Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

Afternoon all,

I wonder if anyone else has seen Outlook being blocked from creating / deleting keys in HKLM\SOFTWARE\McAfee\AVEngine? We're running 8.5i Patch 5 (I know that's outdated) managed by ePO 4.0 and this behaviour only started occurring this morning. It's affecting a couple of machines, running both 2003 and 2007 versions of Outlook, both on WinXP.

Any ideas?

Cheers,

Keith

17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 08:33:40 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

17/03/2010 09:05:54 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
1 Solution

Accepted Solutions
maziz
Level 10
Message 7 of 18

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

Hello Everyone

Just to give you all some assurance here as to what is happening.

McAfee is aware of this behaviour occurring on machines running VirusScan 8.5 primarily. This issue seems to have occurred when a new Buffer Overflow DAT was released on the 16th March 2010 which was version 480.

I can assure you all that this issue is being investigated by McAfee seniors and should be fixed with a new BOC DAT update. This is most likely to be version 491 and should be released soon.

In the meantime, a workaround would be to add Outlook.exe as an exclusion in the rule of Access Protection that is being triggered.

Hope this helps.

17 Replies
Minkus
Level 7
Message 2 of 18

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

Same issue here. VirusScan 8.5i Patch 8, managed by ePO 4.0, running Outlook 2003 on XP SP3.

Started doing it this morning across the network. I'm ignoring it at the moment but hope it doesn't carry on doing it every day!

17/03/2010 10:04:30 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

I'm seeing the same thing each time I open Outlook. Same versions of Outlook and McAfee.

Started on the evening of March 16th.

jklun
Level 7
Message 4 of 18

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

See same for many users. Same start date.

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

See the same behavior here on several machines

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

See other thread on same topic: http://community.mcafee.com/message/120290

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

Hello,

About the same problem here, not from Outlook.exe but from EngineServer.exe. We have 8.7 Patch 1 on W2K3 Server x64. Also started on March 17th 2010.

Is there any release date for the BOC update?

23-3-2010 8:30:51 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScanEnterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

on 3/23/10 9:37:25 AM CDT
Minkus
Level 7
Message 9 of 18

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

Hi,


We are also seeing the issue, not just on Outlook.exe, but occasionally with naPrdMgr.exe as well:

26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

wwarren
McAfee Employee
Message 10 of 18

Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

A new vscan.bof content update package is expected to be available today.

It will resolve this issue.

I still have the hose running just in case the team needs a fresh soaking for messing with this file.

Our process has been to always include the latest build of vscan.bof with patch releases (the content had not been changing, though was getting rebuilt). However, that process has since changed to ensure no surprises in future.

I haven't caught up on all the threads - it's been about 3 weeks since I could revisit these forums but I'm sure there have been some choice discussions about this.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
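
A triage helper for log excerpts like those posted in this thread, added here as an example and not McAfee's or any poster's code: it parses Access Protection lines in the flattened layout quoted above, groups them by blocked process and rule, and lists the processes whose every blocked access fell under the AVEngine key (the pattern this thread describes). The sample lines, the user names, `other.exe` and `ExampleKey` are constructed, and the regex assumes registry paths without spaces.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout quoted in the thread (users and other.exe are made up).
SAMPLE = r"""
17/03/2010 08:33:39 Blocked by Access Protection rule  EXAMPLE\user1 C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
17/03/2010 10:04:31 Blocked by Access Protection rule  EXAMPLE\user2 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
23-3-2010 8:31:10 Blocked by Access Protection rule EXAMPLE\user3 C:\Example\other.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\ExampleKey\Value Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
"""

# User names and process paths may contain spaces, so the drive letter, ".exe"
# and "\REGISTRY\" are used as field boundaries instead of whitespace.
LINE = re.compile(
    r"^(?P<date>\d{1,2}[/-]\d{1,2}[/-]\d{4})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"Blocked by Access Protection rule\s+(?P<user>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?\.exe)\s+(?P<target>\\REGISTRY\\\S+)\s+"
    r"(?P<rule>.+?)\s+Action blocked\s*:\s*(?P<action>\w+)\s*$",
    re.IGNORECASE,
)
AVENGINE = r"\registry\machine\software\mcafee\avengine" + "\\"

def parse(line):
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # Compare on the image name only: 8.3 short paths and long paths differ per host.
    ev["image"] = ev["process"].rsplit("\\", 1)[-1].lower()
    # Fold the 32-bit registry view so x64 hosts compare equal to x86 ones.
    ev["key"] = re.sub(r"(?i)\\wow6432node", "", ev["target"]).lower()
    return ev

def summarise(text):
    out = defaultdict(lambda: {"count": 0, "users": set(), "actions": set(), "outside": set()})
    for ev in filter(None, map(parse, text.splitlines())):
        s = out[(ev["image"], ev["rule"])]
        s["count"] += 1
        s["users"].add(ev["user"])
        s["actions"].add(ev["action"])
        if not ev["key"].startswith(AVENGINE):
            s["outside"].add(ev["target"])  # blocked access outside the AVEngine key
    return dict(out)

def matches_thread_pattern(summary):
    # Images whose blocked accesses were all under the AVEngine key.
    return sorted(img for (img, _), s in summary.items() if not s["outside"])
```

Any image that also appears with entries in `outside` was blocked on something other than the AVEngine values and is worth reviewing separately before it is considered for the exclusion workaround.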