
Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8

Hi all

VSE8.7 latest patch

VSE8.8 latest patch

Why is it that I keep getting the following in ePO? Well, I do know why, but could I have it explained?

Example of an Automatic Response rule

Common Standard Protection:Prevent termination of McAfee processes: 17

Common Standard Protection:Prevent modification of McAfee files and settings: 11

Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings: 9

Then, when looking further into the above rule, I found the following

Processes attempting to Terminate McAfee processes

036DFF3520DC0456ED4566FE7B07D287.exe

acroaum.exe

Ad-AwareAdmin.exe

AdminService.exe

Adobe_Updater.exe

aljxrbcsw.exe

aolsoftware.exe

Au_.exe

avast.setup

Dropbox.exe

getPlusUninst_Adobe.exe

GPY23D.tmp

HealthService.exe

ienrcore.exe

IncredibarToolbar.exe

mcClient.exe

mikogo-starter.exe

mikogo-starter[1].exe

MOM.exe

mor.exe

MsiExec.exe

MyBabylonTB.exe

PatrolAgent.exe

resrcmon.exe

rool1_pk.exe

rty0_7z.exe

ruby.exe

setup.exe

smhstart.exe

SmileboxStarter.exe

SmileboxUpdater.exe

smss.exe

StorageServer.exe

sysocmgr.exe

TaskController.exe

taskmgr.exe

termsrv.exe

TrolleyExpress.exe

Uninstall.exe

WLSync.exe

WriteDescExecuteFileName.exe

Processes attempting to Modify McAfee files

6784xdat.exe

aolsoftware.exe

ASCService.exe

cleanmgr.exe

csrss.exe

CtxBace.exe

DllHost.exe

dsmcutil.exe

EXCEL.EXE

Explorer.EXE

file_aut.exe

JetClean.exe

mfevtps.exe

mmc.exe

PCCleaner.exe

regmech.exe

RegSeeker.exe

RegWork.exe

services.exe

SpeedyPC.exe

Stinger_Coficker.exe

svchost.exe

System

updatdrv.exe

1) Are these processes meant to be trying to modify/terminate the McAfee files/processes and if so why?

2) If these processes aren’t meant to be trying to modify/terminate the McAfee files/processes why is VirusScan not detecting them as spyware/virus infections?

Could I just have it explained why this happens?

I mean, creating exclusions for them all isn't really the way forward; there must be an explanation for this

Hoping to hear something back

thanks in advance

Tristan

Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8

Some of them would be expected

avast.setup - Avast AV install attempting to uninstall McAfee

6784xdat.exe - DAT update

JetClean.exe, regseeker.exe - Registry clean up tools attempting to access McAfee registry entries

Others I would be more worried about, and they suggest a virus or malicious software attempting to disable McAfee to prevent detection.

rool1_pk.exe

rty0_7z.exe

Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8

Hi Tristan

Well, the Avast one is, of course, as you also said, something to expect

The weird thing here is that I have used GetSusp, done a full ODS, and used Malwarebytes, but nothing was detected

Hmmm, now I did a search for rool1_pk.exe and found (in German) http://www.istdiesedateisicher.de/sha1/B349C5CD5A320279457D8F0BE1E7505070395882_details.aspx

Guess I need to start yet another scan on the system(s)

But what I don't really get is why something like Adobe_Updater.exe would attempt to terminate McAfee processes


McAfee Employee wwarren

Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8

Hi northomsk,

The AP rule to prevent termination of McAfee processes is activated whenever we see a process try to interact with one of our protected processes, and explicitly seeks the access mask called TERMINATE_PROCESS, which is a flag the programmers of the 3rd party process pass along in their request for gaining access/info from our protected process.

It's a behavior that processes do not need to engage in but has perhaps become a fairly common programming practice because "nobody cares" to be more particular about the access level they're seeking/acquiring, even to do mundane things in their program, not actually intending to terminate the process.

Well, this AP rule in VSE is here to change that way of thinking because it's not a secure way to program. And of course, it's there to protect our software from malicious coders who would do the same thing but actually intend to terminate us. VSE can't distinguish who's malicious or not, so we block everybody - but we give you the ability to make that choice, by means of exclusions.

You have options available to you to reduce the number of events being generated. You can disable reporting of the event (an ePO tweak), or of the rule itself (a VSE policy tweak), or you can trust the 3rd party process and add it as an excluded process for the specific rule.

And/or, you can take up a request with your 3rd party vendor whose process is unnecessarily seeking the TERMINATE_PROCESS privilege, and tell them not to do that when the privilege is never going to be exercised.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
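
The access-mask check described in the reply above, as an added example that is not part of the original thread and not McAfee's code. It is a simplified model of the rule's test; the right values are the Windows SDK constants (the terminate right is named `PROCESS_TERMINATE`, 0x0001, in the SDK), and the process names and events are constructed.

```python
# Added example: a simplified model of the "prevent termination" check.
# Values are the documented Windows process access rights; the sample
# events and process names below are constructed for illustration.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_TERMINATE = 0x0001
PROCESS_ALL_ACCESS = 0x001FFFFF      # Windows Vista and later
PROCESS_ALL_ACCESS_XP = 0x001F0FFF   # Windows XP / Server 2003


def decode(mask):
    """Return the names of the known rights present in an access mask."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def classify(mask):
    """Say whether a request for this mask carries the terminate right."""
    if not mask & PROCESS_TERMINATE:
        return "no event: terminate right not requested"
    if mask in (PROCESS_ALL_ACCESS, PROCESS_ALL_ACCESS_XP):
        return "event: blanket ALL_ACCESS request includes terminate"
    return "event: terminate right requested explicitly"


def triage(events):
    """Map each (process, requested mask) pair to its classification."""
    return {proc: classify(mask) for proc, mask in events}


# Constructed events: hypothetical callers opening a protected process.
SAMPLE_EVENTS = [
    ("updater_example.exe", PROCESS_ALL_ACCESS),    # asks for everything
    ("monitor_example.exe", 0x1000),                # query-limited only
    ("killer_example.exe", 0x0001 | 0x00100000),    # terminate + synchronize
]

if __name__ == "__main__":
    for proc, mask in SAMPLE_EVENTS:
        print(f"{proc:22} 0x{mask:08X}  {classify(mask)}  {decode(mask)}")
```

A caller that only needs to read basic information about another process can ask for `PROCESS_QUERY_LIMITED_INFORMATION` alone, which never sets the terminate bit.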

Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8

Hi

Thank you so much for explaining this to me (and others, I can't be the only one wondering)

This was what I was looking for.

Well, as you said: tweak in ePO, tweak the rule itself, or exclusions. Or contacting the 3rd party, which might be a pain in the ....

I think I'll work through the list and exclude all known ones, and then let's see what action will be taken on the rest.

Again thanks
