At my office, all of a sudden McAfee freezes SumatraPDF.exe because "it tries to stop McAfee". The logs actually detect the installation files ("sumatraPDF_install.exe") as the cause of this, which seems ridiculous. I am on Windows 7 Pro, McAfee Agent 4.8.0, McAfee VirusScan Agent 8.8.0.
Does anybody know what I can suggest to the IT security guys who don't want to add Sumatra to the white list?
|31/12/2015||11:40:05 AM||Blocked by Access Protection rule||S02003048-10615\tuser||C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe||C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe||Common Standard Protection:Prevent termination of McAfee processes||Action blocked : Terminate|
|31/12/2015||11:40:05 AM||Blocked by Access Protection rule||S02003048-10615\tuser||C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe||C:\Program Files (x86)\McAfee\Common Framework\McTray.exe||Common Standard Protection:Prevent termination of McAfee processes||Action blocked : Terminate|
So this is enterprise; I will move it to VirusScan Enterprise, where you will get better assistance than in the consumer area. If you feel another area is better, please let me know.
What you are seeing here is not that your app is being detected as a false positive, per se. The VSE component that is showing an issue with this EXE is Access Protection. Access Protection provides a set of pre-defined rules that can be used to prevent applications from taking actions that could destabilize a system through such actions as uninstalling AV, terminating certain Windows processes, etc.
In this case, C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe is seen "attempting" to terminate two McAfee processes. This behavior is often a false positive due to an improper access mask. SCCM's agent is an example of this. The other end of the spectrum is that this particular installer is malicious and is actually trying to do damage and terminate AV. If there is concern, your IT security team should have access to ServicePortal and can submit the exe as a sample for analysis.
The question that needs to be answered is - Is the installation / use of SumatraPDF prevented? In the log snippet you provided, it simply looks like the installer is potentially impacted. If the installer executes and the app then works correctly, no whitelisting should be needed. If the installer fails to launch or the app is impacted, then your IT security team may need to review policies and tune to allow the app to function while ensuring security.
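To check which executable the log names as the source of the blocked action (the installer or the application itself), the rows can be grouped by source process. This is an added example, not part of the original posts and not McAfee tooling; it assumes the `||`-separated row layout shown in the thread with the eight fields named in `FIELDS`, and the third sample line is a constructed malformed row.

```python
import ntpath
from collections import defaultdict

# Field order is an assumption taken from the rows quoted in the thread.
FIELDS = ("date", "time", "event", "user", "source", "target", "rule", "action")

# Constructed sample: the two rows quoted in the thread plus one truncated row.
SAMPLE = r"""
|31/12/2015||11:40:05 AM||Blocked by Access Protection rule||S02003048-10615\tuser||C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe||C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe||Common Standard Protection:Prevent termination of McAfee processes||Action blocked : Terminate|
|31/12/2015||11:40:05 AM||Blocked by Access Protection rule||S02003048-10615\tuser||C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe||C:\Program Files (x86)\McAfee\Common Framework\McTray.exe||Common Standard Protection:Prevent termination of McAfee processes||Action blocked : Terminate|
|31/12/2015||11:40:06 AM||Blocked by Access Protection rule|
"""


def parse_rows(text, sep="||"):
    """Return (rows, skipped); a row with the wrong field count is skipped."""
    rows, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.strip("|").split(sep)]
        if len(parts) != len(FIELDS):
            skipped += 1
            continue
        rows.append(dict(zip(FIELDS, parts)))
    return rows, skipped


def summarize(rows):
    """Group blocked actions by the executable that attempted them."""
    out = defaultdict(lambda: {"count": 0, "targets": set(), "rules": set(), "actions": set()})
    for r in rows:
        # ntpath handles Windows paths regardless of the OS running the script.
        entry = out[ntpath.basename(r["source"]).lower()]
        entry["count"] += 1
        entry["targets"].add(ntpath.basename(r["target"]))
        entry["rules"].add(r["rule"])
        entry["actions"].add(r["action"])
    return dict(out)


if __name__ == "__main__":
    rows, skipped = parse_rows(SAMPLE)
    for source, e in summarize(rows).items():
        print(f"{source}: {e['count']} blocked, targets={sorted(e['targets'])}, "
              f"actions={sorted(e['actions'])}")
    print(f"skipped malformed rows: {skipped}")
```

If the application's own executable never appears as a source in the summary, the log only shows the installer being affected, which is the distinction the answer above asks about.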
Thanks for the detailed answer. I will forward it to the IT security guys. Of course their first answer was "don't use the software!" :-(
Your question is right on. I cannot understand what the install files have to do with the sumatra.exe file that is being blocked. I used Sumatra for ages without problems. Only recently I am having this problem. The files have been there for months but McAfee still blocks Sumatra after I deleted them.
Anyway, hopefully they'll send it over to the ServicePortal.
Lots of thanks, Marco