Hi,
I'm in the process of testing VSE 8.8 patch 7 (moving from patch 5) and I've noticed that since the upgrade my test machines are reporting the following entries in the access protection log:
23/03/2016 | 08:29:16 | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE | C:\ProgramData\McAfee\datreputation\Logs\datreputation.txt | McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings | Action blocked : Create |
23/03/2016 | 08:29:16 | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE | C:\ProgramData\McAfee\datreputation\Logs\notices.txt | McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings | Action blocked : Create |
23/03/2016 | 08:29:16 | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE | HKLM\SOFTWARE\WOW6432NODE\MCAFEE\DATREPUTATION\ | McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings | Action blocked : Write |
At first I thought this might be due to the fact I was running an old DAT reputation extension, but upgrading to the latest one available (1.0.2.129) hasn't cleared the issue. I believe I'm running the latest extension for VSE (8.8.0.448) too. For information, the test machines are running McAfee Agent 4.8.0.1500.
I did read an article saying that if you've altered the Access Protection rule policy then the policy would not pick up the latest exclusions detailed in product extensions, but the entries still appear when I revert back to "McAfee Default", which I do expect to be updated.
The workstations don't seem to be suffering any ill effects as a result. I could add manual exclusions but I'd really like to understand why a McAfee process is being blocked from writing to a McAfee file.
Anyone else seeing this issue? Any ideas why it might be happening?
Thanks
MVC
I've seen similar issues in access protection logs when upgrading from VSE 8.8 w/P5 (8.8.0.1385) to VSE 8.8 Patch 7. Primarily I've seen it on a few XP systems we still have in our environment, but also a couple of W7 O/S's. Our Helpdesk has reported that these few systems are generating thousands of alert emails. The Access Protection Rule "Common Standard Protection: Prevent modification of McAfee Common Management Agent files and settings" is triggering "Action blocked: Write" alerts and references MFEVTPS.exe, NAPRDMGR.exe, VSTSKMGR.exe, MFEANN.exe, and SCAN32.exe. I've tried referencing the "Installation Sequence Chart" here: McAfee KnowledgeBase - Intel Security - Security Bulletin: Protected resource access bypass vulnerab... but all of the upgrade options start with VSE 8.8.0.1478 which isn't my scenario.
It seems that this is caused by the fact I had DAT reputation disabled when DAT reputation was upgraded from 1.0.3 to 1.0.4. Installing VSE 8.8 patch 7 doesn't cause the problem, it just exposes it. Details can be found in KB86569, though I've had mixed results when testing the fix.
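For triaging a noisy log like the ones described in this thread, the sketch below is an added example (not part of any post above and not McAfee code). It parses the pipe-delimited Access Protection entries and counts blocks whose acting process sits under a McAfee install path; the field layout and dd/mm/yyyy date format are assumed from the quoted lines, and the last sample line is constructed.

```python
from collections import Counter
from datetime import datetime
from typing import NamedTuple, Optional

# First three lines are the entries quoted in the thread; the fourth is a
# constructed entry from a non-vendor process, added for contrast.
SAMPLE = r"""
23/03/2016 | 08:29:16 | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE | C:\ProgramData\McAfee\datreputation\Logs\datreputation.txt | McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings | Action blocked : Create |
23/03/2016 | 08:29:16 | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE | C:\ProgramData\McAfee\datreputation\Logs\notices.txt | McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings | Action blocked : Create |
23/03/2016 | 08:29:16 | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\PROGRAM FILES (X86)\MCAFEE\COMMON FRAMEWORK\NAPRDMGR.EXE | HKLM\SOFTWARE\WOW6432NODE\MCAFEE\DATREPUTATION\ | McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings | Action blocked : Write |
23/03/2016 | 08:31:02 | Blocked by Access Protection rule | EXAMPLE\user1 | C:\USERS\USER1\APPDATA\LOCAL\TEMP\SETUP.EXE | C:\Program Files (x86)\McAfee\Common Framework\example.dat | Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings | Action blocked : Write |
"""

class Event(NamedTuple):
    when: datetime
    user: str
    process: str          # image name only, upper-cased
    target: str
    target_kind: str      # "registry" or "file"
    category: str         # rule group, text before the first ':'
    rule: str
    action: str           # Create / Write / ...
    vendor_process: bool  # acting process path is under a McAfee directory

def parse_line(line: str) -> Optional[Event]:
    """Parse one log entry; return None for blank or malformed lines."""
    fields = [f.strip() for f in line.strip().rstrip("|").split("|")]
    if len(fields) != 8 or fields[2] != "Blocked by Access Protection rule":
        return None
    date, time, _, user, proc, target, rule, action = fields
    try:
        when = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S")
    except ValueError:
        return None
    category, _, rule_name = rule.partition(":")
    hives = ("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\")
    kind = "registry" if target.upper().startswith(hives) else "file"
    # Path match is a triage heuristic only; it does not prove the binary is genuine.
    vendor = "\\MCAFEE\\" in proc.upper()
    return Event(when, user, proc.upper().rsplit("\\", 1)[-1], target, kind,
                 category.strip(), rule_name.strip(),
                 action.rpartition(":")[2].strip(), vendor)

def summarize(text: str):
    """Return all parsed events plus counts of blocks raised against vendor processes."""
    events = [e for e in map(parse_line, text.splitlines()) if e]
    counts = Counter((e.process, e.category, e.action, e.target_kind)
                     for e in events if e.vendor_process)
    return events, counts
```

Entries that land in `counts` are candidates for the upgrade side effect discussed here; blocks from processes outside the vendor directories stay out of that bucket and should be reviewed on their own merits before any exclusion is added.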