After installing Patch 3 I've been receiving from block errors every 5 min - 10 895 warnings last 24H (33 Computers - Windows 7 64Bit)
Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
CcmExec.exe (MS SCCM)
Prevent termination of McAfee processes: x64\McShield.exe, naPrdMgr.exe, VsTskMgr.exe, McScript_InUse.exe, FrameworkService.exe, ShStat.exe ...
McAfee Agent 126.96.36.1994, Product Coverage Reports 188.8.131.524, VirusScan Enterprise 184.108.40.2060.Wrk, AntiSpyware 220.127.116.11
Any Idea?Nachricht geändert durch andydu on 18.03.10 10:48:33 GMT+01:00
might be the vscan.bof file issue... ?
c:\program files\mcafee\virusscan enterprise\vscan.bof
its checked in with the normal dats, just might need replication to machines.
Ok, and I'll speculate that you have done some spot checks of some machines and made sure the correct file is there. the patch 3 vscan.bof isn't much different, it's like version 4.67 i think... Good Luck..
Have these issue been occuring ever since the BOC DAT update 480, which was posted on the 16/03/2010?
If you check your Access Protection log and Update log and confirm when the BOC DAT Update occured and whether these events of termination started to occur on or around the same time or after? Or did you see these events before the 16/03/2010?
1. 64 Bit only
2. First events: 17.03.10 16:39:17
3. Sp 3 checked in: 15.03.2010 14:51
4. .boc dat checked in: 16.03.2010
I can't find log files older then 17.03 - I cleaned log files on the EPO Server (I know not very clever) and clients logs reached max. size - first events from 19.03.
The sure thing is, that before SP3 access protection
was OK, but I can't tell u if it is after .boc file or after sp3.
Since 19.03.10 130 122 events ID 1092
Interesting those are PC generating 1092 events - I will take a closer look at those:
Thank you very much - it will be this case .. but, this is very interesting:
This is expected behavior. The Access Protection rule Prevent
Termination of McAfee Processes
is currently not
supported on 64-bit computers and will not be supported in the future
in this environment due to 64 bit security.
To suppress relevant errors, install
VirusScan Enterprise 8.7i
Patch 1 (or later). This places an extra rule file (
in the VirusScan installation folder of 64-bit computers which disables
this particular rule.
For x64 systems this rule is meant to be disabled.
McAfee accomplishes this by including a Extra*.rul file that tells Access Protection this rule is disabled. The file is named EXTRA460575.RUL, found in the VSE install folder.
There is an upgrade path for x64 systems that is causing this file to be removed. We're not sure why yet.
The solution is to replace this file.
McAfee Support are working on updating the appropriate KB article to attach this file, and even to have it wrapped in an installer package.