andydu
Level 7
Message 1 of 18

VSE 8.7 SP3 Win7 access protection

After installing Patch 3 I've been receiving block errors every 5 min - 10 895 warnings in the last 24H (33 computers - Windows 7 64-bit)

Blocked by Access  Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\services.exe  C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe  Common Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate

CcmExec.exe (MS SCCM)

services.exe

Prevent termination of  McAfee processes: x64\McShield.exe, naPrdMgr.exe, VsTskMgr.exe,  McScript_InUse.exe,  FrameworkService.exe, ShStat.exe ...

McAfee Agent 4.0.0.1494, Product Coverage Reports 4.0.0.1494, VirusScan  Enterprise 8.7.0.570.Wrk, AntiSpyware 8.7.0.12

DAT version 5923.0000
Engine version 5400.1158

Any Idea?

Message edited by andydu on 18.03.10 10:48:33 GMT+01:00
17 Replies
Slyfin
Level 10
Message 2 of 18

Re: VSE 8.7 SP3 Win7 access protection

Bump. This affects Win2k8 R2 as well.

Message was edited by: Slyfin on 3/19/10 10:35:13 AM GMT-05:00
HupSkiDup
Level 11
Message 3 of 18

Re: VSE 8.7 SP3 Win7 access protection

might be the vscan.bof file issue... ?

https://kc.mcafee.com/corporate/index?page=content&id=KB68448

c:\program files\mcafee\virusscan enterprise\vscan.bof    

It's checked in with the normal DATs, it just might need replication to machines.

hth

andydu
Level 7
Message 4 of 18

Re: VSE 8.7 SP3 Win7 access protection

Thank you for this idea, but this .bof file:

Buffer Overflow DAT for VirusScan  Enterprise 480

is already checked in. I am still getting over 10 000 msgs a day.

HupSkiDup
Level 11
Message 5 of 18

Re: VSE 8.7 SP3 Win7 access protection

OK, and I'll speculate that you have done some spot checks of some machines and made sure the correct file is there. The Patch 3 vscan.bof isn't much different, it's like version 4.67 I think... Good luck.

maziz
Level 10
Message 6 of 18

Re: VSE 8.7 SP3 Win7 access protection

Hi

Have these issues been occurring ever since the BOC DAT update 480, which was posted on the 16/03/2010?

If you check your Access Protection log and Update log, can you confirm when the BOC DAT update occurred and whether these termination events started to occur on or around the same time or after? Or did you see these events before the 16/03/2010?

Thanks.

andydu
Level 7
Message 7 of 18

Re: VSE 8.7 SP3 Win7 access protection

1. 64 Bit only
2. First events: 17.03.10 16:39:17
3. Sp 3 checked in: 15.03.2010 14:51
4. .boc dat checked in: 16.03.2010

I can't find log files older than 17.03 - I cleaned the log files on the ePO server (I know, not very clever) and the client logs reached max. size - first events from 19.03.

The sure thing is that before SP3 access protection was OK, but I can't tell you if it is after the .boc file or after SP3.

Since 19.03.10 130 122 events ID 1092

Interestingly, these are the PCs generating 1092 events - I will take a closer look at those:

xx150      6.362
xx232      123.001
xx255      4.729
xx126      1.612
xx62      49
xx237      1.309
xx239      512
xx78      8
xx25      2
xx76      8.697
xx202     1
xx307     816

jguenrdc
Level 12
Message 8 of 18

Re: VSE 8.7 SP3 Win7 access protection

Might be related to this KB article:

https://kc.mcafee.com/corporate/index?page=content&id=KB53876

Jay

andydu
Level 7
Message 9 of 18

Re: VSE 8.7 SP3 Win7 access protection

Thank you very much - it will be this case .. but, this is very interesting:

Solution

This is expected behavior. The Access Protection rule Prevent Termination of McAfee Processes is currently not supported on 64-bit computers and will not be supported in the future in this environment due to 64 bit security.

To suppress relevant errors, install VirusScan Enterprise 8.7i Patch 1 (or later). This places an extra rule file (extra460575.rul) in the VirusScan installation folder of 64-bit computers which disables this particular rule.

McAfee Employee wwarren
McAfee Employee
Message 10 of 18

Re: VSE 8.7 SP3 Win7 access protection

Hello Folks,

For x64 systems this rule is meant to be disabled.

McAfee accomplishes this by including an Extra*.rul file that tells Access Protection this rule is disabled. The file is named EXTRA460575.RUL, found in the VSE install folder.

There is an upgrade path for x64 systems that is causing this file to be removed. We're not sure why yet.

The solution is to replace this file.

McAfee Support are working on updating the appropriate KB article to attach this file, and even to have it wrapped in an installer package.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
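
A triage sketch for the condition this thread arrives at, added here as an example and not code from McAfee or any poster: it checks the VSE install folder for EXTRA460575.RUL and tallies "Prevent termination of McAfee processes" blocks by source and target process. The function names, the tab-separated field layout and the sample lines are assumptions constructed from the event quoted in the first post.

```powershell
# Added example. Field order follows the event quoted in the first post;
# tab separation and the function names are assumptions.
$RuleFile = 'EXTRA460575.RUL'
$RuleName = 'Common Standard Protection:Prevent termination of McAfee processes'

function Test-VseRuleFile {
    param([string]$InstallDir)
    # Windows paths are case-insensitive, so extra460575.rul matches as well.
    Test-Path -LiteralPath (Join-Path $InstallDir $RuleFile) -PathType Leaf
}

function Get-TerminateBlockSummary {
    param([string[]]$LogLines)
    $LogLines |
        ForEach-Object {
            # Fields: 0 event text, 1 user, 2 source process, 3 target, 4 rule, 5 action
            $f = $_ -split "`t"
            if ($f.Count -ge 6 -and $f[4] -eq $RuleName) {
                [pscustomobject]@{ Source = $f[2]; Target = $f[3] }
            }
        } |
        Group-Object Source, Target |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample lines (not real log data).
$mcshield = 'C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\McShield.exe'
$prefix   = "Blocked by Access Protection rule`tNT AUTHORITY\SYSTEM`t"
$suffix   = "`t$RuleName`tAction blocked : Terminate"
$sample = @(
    "${prefix}C:\Windows\system32\services.exe`t$mcshield$suffix"
    "${prefix}C:\Windows\system32\services.exe`t$mcshield$suffix"
    "${prefix}CcmExec.exe`t$mcshield$suffix"
    "${prefix}example.exe`tC:\constructed\target.dat`tConstructed rule:unrelated`tAction blocked : Write"
    "truncated line without enough fields"
)

# Install folder as it appears in the event from the first post.
$dir = 'C:\Program Files (x86)\McAfee\VirusScan Enterprise'
if (-not (Test-VseRuleFile $dir)) {
    Write-Warning "$RuleFile is missing from '$dir'; expect event floods for '$RuleName' on x64."
}
Get-TerminateBlockSummary $sample | Format-Table -AutoSize
```

On the constructed sample the summary lists two blocks from services.exe and one from CcmExec.exe, all against McShield.exe; the unrelated rule and the malformed line are ignored.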