cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cmenes
Level 7
Report Inappropriate Content
Message 1 of 2

VSE and SVCHOST.exe

I'm seeing the following on all of our computers in our network:

10/25/2020 6:13:24 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

We are using VSE 8.8 patch 15.

I recently took over Anti-Virus duties saw that in ePO Build: ePolicy Orchestrator 5.10.0 (Build 2428)
Update Installed: Update 4 (2.0.0.454), every computer and server was in an escalated state.  Upon further investigation, it appears that every time McAfee does an auto-update, SVCHOST.exe is blocked from terminating a McAfee process (VsTskMgr.exe, mfeann.exe, mcshield.exe...)

I'm new to this, so my uneducated guess is that McAfee is using SVCHOST.exe to finish up an update process, but McAfee is preventing this action (most likely as designed.)

I do not want to whitelist svchost.  I also don't want to leave this ignored, because from a reporting standpoint, 142 escalated devices out of 142 devices is not good.

How can I either trust actions that McAfee spawns or let McAfee know that this is a benign action and not escalate the computers based on this action.

Other information.  All computers are running Windows 10 update 1909 with at least 8gigs RAM.  All servers are running Server 2012 R2 or 2016 DataCenter and are VMs on VMWare.

1 Reply
cmenes
Level 7
Report Inappropriate Content
Message 2 of 2

Re: VSE and SVCHOST.exe

More information that I did not include in original post.  The following are in the "Prevent termination of McAfee processes" exclusion list:

amgrcnfg.exe

C:\Program Files (x86)\Common Files\McAfee\SystemCore\csscan.exe

C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcshield.exe

C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe

C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe

C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

C:\Windows\system32\csrss.exe

C:\Windows\system32\drwtsn32.exe

C:\Windows\system32\lsass.exe

C:\Windows\syswow64\lsass.exe

cleanup.exe

cmdagent.exe

dainstall.exe

dbinit.exe

EngineServer.exe

fcag.exe

fcags.exe

FCAGT.exe

fcagte.exe

firesvc.exe

FireTray.exe

framepkg.exe

framepkg_upd.exe

frameworks*

frameworks*.exe

frminst.exe

HipManage.exe

hipsvc.exe

masvc.exe

mcadmin.exe

McAfeeFire.exe

mcconsol.exe

mcscancheck.exe

mcscript*

mcscript_inuse.exe

mctray.exe

mcupdate.exe

mfeann.exe

mfefire.exe

mfehidin.exe

MPEScanner.exe

mue_inuse.exe

naimserv.exe

naprdmgr.exe

naprdmgr64.exe

narepl32.exe

ncdaemon.exe

restartVSE.exe

RPCServ.EXE

RSSensor.exe

SAFeService.exe

scan32.exe

scan64.exe

scanner.exe

scncfg32.exe

setlicense.exe

shcfg32.exe

shstat.exe

SiteAdv.exe

TBMon.exe

udaterui.exe

updaterui.exe

VirusScanAdvancedServer.exe

vmscan.exe

vstskmgr.exe

WerFault.exe

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community