I'm seeing the following on all of our computers in our network:
10/25/2020 6:13:24 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
We are using VSE 8.8 patch 15.
I recently took over Anti-Virus duties and saw that in ePO Build: ePolicy Orchestrator 5.10.0 (Build 2428) Update Installed: Update 4 (22.214.171.1244), every computer and server was in an escalated state. Upon further investigation, it appears that every time McAfee does an auto-update, SVCHOST.exe is blocked from terminating a McAfee process (VsTskMgr.exe, mfeann.exe, mcshield.exe...).
I'm new to this, so my uneducated guess is that McAfee is using SVCHOST.exe to finish up an update process, but McAfee is preventing this action (most likely as designed.)
I do not want to whitelist svchost. I also don't want to leave this ignored, because from a reporting standpoint, 142 escalated devices out of 142 devices is not good.
How can I either trust actions that McAfee spawns or let McAfee know that this is a benign action and not escalate the computers based on this action?
Other information: All computers are running Windows 10 update 1909 with at least 8 gigs of RAM. All servers are running Server 2012 R2 or 2016 DataCenter and are VMs on VMware.