
VirusScan Enterprise 8.8 / Patch 7 and Windows Server RDP issue


Just after feedback from the community on any issues experienced with deploying VirusScan Enterprise 8.8 / patch 7. We encountered an issue where after upgrade / installation we were unable to RDP to our Windows 2008 R2 servers; access to the virtual desktop via the V-Centre console was unaffected. Our investigations identified an issue where the Access Protection "Anti-virus Standard Protection: Prevent Windows Process spoofing" rule was blocking certain behaviour exhibited by the Microsoft Session Manager process (smss.exe), which ultimately impacted RDP sessions (see AccessProtectionLog.txt output below).

10/03/2016 7:41:09 PM
Blocked by Access Protection rule
Anti-virus Standard Protection:Prevent Windows Process spoofing
Action blocked : Execute

In my preparation for patch 7 deployment I undertook due diligence and reviewed all the known issues and other articles called out by McAfee. The Knowledge Base article KB86694 shared common symptoms with what we experienced; however, the recommended process exclusions had already been added to the Access Protection "Anti-virus Standard Protection: Prevent Windows Process spoofing" rule. Ultimately it was due to this article that we investigated this thread as a potential issue (we only had the rule in Block so the issue wasn't initially obvious; why we don't Report detected behaviour is another issue).

I raised a case with McAfee as I wanted to confirm if this was expected product behaviour in patch 7, as we had not encountered the issue before on either VSE 8.7 P4 or VSE 8.8 P2/3/4, and unfortunately the response was underwhelming. I was referred to Knowledge Base article KB52624 and it suggested I consider disabling this rule as it is disabled by default. Naturally I have asked support for reference to any official McAfee literature where it states it is a best practice recommendation to have this rule disabled.

I would appreciate any insights or experiences from those of you that have attempted applying VSE 8.8 patch 7.




Re: VirusScan Enterprise 8.8 / Patch 7 and Windows Server RDP issue

Hi Mick,

According to this, I think it is currently best practice to disable the rule until engineering has determined the root cause for the effects we're seeing with this AP rule.



Re: VirusScan Enterprise 8.8 / Patch 7 and Windows Server RDP issue

Just for info,

I have had the Anti-virus Standard Protection: Prevent Windows Process spoofing rule stop Windows updates in the past.

We have this rule set to report only.


Re: VirusScan Enterprise 8.8 / Patch 7 and Windows Server RDP issue

I agree with this assessment. In our office's 10+ years with VSE, we have this option unchecked as well.

The only things we leave checked on AV standard protection are:

  • prevent tftp
  • prevent remote creation of autorun files
  • prevent registry editor and task manager being disabled
  • prevent mass mailing worms
  • prevent irc comms

These rules have exceptions, but I can't really divulge those.
