Just after feedback from the community on any issues experienced with deploying VirusScan Enterprise 8.8 / patch 7. We encountered an issue where, after upgrade / installation, we were unable to RDP to our Windows 2008 R2 servers; access to the virtual desktop via the V-Centre console was unaffected. Our investigations identified an issue where the Access Protection "Anti-virus Standard Protection: Prevent Windows Process spoofing" rule was blocking certain behaviour exhibited by the Microsoft Session Manager process (smss.exe), which ultimately impacted RDP sessions (see AccessProtectionLog.txt output below).
|10/03/2016 7:41:09 PM||Blocked by Access Protection rule||NT AUTHORITY\SYSTEM||C:\WINDOWS\SYSTEM32\SMSS.EXE||C:\Windows\System32\smss.exe||Anti-virus Standard Protection: Prevent Windows Process spoofing||Action blocked : Execute|
In my preparation for the patch 7 deployment I undertook due diligence and reviewed all the known issues and other articles called out by McAfee. The Knowledge Base article KB86694 shared common symptoms with those we experienced; however, the recommended process exclusions had already been added to the Access Protection "Anti-virus Standard Protection: Prevent Windows Process spoofing" rule. Ultimately it was due to this article that we investigated this rule as a potential issue (we only had the rule set to Block, so the issue wasn't initially obvious; why we don't Report detected behaviour is another issue).
I raised a case with McAfee as I wanted to confirm whether this was expected product behaviour in patch 7, as we had not encountered the issue before on either VSE 8.7 P4 or VSE 8.8 P2/3/4, and unfortunately the response was underwhelming. I was referred to Knowledge Base article KB52624, and it was suggested I consider disabling this rule as it is disabled by default. Naturally I have asked support for a reference to any official McAfee literature where it states that it is a best practice recommendation to have this rule disabled.
I would appreciate any insights or experiences from those of you that have attempted applying VSE 8.8 patch 7.
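The triage step the post describes, reading AccessProtectionLog.txt and working out which Access Protection rule is stopping a core Windows process, is easy to script. The following is an added example, not code from the original post or from McAfee: it parses the pipe-delimited layout the post shows (seven fields: timestamp, event, user, acting process, target, rule name, action), counts enforced blocks versus report-only hits per rule, and flags enforced blocks whose acting process is a core Windows session/logon binary running as SYSTEM. The sample log is constructed here; only the first line reproduces the post's smss.exe event, the other two lines (including the hosts-file rule name and the "Would be blocked" report-only wording) are assumptions made to exercise the code, and the list of "core" processes is my own choice, not a McAfee definition.

```python
import ntpath
from collections import defaultdict

# Constructed sample in the pipe-delimited layout the post shows for
# AccessProtectionLog.txt. Line 1 is the event from the post; lines 2 and 3
# are made up here (the hosts-file rule name and the report-only event text
# are assumptions) to exercise the report-only and non-system-process paths.
SAMPLE_LOG = r"""
|10/03/2016 7:41:09 PM||Blocked by Access Protection rule||NT AUTHORITY\SYSTEM||C:\WINDOWS\SYSTEM32\SMSS.EXE||C:\Windows\System32\smss.exe||Anti-virus Standard Protection: Prevent Windows Process spoofing||Action blocked : Execute|
|10/03/2016 7:42:10 PM||Would be blocked by Access Protection rule (rule is currently not enforced)||NT AUTHORITY\SYSTEM||C:\WINDOWS\SYSTEM32\SVCHOST.EXE||C:\Windows\System32\wuauclt.exe||Anti-virus Standard Protection: Prevent Windows Process spoofing||Action blocked : Execute|
|10/03/2016 7:43:00 PM||Blocked by Access Protection rule||CONTOSO\jdoe||C:\Users\jdoe\AppData\Local\Temp\update.exe||C:\Windows\System32\drivers\etc\hosts||Anti-virus Standard Protection: Prevent modification of hosts file (hypothetical rule name)||Action blocked : Write|
"""

# Field order as rendered in the post's log excerpt.
FIELDS = ("timestamp", "event", "user", "process", "target", "rule", "action")

# Core Windows session/logon processes (my own list, not a McAfee one). An
# enforced block against one of these is the kind of event that broke RDP.
CORE_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "svchost.exe",
}


def parse_line(line):
    """Return a dict for one log line, or None if it is not a 7-field record."""
    line = line.strip()
    if not (line.startswith("|") and line.endswith("|")):
        return None
    fields = line[1:-1].split("||")
    if len(fields) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, fields))
    # Enforced (Block mode) events start with "Blocked by"; report-only hits
    # are assumed to start with "Would be blocked".
    rec["enforced"] = rec["event"].startswith("Blocked by")
    return rec


def parse_log(text):
    """Parse every well-formed record in the log text, skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_by_rule(records):
    """Count enforced versus report-only hits per Access Protection rule."""
    summary = defaultdict(lambda: {"blocked": 0, "reported": 0})
    for r in records:
        summary[r["rule"]]["blocked" if r["enforced"] else "reported"] += 1
    return dict(summary)


def core_process_blocks(records):
    """Enforced blocks whose acting process is a core Windows binary run as SYSTEM."""
    hits = []
    for r in records:
        exe = ntpath.basename(r["process"]).lower()
        if (r["enforced"] and exe in CORE_SYSTEM_PROCESSES
                and r["user"].upper() == "NT AUTHORITY\\SYSTEM"):
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for rule, counts in summarize_by_rule(recs).items():
        print(f"{rule}: blocked={counts['blocked']} report-only={counts['reported']}")
    for r in core_process_blocks(recs):
        print("CORE PROCESS BLOCKED:", r["timestamp"], r["process"],
              "->", r["target"], "by rule:", r["rule"])
```

Run it against a real AccessProtectionLog.txt by replacing SAMPLE_LOG with the file contents (the real file may be tab-delimited rather than pipe-delimited, in which case adjust the split in parse_line). Any rule that shows enforced blocks against a core process is a candidate for switching to Report while the exclusions or the rule itself are reviewed.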
According to this, I think it is currently best practice to disable the rule until engineering has determined the root cause for the effects we're seeing with this AP rule.
Just for info,
I have had the "Anti-virus Standard Protection: Prevent Windows Process spoofing" rule stop Windows updates in the past.
We have this rule set to report only.
I agree with this assessment. In our office's 10+ years with VSE, we have this option unchecked as well.
The only things we leave checked on AV standard protection are:
These rules have exceptions, but I can't really divulge those.