I was exploring our Access Protection events today and noticed that there are hundreds, if not thousands of events generated by VsTskMgr.exe trying to modify registry keys related to VirusScan. Here is a sample:
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Minor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDateSys Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDateSys Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDateSys Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
Is it good practice to exclude VsTskMgr.exe from this rule? Or is there something wrong and a hotfix or newer patch fixes it? I am not sure what causes it so I can't re-create it... but several of our workstations get the error. Looks like there are some creates and deletes in the registry that are attempting to take place.
We are running XP SP3 with VSE 8.7 P3 w/ AntiSpyware. We also run HIP 7.0.0.1159 (Patch 6) and Agent 4.0.0.1494.
I found a similar thread on this but it didn't seem to offer any results from what I could tell: https://community.mcafee.com/thread/22964
Thanks for any insight on this.
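As an added example (not part of this thread or any McAfee tool): a small Python triage script that parses Access Protection event lines in the format quoted above and separates self-blocks by McAfee's own binaries, the noise described in the question, from blocks caused by any other process, which need a look before an exclusion is considered. The regex is written from the lines above and assumes the target path contains no spaces; the last sample line (a non-McAfee process) is constructed.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# One VSE Access Protection event line as shown in the thread. The user and
# process fields may contain spaces, so they are matched lazily; the target is
# assumed to be space-free (true for the registry keys in the thread).
AP_EVENT = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Blocked by Access Protection rule (?P<user>.+?) "
    r"(?P<process>[A-Za-z]:\\.+?\.exe) (?P<target>\S+) "
    r"(?P<rule>.+?) Action blocked : (?P<action>\w+)$"
)

# McAfee's own install directory: blocks from here are self-blocks, the
# candidate for a workaround exclusion; anything else is worth investigating.
MCAFEE_DIR = "c:\\program files\\mcafee\\"

SAMPLE = [
    # Three lines copied from the thread above
    r"1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete",
    r"1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create",
    r"1/25/2011 9:13:41 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete",
    # Constructed line (not from the thread): a non-McAfee process hitting the same rule
    r"1/25/2011 9:14:02 AM Blocked by Access Protection rule CORP\jdoe C:\Temp\tool.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create",
]


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Return the event's fields, or None if the line is not an AP event."""
    m = AP_EVENT.match(line.strip())
    return m.groupdict() if m else None


def triage(lines: List[str]) -> Dict[str, object]:
    """Count blocks per process and action; list events from non-McAfee processes."""
    per_process: Counter = Counter()
    actions: Counter = Counter()
    other: List[Dict[str, str]] = []
    unparsed = 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed += 1
            continue
        per_process[ev["process"]] += 1
        actions[ev["action"]] += 1
        if not ev["process"].lower().startswith(MCAFEE_DIR):
            other.append(ev)
    return {"per_process": dict(per_process), "actions": dict(actions),
            "other": other, "unparsed": unparsed}


if __name__ == "__main__":
    print(triage(SAMPLE))
```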
Anyone?
The events should not be occurring.
Vstskmgr.exe is a process that periodically will touch registry keys as indicated by the AP rule violation. However, it utilizes a code routine to ensure its activities are "trusted".
For whatever reason, vstskmgr is going "untrusted" and so its activities breach the AP rule.
As to why it might be untrusted...
It may be a HIPS content issue - make sure you're up-to-date.
If the issue is reproducible, report the behavior to McAfee Support - we'd love to figure out what the steps are to reproduce the issue, find root cause and get it addressed.
An exclusion would work around the problem and may be an acceptable resolution for many, but it's still just a workaround.
I worked with a company that used another security product to force a revocation check for everything. The end result was that when systems could not verify the validity of the code signing, then the various components would not trust each other. In our case, the hot button issue was (as always) the McTray icon, but there were other components that behaved awkwardly as well.
Hi RRMX, I just want to find out if you have resolved this issue?