cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
RRMX
RRMX
Level 7
Report Inappropriate Content
Message 1 of 5
‎01-26-2011 12:38 PM

VsTskMgr.exe triggering Access Protection rule

I was exploring our Access Protection events today and noticed that there are hundreds, if not thousands of events generated by VsTskMgr.exe trying to modify registry keys related to VirusScan. Here is a sample:

1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Minor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete

Is it good practice to exclude VsTskMgr.exe from this rule? Or is there something wrong and a hotfix or newer patch fixes it? I am not sure what causes it so I can't re-create it... but several of our workstations get the error. Looks like there are some creates and deletes in the registry that are attempting to take place.

We are running XP SP3 with VSE 8.7 P3 w/ AntiSpyware. We also run HIP 7.0.0.1159 (Patch 6) and Agent 4.0.0.1494.

I found a similar thread on this but it didn't seem to offer any results from what I could tell: https://community.mcafee.com/thread/22964

Thanks for any insight on this.

0 Kudos
Reply
4 Replies
RRMX
RRMX
Level 7
Report Inappropriate Content
Message 2 of 5
‎02-03-2011 09:06 AM

Re: VsTskMgr.exe triggering Access Protection rule

Anyone?

0 Kudos
Reply
Highlighted
wwarren
wwarren McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 5
‎02-03-2011 02:46 PM

Re: VsTskMgr.exe triggering Access Protection rule

The events should not be occurring.

Vstskmgr.exe is a process that periodically will touch registry keys as indicated by the AP rule violation. However, it utilizes a code routine to ensure its activities are "trusted".

For whatever reason, vstskmgr is going "untrusted" and so its activities breach the AP rule.

As to why it might be untrusted...

It may be a HIPS content issue - make sure you're up-to-date.

If the issue is reproducible, report the behavior to McAfee Support - we'd love to figure out what the steps are to reproduce the issue, find root cause and get it addressed.

An exclusion would work around the problem and may be an acceptable resolution for many, but it's still just a workaround.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
0 Kudos
Reply
joeleisenlipz
joeleisenlipz
Level 12
Report Inappropriate Content
Message 4 of 5
‎02-16-2011 05:16 AM

Re: VsTskMgr.exe triggering Access Protection rule

I worked with an company that used another security product to force a revocation check for everything. The end result was that when systems could not verify the validity of the code signing, then the various components would not trust each other. In our case, the hot button issue was (as always) the McTray icon--but there were other components that behaved awkwardly as well.

0 Kudos
Reply
simonp
simonp
Level 9
Report Inappropriate Content
Message 5 of 5
‎04-11-2013 12:31 AM

Re: VsTskMgr.exe triggering Access Protection rule

Hi RRMX, I just want to find out if you have resolved this issue?

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC