RRMX
Level 7
Message 1 of 5

VsTskMgr.exe triggering Access Protection rule

I was exploring our Access Protection events today and noticed that there are hundreds, if not thousands of events generated by VsTskMgr.exe trying to modify registry keys related to VirusScan. Here is a sample:

1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Minor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete

Is it good practice to exclude VsTskMgr.exe from this rule? Or is there something wrong and a hotfix or newer patch fixes it? I am not sure what causes it so I can't re-create it... but several of our workstations get the error. Looks like there are some creates and deletes in the registry that are attempting to take place.

We are running XP SP3 with VSE 8.7 P3 w/ AntiSpyware. We also run HIP 7.0.0.1159 (Patch 6) and Agent 4.0.0.1494.

I found a similar thread on this but it didn't seem to offer any results from what I could tell: https://community.mcafee.com/thread/22964

Thanks for any insight on this.
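
Added example, not part of the original post and not McAfee tooling: a small Python parser for Access Protection log lines in the layout quoted above, which groups block events by process and rule so the volume, affected keys and time window can be quantified before deciding on an exclusion or a support case. It assumes columns separated by tabs or runs of spaces, US-style dates, and a `vendor_dir` default taken from the path in the log; the last sample line is constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: the first three lines copy the layout of the events
# quoted in the post; the last line is invented for contrast.
SAMPLE = r"""
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Minor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:14:02 AM     Blocked by Access Protection rule      EXAMPLE\jdoe     C:\Temp\example-tool.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
"""

COLUMN_GAP = re.compile(r"[ \t]{2,}|\t")  # columns are split by tabs or runs of spaces

def parse_line(line):
    """Return one event as a dict, or None if the line is not an AP block event."""
    parts = [p.strip() for p in COLUMN_GAP.split(line.strip())]
    if len(parts) != 8 or not parts[7].startswith("Action blocked"):
        return None
    date, clock, _event, user, process, target, rule, action = parts
    return {"when": datetime.strptime(f"{date} {clock}", "%m/%d/%Y %I:%M:%S %p"),
            "user": user, "process": process, "target": target, "rule": rule,
            "action": action.split(":", 1)[1].strip()}

def summarize(text, vendor_dir=r"C:\Program Files\McAfee"):
    """Group block events by (process, rule), most frequent first."""
    groups = defaultdict(list)
    for line in text.splitlines():
        event = parse_line(line)
        if event:
            groups[(event["process"], event["rule"])].append(event)
    report = []
    for (process, rule), events in groups.items():
        report.append({
            "process": process, "rule": rule, "count": len(events),
            "actions": Counter(e["action"] for e in events),
            "targets": sorted({e["target"] for e in events}),
            "first": min(e["when"] for e in events),
            "last": max(e["when"] for e in events),
            # Path comparison only: it does not verify the binary or its signature.
            "vendor_path": process.lower().startswith(vendor_dir.lower() + "\\"),
        })
    return sorted(report, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row["count"], row["process"], dict(row["actions"]), row["vendor_path"])
```

Rows with `vendor_path` set are the product's own binaries being blocked by its own rule; rows without it are other processes touching the protected keys and deserve separate review.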

4 Replies
RRMX
Level 7
Message 2 of 5

Re: VsTskMgr.exe triggering Access Protection rule

Anyone?

McAfee Employee wwarren
Message 3 of 5

Re: VsTskMgr.exe triggering Access Protection rule

The events should not be occurring.

Vstskmgr.exe is a process that periodically will touch registry keys as indicated by the AP rule violation. However, it utilizes a code routine to ensure its activities are "trusted".

For whatever reason, vstskmgr is going "untrusted" and so its activities breach the AP rule.

As to why it might be untrusted...

It may be a HIPS content issue - make sure you're up-to-date.

If the issue is reproducible, report the behavior to McAfee Support - we'd love to figure out what the steps are to reproduce the issue, find root cause and get it addressed.

An exclusion would work around the problem and may be an acceptable resolution for many, but it's still just a workaround.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: VsTskMgr.exe triggering Access Protection rule

I worked with a company that used another security product to force a revocation check for everything. The end result was that when systems could not verify the validity of the code signing, then the various components would not trust each other. In our case, the hot button issue was (as always) the McTray icon--but there were other components that behaved awkwardly as well.

simonp
Level 9
Message 5 of 5

Re: VsTskMgr.exe triggering Access Protection rule

Hi RRMX, I just want to find out if you have resolved this issue?
