aneta5
Level 7
Message 1 of 4

alerts

Hi,

I have a lot of alerts generated by AP and I am not sure where to start. For example, McAfee blocking its own processes. I read that when you check in new extensions to ePO, the exceptions will be entered into policies. This doesn't seem to be the case. Is there a list of the exceptions that I should have? Do I have to enter them manually? If yes, can I do it on the fly?

Thanks

3 Replies
dmcgeary
McAfee Employee
Message 2 of 4

Re: alerts

Greetings, 

How to proceed will have mostly to do with which rule(s) are violated.
Keep in mind that once a rule is modified (adding exclusions) it becomes a self-managed custom rule.
Otherwise, adding exclusions to AP is common.
See KB73080 - that article should get you through this.

If you have more questions, look in the AP log.
In the Run line:
%deflogdir% locate accessprotection.log
Provide a copy of the log entries for the rules being violated.
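The reply above asks for the log entries of the rules being violated; before excluding anything, it helps to see which rule fires most and which source process triggers it. The following Python helper is an added example, not McAfee's tool or anything from this thread. It assumes a tab-separated record layout (timestamp, event, user, source process, target, rule, action) for accessprotection.log entries; that layout and all sample lines are constructed for the example, so check them against a real log before relying on the parser.

```python
"""Triage helper for McAfee VSE Access Protection log entries (added example).

Assumed record layout (constructed for this example, verify against a real
accessprotection.log): seven tab-separated fields per line:
  timestamp, event, user, source process, target, rule, action
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample rows; paths and rule names mirror what the thread shows,
# the backup tool path is a hypothetical third-party process.
_SAMPLE_ROWS = [
    ("1/15/2019 9:12:01 AM", "Blocked by Access Protection rule", r"NT AUTHORITY\SYSTEM",
     r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE",
     r"C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE",
     "Common Standard Protection:Prevent termination of McAfee processes",
     "Action blocked : Terminate"),
    ("1/15/2019 9:12:31 AM", "Blocked by Access Protection rule", r"NT AUTHORITY\SYSTEM",
     r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE",
     r"C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE",
     "Common Standard Protection:Prevent termination of McAfee processes",
     "Action blocked : Terminate"),
    ("1/15/2019 9:13:05 AM", "Blocked by Access Protection rule", r"CORP\backupsvc",
     r"C:\PROGRAM FILES\BACKUPTOOL\BACKUP.EXE",
     r"C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE",
     "Common Standard Protection:Prevent termination of McAfee processes",
     "Action blocked : Terminate"),
    ("1/15/2019 9:14:40 AM", "Blocked by Access Protection rule", r"CORP\jdoe",
     r"C:\USERS\JDOE\TOOLS\EDITOR.EXE",
     r"C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\CONFIG.INI",
     "Common Standard Protection:Prevent modification of McAfee files and settings",
     "Action blocked : Write"),
]
SAMPLE_LOG = "# constructed header line, skipped by the parser\n" + "\n".join(
    "\t".join(row) for row in _SAMPLE_ROWS
)


@dataclass(frozen=True)
class ApEvent:
    timestamp: str
    user: str
    process: str  # source process path, lower-cased for grouping
    target: str   # object the rule protected, lower-cased
    rule: str
    action: str


def parse_ap_log(text):
    """Parse log text into ApEvent records; malformed or comment lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 7:
            continue  # do not crash on an unexpected layout, just drop the line
        ts, _event, user, proc, target, rule, action = parts
        events.append(ApEvent(ts, user, proc.lower(), target.lower(), rule, action))
    return events


def summarize(events):
    """Count violations per (rule, source process) pair: the basis for any exclusion decision."""
    return Counter((e.rule, e.process) for e in events)


def top_rules(events, n=3):
    """Rules ordered by how often they fired, so triage starts with the noisiest."""
    return Counter(e.rule for e in events).most_common(n)


def self_protection_noise(events):
    """Entries matching the expected-behaviour case from KB84015: a service host
    enumerating McAfee processes and tripping the termination self-protection rule."""
    return [
        e for e in events
        if e.rule == "Common Standard Protection:Prevent termination of McAfee processes"
        and e.process.endswith("\\svchost.exe")
    ]


if __name__ == "__main__":
    evs = parse_ap_log(SAMPLE_LOG)
    for (rule, proc), count in summarize(evs).most_common():
        print(f"{count:4d}  {rule}  <-  {proc}")
    print("expected svchost self-protection hits:", len(self_protection_noise(evs)))
```

Run it against a copy of the real log by replacing SAMPLE_LOG with the file contents. Entries that fall into the svchost self-protection group are the ones the thread's last reply describes as expected behaviour; anything from a third-party process deserves a look at what that process is doing before an exclusion is considered.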

aneta5
Level 7
Message 3 of 4

Re: alerts

Hello,

This is a major pain. Can I add these exclusions afterwards on the fly without breaking anything? I am getting a lot of

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE

Common Standard Protection:Prevent termination of McAfee processes

 

Thank you

dmcgeary
McAfee Employee
Message 4 of 4

Re: alerts

Topic is covered in KB84015

Before excluding anything the behavior needs to be understood.

Cause

A service running within SvcHost.exe or a third-party process is accessing and enumerating the running processes with a permission set that allows it to terminate processes, though it might not actually be attempting to terminate processes.

Svchost.exe is a process on your computer that hosts, or contains, other individual services that Windows uses to perform various functions. For example, Windows Defender uses a service that is hosted by a svchost.exe process. There can be multiple instances of svchost.exe running on your computer, with each instance containing different services. One instance of svchost.exe might host a single service for a program, and another instance might host several services related to Windows. You can use Task Manager to view which services are running under each instance of svchost.exe.

Some third-party applications enumerate processes with the privilege to terminate processes. This can cause the rule to be triggered many times per minute, depending on the application.

Solution

This is expected behavior, and VSE is working as designed.

The rule is triggered because it is a self-protection rule, and it acts as a security measure to avoid any third-party applications or malware from disabling VSE protection.

Contact Microsoft if further root cause or information is required.