I have a lot of alerts generated by AP and I am not sure where to start. For example, McAfee blocking its own processes. I read that when you check in new extensions to ePO, the exceptions will be entered into policies. This doesn't seem to be the case. Is there a list of the exceptions that I should have? Do I have to enter them manually? If yes, can I do it on the fly?
How to proceed will have mostly to do with what rule(s) are violated. Keep in mind that once a rule is modified (add exclusions) it becomes a self-managed custom rule. Otherwise adding exclusions to AP is common. See KB73080. That article should get you through this.
If you have more questions, look in the AP log. In the Run line, enter %deflogdir%, locate accessprotection.log, and provide a copy of the log entries for the rules being violated.
Before excluding anything the behavior needs to be understood.
A service running within SvcHost.exe or a third-party process is accessing and enumerating the running processes with a permission set that allows it to terminate processes, though it might not actually be attempting to terminate processes.
Svchost.exe is a process on your computer that hosts, or contains, other individual services that Windows uses to perform various functions. For example, Windows Defender uses a service that is hosted by a svchost.exe process. There can be multiple instances of svchost.exe running on your computer, with each instance containing different services. One instance of svchost.exe might host a single service for a program, and another instance might host several services related to Windows. You can use Task Manager to view which services are running under each instance of svchost.exe.
Some third-party applications enumerate processes with the privilege to terminate processes. This can cause the rule to be triggered many times per minute, depending on the application.
This is expected behavior, and VSE is working as designed.
The rule is triggered because it is a self-protection rule, and it acts as a security measure to avoid any third-party applications or malware from disabling VSE protection.
Contact Microsoft if further root cause or information is required.
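The two replies above say the same thing from different angles: first work out which rule each alert violates and which process triggered it, and only then decide whether it is the expected svchost.exe self-protection case or something that needs an exclusion. The script below is an added example, not code from the thread or from McAfee, that sorts a copy of accessprotection.log into those two buckets. It assumes a tab-separated line layout (date, time, event, user, source process, target, rule name, action); the sample entries are constructed, and the real file's column order should be checked against the first few lines before relying on the field names.

```python
"""Triage helper for VSE Access Protection log entries (added example)."""
import ntpath
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample entries. The tab-separated layout below (date, time,
# event, user, source process, target, rule name, action) is an assumption
# about the accessprotection.log format, not something stated in the thread.
SAMPLE_LOG = "\n".join([
    "7/15/2013\t10:23:45 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM"
    "\tC:\\Windows\\System32\\svchost.exe"
    "\tC:\\Program Files\\McAfee\\VirusScan Enterprise\\mcshield.exe"
    "\tCommon Standard Protection:Prevent termination of McAfee processes"
    "\tAction blocked : Terminate",
    "7/15/2013\t10:24:10 AM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM"
    "\tC:\\Windows\\System32\\svchost.exe"
    "\tC:\\Program Files\\McAfee\\VirusScan Enterprise\\mcshield.exe"
    "\tCommon Standard Protection:Prevent termination of McAfee processes"
    "\tAction blocked : Terminate",
    # Constructed third-party tool name; a real hit here needs investigation first.
    "7/15/2013\t10:25:02 AM\tBlocked by Access Protection rule\tCORP\\jsmith"
    "\tC:\\Program Files\\ExampleTool\\exampletool.exe"
    "\tC:\\Program Files\\McAfee\\VirusScan Enterprise\\mcshield.exe"
    "\tCommon Standard Protection:Prevent termination of McAfee processes"
    "\tAction blocked : Terminate",
    "7/15/2013\t10:26:30 AM\tBlocked by Access Protection rule\tCORP\\jsmith"
    "\tC:\\Users\\jsmith\\AppData\\Local\\Temp\\mailer.exe"
    "\t0.0.0.0:25"
    "\tAnti-virus Standard Protection:Prevent mass mailing worms from sending mail"
    "\tAction blocked : Create",
    "truncated line that should be skipped",
])

FIELDS = ("date", "time", "event", "user", "source", "target", "rule", "action")


def parse_ap_log(text: str) -> List[Dict[str, str]]:
    """Split log text into one dict per well-formed line; skip short lines."""
    entries = []
    for line in text.splitlines():
        parts = line.rstrip("\r\n").split("\t")
        if len(parts) < len(FIELDS):
            continue  # header, blank or truncated line
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def summarize(entries: List[Dict[str, str]]) -> List[Tuple[Tuple[str, str], int]]:
    """Count hits per (rule, source process basename), most frequent first."""
    counts = Counter(
        (e["rule"], ntpath.basename(e["source"]).lower()) for e in entries
    )
    return counts.most_common()


def is_expected_self_protection(entry: Dict[str, str]) -> bool:
    """svchost.exe tripping the 'prevent termination' rule is the case the
    thread describes as VSE working as designed."""
    source = ntpath.basename(entry["source"]).lower()
    return (source == "svchost.exe"
            and "termination of mcafee processes" in entry["rule"].lower())


def triage(text: str) -> Dict[str, list]:
    """Separate expected self-protection noise from entries needing review."""
    entries = parse_ap_log(text)
    expected = [e for e in entries if is_expected_self_protection(e)]
    review = [e for e in entries if not is_expected_self_protection(e)]
    return {"expected": expected, "review": review, "summary": summarize(entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for (rule, proc), n in result["summary"]:
        print(f"{n:4d}  {proc:<20} {rule}")
    print(f"{len(result['expected'])} expected self-protection hit(s), "
          f"{len(result['review'])} entr(y/ies) to review before any exclusion")
```

To run it against a real file, read the contents of accessprotection.log from %deflogdir% and pass the text to triage() instead of SAMPLE_LOG. Everything in the "review" bucket is what the first reply asks for: the rule name and source process for each violation, which is the information needed to decide whether an exclusion (and therefore a self-managed custom rule) is justified.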