Former Member
Message 1 of 3

mfeann.exe and Registry violations - Infection or Misconfiguration?

All,

I have a few computers generating about 100k 1092 events daily.

The threat source is mfeann.exe... below is the output.

99% of these events are occurring on a very small number of computers... however, it appears to be coming from mfeann.exe, which is a legit McAfee process.

Is this an infection or is this a misconfiguration?

Below is my Pivot Table export

Common Standard Protection:Prevent modification of McAfee files and settings    92710
  C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    92710
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection    11
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\OASState    11
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\Alert Client\VSE    14122
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesCleaned    13094
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesDeleted    13097
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesInfected    13094
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesMoved    13097
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned    13092
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned    13092
2 Replies
Former Member
Message 2 of 3

Re: mfeann.exe and Registry violations - Infection or Misconfiguration?

A little more info from the On Access log... so, is McAfee triggering on itself? And why?

3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesInfected    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesCleaned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesDeleted    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesMoved    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\Alert Client\VSE    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Write

Former Member
Message 3 of 3

Re: mfeann.exe and Registry violations - Infection or Misconfiguration?

OK, I figured this out.

I looked at the McAfee Default Access Protection policy for VSE 8.8 and then compared it to the policy being applied.

Someone built new policies but removed mfeann.exe from the "Processes to Exclude:" list.

Anyhow, this exclusion wipes out about 100k extraneous events per day that should never have been generated.

Now I gotta wait for it to propagate out....
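
A triage sketch for the log format shown in message 2, added here as an example and not part of the original thread or of any McAfee tooling: it groups blocked events by rule, process and user, and separates the product blocking its own binary (the misconfiguration found above) from any other process. The eight-column layout, the field names and the last sample line are assumptions or constructed.

```python
import re
from collections import defaultdict

# First three lines are copied from message 2; the last one is constructed for contrast.
SAMPLE_LOG = r"""
3/10/2014    8:34:11 AM    Blocked by Access Protection rule    NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create
3/10/2014    8:34:11 AM    Blocked by Access Protection rule    NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create
3/10/2014    8:34:11 AM    Blocked by Access Protection rule    NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\Alert Client\VSE    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Write
3/10/2014    8:35:02 AM    Blocked by Access Protection rule    EXAMPLE\jdoe    C:\Users\jdoe\AppData\Local\Temp\sample.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\OASState    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Write
"""

# Column names are assumptions chosen for this example; the log itself has no header.
FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")
VENDOR_DIR = "c:\\program files (x86)\\mcafee\\"  # install path seen in the thread
VENDOR_KEY = "\\software\\wow6432node\\mcafee\\"  # registry subtree seen in the thread

def parse_line(line):
    """Split one log line on tabs or runs of 2+ spaces; None if it is not 8 columns."""
    parts = [p.strip() for p in re.split(r"\t|\s{2,}", line.strip()) if p.strip()]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def triage(log_text):
    """Group blocked events by (rule, process, user) and attach a next step to each group."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["event"] == "Blocked by Access Protection rule":
            g = groups[(ev["rule"], ev["process"], ev["user"])]
            g["count"] += 1
            g["targets"].add(ev["target"])
    report = []
    for (rule, process, user), g in groups.items():
        own_binary = process.lower().startswith(VENDOR_DIR)
        own_keys = all(VENDOR_KEY in t.lower() for t in g["targets"])
        as_system = user.upper() == "NT AUTHORITY\\SYSTEM"
        # A path match is a hint, not proof of the binary's identity; the thread
        # confirmed the cause by comparing the applied policy with the default one.
        verdict = ("compare 'Processes to Exclude' with default policy"
                   if own_binary and own_keys and as_system else "investigate process")
        report.append({"rule": rule, "process": process, "user": user,
                       "count": g["count"], "verdict": verdict})
    return sorted(report, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row["count"], row["process"], "->", row["verdict"])
```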
