
svchost.exe attempting to stop McAfee services....?

I just enabled alerts for access protection.  Now I am seeing floods of "Common Standard Protection: Prevent termination of McAfee processes" notices for a handful of machines (mix of OS from Windows 7 to Server 2012 R2).

The offending source process is svchost.exe which tells me absolutely nothing.....

Does anyone have experience with this error?  It seems to me that the services are still running, except real-time.  Real-time service will not start on any of these machines, so maybe I have the cart in front of the horse.  Maybe the issue is that the real-time client install is corrupted or not working, and therefore sputters and then causes an alert.....?

6 Replies
Hayton
Level 18
Message 2 of 7

Re: svchost.exe attempting to stop McAfee services....?

Moved to Business > Endpoint Security > VirusScan Enterprise

There is a KnowledgeBase document about this which also names svchost.exe as the cause of those messages

https://kc.mcafee.com/corporate/index?page=content&id=KB53876

wwarren
Level 15
Message 3 of 7

Re: svchost.exe attempting to stop McAfee services....?


> The offending source process is svchost.exe which tells me absolutely nothing.....


It tells you what you need to know.

SVChost.exe (or a DLL that it has loaded) is enumerating our processes using an ACCESS_MASK that includes the TERMINATE privilege explicitly.

If we allowed that operation to succeed (such as when the AP rule was disabled) then SVCHost.exe could terminate our protected processes - thus, we do not allow it when that AP rule is enabled, and it should _always_ be enabled.

SVCHost is a notorious strong-arm for malware, allowing malware to run with SYSTEM credentials. There isn't enough data here to know if it is malware or a legitimate application using SVCHost.

But you say that the real-time scanner is not starting.  That is where your focus should be for now.  I suggest engaging our Support team for assistance, indicating you may have malware disabling the product.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: svchost.exe attempting to stop McAfee services....?

Thank you!  I read the KB too (which I am not sure applies since we are running VSE 8.8).  That KB described what you also did (the terminate privilege).

So is McAfee able to remove that TERMINATE privilege?  Or are you simply reporting that because a DLL has enumerated in such a way that it in practice could stop the services, and therefore will be reported as if it has.  I would agree with this strategy from McAfee (one reason I really like this product).


Is there any way to determine which DLL is doing this?

It is a bit more concerning that one of the McAfee services is actually stopped and unable to be started.  These are fairly new systems though, with clean scans.....

wwarren
Level 15
Message 5 of 7

Re: svchost.exe attempting to stop McAfee services....?

We can stop the process from obtaining that privilege.

We cannot stop the process from exercising that privilege once obtained. This is why the rule triggers on many legitimate applications too, well, legitimate but poorly programmed. As stated earlier, the rule triggers because the requesting process has explicitly said "I want to be able to Terminate this process", and that's not OK.

There isn't a programmatic way for us to identify the DLL. But you can use Process Explorer to see what DLLs are loaded in the process and cast suspicion upon any non-Microsoft DLLs found.

Indeed the McAfee service not starting is of greater concern. And because the possible causes behind it are many, I suggest tackling it with a Support person.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
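
The manual Process Explorer check suggested in the reply above can also be scripted. The following is an added example, not part of the thread and not McAfee tooling; it assumes an elevated PowerShell prompt, and matching the signer subject on "O=Microsoft Corporation" is a triage heuristic chosen for this example.

```powershell
# Added example (not from the thread). Run from an elevated prompt.
# Lists DLLs loaded in each svchost.exe instance whose Authenticode signer
# is not Microsoft, together with the services that instance hosts.
$findings = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    # Services hosted in this instance; Get-WmiObject also works on PowerShell 2.0.
    $svc = Get-WmiObject Win32_Service -Filter "ProcessId = $($proc.Id)" |
        ForEach-Object { $_.Name }

    # Reading the module list fails for protected processes or without elevation.
    $modules = $null
    try { $modules = $proc.Modules } catch { }
    if (-not $modules) {
        Write-Warning "PID $($proc.Id): module list not readable"
        continue
    }

    foreach ($mod in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $mod.FileName -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        # Heuristic (assumption of this example): valid signature with a Microsoft subject.
        $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
        if (-not $isMicrosoft) {
            New-Object PSObject -Property @{
                ProcessId = $proc.Id
                Services  = ($svc -join ',')
                Module    = $mod.FileName
                Company   = $mod.FileVersionInfo.CompanyName
                SigStatus = "$($sig.Status)"
                Signer    = $signer
            }
        }
    }
}

# One row per module to review, grouped by the svchost instance that loaded it.
$findings |
    Sort-Object ProcessId, Module |
    Select-Object ProcessId, Services, Module, Company, SigStatus, Signer |
    Format-Table -AutoSize -Wrap
```

On older PowerShell versions, catalog-signed Windows DLLs can show as NotSigned, so treat the output as a list of modules to review rather than a verdict.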

Re: svchost.exe attempting to stop McAfee services....?

Thanks!  I'll open a ticket and post back if it's anything helpful (regarding real-time not starting or crashing on some systems).

So it must not be real-time that is catching this DLL behavior, because I get these alerts on the systems that have a crashed real-time service.  It must be the VirusScan engine because this is a piece of access protection.  I am wondering what real-time is doing then.....?

wwarren
Level 15
Message 7 of 7

Re: svchost.exe attempting to stop McAfee services....?

The alert is coming from Access Protection, which functions independently of the real-time scanner (it didn't use to in the past, so maybe that is confusing to some folk).

The virusscan engine is used by the real-time scanner.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee