
ePO Access Protection Rule Violation NT Authority\System

Hi,

We upgraded to Windows 10/Server 2016 boxes. ePO 5.1.1 with VSE 8.8.9 started alerting every time a user logged into the Win10/Server2016 box. An example is shown below.

Detecting Product Host Name: SERVER2016

Time Detected: 12/07/17 15:05:11 UTC

Time Received: 12/07/17 15:06:40 UTC

Host Name: _

Host's DAT Version:

Threat Category: 'File' class or access

Threat Type: access protection

Severity: Notice

Name: Common Standard Protection:Prevent termination of McAfee processes

Description: Access Protection rule violation detected and blocked

File: C:\WINDOWS\SYSTEM32\MFEVTPS.EXE

Source URL:

Source Process:

Source Username:

Source IP: IP Redacted

Target Host Name: SERVER2016

Target Username: NT AUTHORITY\SYSTEM

Target IP: IP Redacted

Target Port: 0

Target Protocol:

Action Taken: deny terminate

Threat Handled: True

Several alerts are generated per login. The difference in the body is the file / path. Another example is:

Detecting Product Host Name: SERVER2016

Time Detected: 12/07/17 15:05:11 UTC

Time Received: 12/07/17 15:06:40 UTC

Host Name: _

Host's DAT Version:

Threat Category: 'File' class or access

Threat Type: access protection

Severity: Notice

Name: Common Standard Protection:Prevent termination of McAfee processes

Description: Access Protection rule violation detected and blocked

File: C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE

Source URL:

Source Process:

Source Username:

Source IP: IP Redacted

Target Host Name: SERVER2016

Target Username: NT AUTHORITY\SYSTEM

Target IP: IP Redacted

Target Port: 0

Target Protocol:

Action Taken: deny terminate

Threat Handled: True

All the alerts (about 6 per login session) are for various files in the McAfee directory. The target user is always NT Authority\System. We upgraded to ePO 5.3.3 and VSE 8.8.010 with agent version 5.0.6.220.

McAfee support told me it is a Windows issue since NT Authority\System is trying to request kill privileges upon start up. Has anyone else seen this and have any insight?

1 Reply
Reliable Contributor catdaddy

Re: ePO Access Protection Rule Violation NT Authority\System

Discussion successfully moved from Community Support to ePolicy Orchestrator (ePO)

Cliff
McAfee Volunteer