ePO Access Protection Rule Violation NT Authority\System

Hi,

We upgraded to Windows 10 / Server 2016 boxes. ePO 5.1.1 with VSE 8.8.9 started alerting every time a user logged into the Win10/Server2016 box. An example is shown below.

Detecting Product Host Name: SERVER2016

Time Detected: 12/07/17 15:05:11 UTC

Time Received: 12/07/17 15:06:40 UTC

Host Name: _

Host's DAT Version:

Threat Category: 'File' class or access

Threat Type: access protection

Severity: Notice

Name: Common Standard Protection:Prevent termination of McAfee processes

Description: Access Protection rule violation detected and blocked

File: C:\WINDOWS\SYSTEM32\MFEVTPS.EXE

Source URL:

Source Process:

Source Username:

Source IP: IP Redacted

Target Host Name: SERVER2016

Target Username: NT AUTHORITY\SYSTEM

Target IP: IP Redacted

Target Port: 0

Target Protocol:

Action Taken: deny terminate

Threat Handled: True

Several alerts are generated per login. The difference in the body is the file / path. Another example is:

Detecting Product Host Name: SERVER2016

Time Detected: 12/07/17 15:05:11 UTC

Time Received: 12/07/17 15:06:40 UTC

Host Name: _

Host's DAT Version:

Threat Category: 'File' class or access

Threat Type: access protection

Severity: Notice

Name: Common Standard Protection:Prevent termination of McAfee processes

Description: Access Protection rule violation detected and blocked

File: C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE

Source URL:

Source Process:

Source Username:

Source IP: IP Redacted

Target Host Name: SERVER2016

Target Username: NT AUTHORITY\SYSTEM

Target IP: IP Redacted

Target Port: 0

Target Protocol:

Action Taken: deny terminate

Threat Handled: True

All the alerts (about 6 per login session) are for various files in the McAfee directory. The target user is always NT Authority\System. We upgraded to ePO 5.3.3 and VSE 8.8.010 with agent version 5.0.6.220.

McAfee support told me it is a Windows issue since NT Authority\System is trying to request kill privileges upon start up. Anyone else seen this and have any insight?

Reply from catdaddy (Reliable Contributor):

Re: ePO Access Protection Rule Violation NT Authority\System

Discussion successfully moved from Community Support to ePolicy Orchestrator (ePO)

Cliff
McAfee Volunteer