0 Replies Latest reply on Jun 20, 2017 11:24 AM by buiskand

    Installing McAfee Endpoint 10.5.0 creates a task scheduler that runs a .vbs file

    buiskand

      Hi,

      First of all, apologies for the long post. We are currently stuck with an issue: we recently installed McAfee Endpoint Security 10.5.0 on our DB server running Windows Server 2012 R2 and SQL Server 2014.

      We noticed that after installing endpoint, a new task scheduler appeared called "Security Notify Script":

      ctfmon_1.JPG

       

      which apparently is calling a script in C:\windows\system\ctfmon.vbs --> this file wasn't there prior to endpoint installation

      And inside the script, it is running a powershell command:

      ctfmon_2.JPG

       

      eventually this will run svchost.exe*32 (we checked through procmon) and it will crash a random driver with bugcheck 0x133

       

      the issue here is that whenever it crashes, it always makes the server restart, and by default the "Security Notify Script" will run again, since somehow it is set to run after log on:

      ctfmon_3.JPG

       

      and the restart loop will keep on going and going. We tried to disable this scheduler and also delete the ctfmon.vbs file and it didn't restart anymore, but around 1 month later, it appeared again automatically.

       

      we also found this task scheduler was created by user:

      ctfmon_4.JPG

      and when we searched in the event viewer, this user belongs to:

      ctfmon_5.JPG

      so the main question: is it normal for McAfee Endpoint Security to create this task scheduler and ctfmon.vbs file?

      did we make a mistake in how we installed it, or is this something else?

      can anyone help ?

       

      thanks
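
An added example, not part of the original post and not McAfee code: a PowerShell audit for the pattern described above, a scheduled task that starts a script at logon, together with the task's author and its registration events. It uses the built-in ScheduledTasks cmdlets and `Get-WinEvent`; the function name `Test-ScriptAction` and the lists of script hosts and extensions are assumptions made for this example.

```powershell
# Added example: list scheduled tasks whose action starts a script.
# The host and extension lists are assumptions chosen for this audit.
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe'
$scriptExts  = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.ps1'

function Test-ScriptAction {
    param($Action)
    # Only Exec actions carry Execute/Arguments; COM handler actions do not.
    if (-not $Action.Execute) { return $false }
    $exe  = [Environment]::ExpandEnvironmentVariables($Action.Execute).Trim('"')
    $leaf = ($exe -split '[\\/]')[-1].ToLowerInvariant()
    if ($scriptHosts -contains $leaf) { return $true }
    $line = "$exe $($Action.Arguments)".ToLowerInvariant()
    foreach ($ext in $scriptExts) {
        if ($line -match ([regex]::Escape($ext) + '(\s|"|$)')) { return $true }
    }
    return $false
}

$findings = @(foreach ($task in Get-ScheduledTask) {
    # True when at least one trigger fires at user logon.
    $atLogon = @($task.Triggers | Where-Object {
        $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
    foreach ($action in $task.Actions) {
        if (Test-ScriptAction $action) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Author    = $task.Author
                RunAs     = $task.Principal.UserId
                AtLogon   = $atLogon
                Execute   = $action.Execute
                Arguments = $action.Arguments
            }
        }
    }
})
$findings | Sort-Object AtLogon -Descending | Format-List

# Task registration history (event ID 106) shows who registered each task and
# when; this needs the Task Scheduler operational log to be enabled.
$names = @($findings | ForEach-Object { $_.Task })
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106
} -ErrorAction SilentlyContinue |
    Where-Object { $m = $_.Message; $names | Where-Object { $m -and $m.Contains($_) } } |
    Select-Object TimeCreated, Message | Format-List
```

Run it from an elevated PowerShell session so that tasks registered under other accounts are included.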