First of all, I apologize for the long post. We are currently stuck with an issue where we had just recently installed McAfee Endpoint Security 10.5.0 onto our DB server running Windows Server 2012 R2 and SQL Server 2014.
We noticed that after installing endpoint, a new task scheduler appeared called "Security Notify Script":
which apparently is calling a script in C:\windows\system\ctfmon.vbs --> this file wasn't there prior to endpoint installation
And inside the script, it is running a powershell command:
Eventually this will run svchost.exe*32 (we checked through procmon) and it will crash a random driver with bugcheck 0x133.
The issue here is that whenever it crashes, it always makes the server restart, and by default the "Security Notify Script" will run again, since somehow it is set to run after log on:
and the restart loop will keep on going and going. We tried to disable this scheduler and also delete the ctfmon.vbs file and it didn't restart anymore, but around 1 month later, it appeared again automatically.
We also found this task scheduler was created by user:
and when we searched in the event viewer, this user belongs to:
So the main question: is it normal for McAfee Endpoint Security to create this task scheduler and ctfmon.vbs file?
Did we make a mistake in how we installed it, or is this something else?
Can anyone help?
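
To answer the question about where the task and the file came from, the evidence can be collected in one pass. The following is an added example, not part of the original post: it uses the task name and script path quoted in the post, writes copies to a hypothetical folder under `%TEMP%`, and assumes the Task Scheduler operational log is enabled for the last step.

```powershell
# Names below are taken from the post; adjust if yours differ.
$TaskName   = 'Security Notify Script'
$ScriptPath = 'C:\windows\system\ctfmon.vbs'
$OutDir     = Join-Path $env:TEMP 'task-triage'   # hypothetical output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Task definition: author, creation date, run-as account, triggers, actions.
$tasks = @(Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)
$n = 0
foreach ($t in $tasks) {
    $raw = Export-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath
    $raw | Set-Content -Path (Join-Path $OutDir "task$n.xml") -Encoding Unicode
    $n++
    $reg = ([xml]$raw).Task.RegistrationInfo
    [pscustomobject]@{
        Task     = $t.TaskPath + $t.TaskName
        State    = $t.State
        Author   = $reg.Author
        Created  = $reg.Date
        RunAs    = $t.Principal.UserId
        Triggers = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ', '
        Actions  = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    } | Format-List
}

# 2. The script file: timestamps, owner, hash, and a read-only copy of its content.
if (Test-Path -LiteralPath $ScriptPath) {
    $f = Get-Item -LiteralPath $ScriptPath -Force
    [pscustomobject]@{
        Path      = $f.FullName
        Created   = $f.CreationTimeUtc
        Modified  = $f.LastWriteTimeUtc
        Owner     = (Get-Acl -LiteralPath $ScriptPath).Owner
        SHA256    = (Get-FileHash -LiteralPath $ScriptPath -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -FilePath $ScriptPath).Status
    } | Format-List
    Copy-Item -LiteralPath $ScriptPath -Destination (Join-Path $OutDir 'ctfmon.vbs.txt')
}

# 3. Any other task whose action references the same script.
Get-ScheduledTask | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -like '*ctfmon.vbs*' }
} | Select-Object TaskPath, TaskName, State

# 4. Task registration events (ID 106), to date the reappearance.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$TaskName*" } |
    Select-Object TimeCreated, Message
```

Run it from an elevated PowerShell session before disabling or deleting anything, so the author, creation time and file hash are preserved for comparison with what the vendor's installer is documented to create.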