4 Replies Latest reply on Mar 2, 2009 6:15 PM by mchpis

    McLogEvent 257

      Hi,

      i have a Problem with Groupshield v6.0.2 (6.0.1148.100) and VirusScan Enterprise 8.5i

      Every 1 minute is an entry in the eventlog:
      Source: McLogEvent
      Event ID : 257
      Type: Information
      User: NT-AUTORITÄT\SYSTEM

      Blocked by access protection rule. Access to object \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default\ExcludedItem_0 was blocked by rule Common Standard Protection:Prevent modification of McAfee files and settings.

      and in the AccessProtectionLog.txt is the following entry

      08.10.2007 11:52:04 Blocked by Access Protection rule NT-AUTORITÄT\SYSTEM C:\Programme\Network Associates\McAfee GroupShield\bin\SAFeService.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default\ExcludedItem_0 Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Create

      Has anyone solution for this?


      ___________________
      Cheers
      Thomas


      *sorry for my bad englisch*
        • 1. Me, too
          I am also encountering this issue. I presume it's not critical but it still clogs up my application event monitor. There's an entry like that in the log once every minute.

          Any help?
          • 2. RE: McLogEvent 257
            I'm encountered this as well on a group of my servers. It applies to 8 servers.

            1. They are all application servers.
            2. They are in a container on our ePO server that contains unaffected computers.
            3. They are able to poll externally to the McAfee HTTP source.
            4. The servers function normally otherwise.
            5. The only GPOs applied to that box are our Default Domain Policy, our Windows Update Policy, and our Default Server Policy. These GPOs are applied to all servers in our domain and not causing problems anywhere.
            6. Communication will occur if we force the update from the ePO console on the ePO server, but not if we attempt the update from the affected server.

            We are in the process of determining if these boxes are somehow sitting inside our DMZ, but we're unsure at the moment (large environment, takes a bit).

            Ideas?
            • 3. RE: McLogEvent 257
              Anyone find a fix for this?

              I have this happening on 3 of my Exchange servers.

              Event Type: Information
              Event Source: McLogEvent
              Event Category: None
              Event ID: 257
              Date: 3/2/2009
              Time: 4:18:17 PM
              User: NT AUTHORITY\SYSTEM
              Computer: Server name
              Description:
              Blocked by access protection rule. Access to object \REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\DefaultTask\ExcludedItem_0 was blocked by rule Common Standard Protection:Prevent modification of McAfee files and settings.


              Looks like something is trying to modify McAfee items and its blocking whatever it from doing it. Would be nice if they could somehow include the object thats trying to do the modifications.

              Server running
              Win2k3 sp2
              Exchange 2003
              Group Shield 6.02 (yeah it needs updated)
              VSE/MAS 8.5 P7
              McAfee Agent 4.0.0.1345

              Thanks for any help!

              -Keith
              • 4. RE: McLogEvent 257
                Did some digging at kc.mcafee.com and found this article and so far it seems to have solved the issue.

                They must have forgotten to add the Safeservice.exe process to the exclude list of McAfee files and settings when they built the default settings for 8.5....

                Here is the link to the article:

                https://kc.mcafee.com/corporate/index?page=content&id=KB53652&actp=search&search id=1236036946193