6 Replies Latest reply on Mar 30, 2011 7:33 AM by imcimor

    Changing configuration settings in registry - VirusScan

    araczek

      In trying to resolve a security scan finding I am trying to modify the registry but my changes don't seem to stick. Here is one example:

       

       

      Manual Fix Procedures

      Change the registry key HKLM\Software\Network Associates\TVD\Shared Components\On Access Scanner\mcshield\Configuration so that the value of Alert_UsersCanRemove is 0.

      ;Change the registry key HKLM\Software\McAfee\VSCore\On Access Scanner\mcshield\Configuration so that the value of Alert_UsersCanRemove

       

      There are other settings also. I make the change but it does not stay, it reverts back to the "finding" value. I at first changed only the setting under VScore. But then I noticed the same thing under TVD. So the question is why doesn't the value stay and why are there 2 spots to make a change?

       

      ePO is running on the network. VirusScan is v8.5. I did try changing the registry setting at home but it still changed back (not connected to the network, epo or Group Policy). Anyone have an answer?

        • 1. Re: Changing configuration settings in registry - VirusScan
          GWIRT

          Moved to VSE Community.

          • 2. Re: Changing configuration settings in registry - VirusScan
            sthayden

            Under your access protection rules, if the Prevent modification of McAfee files and settings is checked, you won't be able to make changes to that. That is a policy managed by EPO so it comes down as policy to block those changes. You may want to check your logs to see if it is that policy that is blocking those changes.

            • 3. Re: Changing configuration settings in registry - VirusScan
              araczek

              Thanks. Actually, I do not have access protection loaded. This is a development LAN not connected to the Internet and Access Protection would be too restrictive. Just have Buffer Overflow Prot, On-Delivery email scanner, Unwanted Programs Policy, On-Access scanner, Quarantine Manager, Full Scan and Autoupdate.

               

              But as I believe I mentioned, why are there 2 spots in the registry, VSCORE and TVD? And do BOTH spots need to be changed to satisfy the scan? I actually did change the one setting in both spots (had to create keys in TVD) and it still reverted back. Maybe McAfee framework is doing this?

               

              AT A LOSS.

              • 4. Re: Changing configuration settings in registry - VirusScan
                araczek

                An update, I turned off the McAfee Framework Service and the registry stays intact. So why is Framework reverting the registry settings?

                 

                ...AR

                • 5. Re: Changing configuration settings in registry - VirusScan

                  Sounds like you have a policy set in EPO which is being enforced and overwriting your change on the desktop.

                   

                  I don't use 8.5 any more (using 8.7), but you should find the GUI equivalent of the Registry key under "On Access Scan Properties"/ "General Settings" / "Messages" / "Actions available to user" - "Remove Messages from the list". When that setting is ticked, it will be 1 in the registry, unticked is 0.

                   

                  There should be a corresponding setting in EPO for the VirusScan policy. It needs to be changed there to make it enforced correctly.

                  • 6. Re: Changing configuration settings in registry - VirusScan

                    For anyone who comes across this, I experienced the same thing. I found this resolved my problem:

                    1. Open up the VirusScan Console. Select Access Protection Properties
                    2. In the Categories window, select Common Standard Protection
                    3. In the right window, there are 3 columns; Block, Report, & Rules

                    The rules I unblocked to allow the modifications to the registry were:

                    • Prevent Modification of McAfee files and Settings
                    • Prevent Modification of McAfee Common Management Agent files and settings
                    • Prevent Modification of McAfee Scan Engine files and settings

                     

                    Afterwards, make sure you enable Block again when you are finished with your modifications. I leave Report checked for auditing purposes.

                    This is based on 8.7i
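
A read-only way to check the value this thread discusses in both registry locations, and to see whether it changes between readings, as an added example that is not part of any post above. It assumes Windows PowerShell run locally on the VirusScan machine; the `Samples` and `IntervalSeconds` parameters and the `Get-SettingState` helper are hypothetical names chosen for the example.

```powershell
# Added example (not from the thread): read-only audit of the setting discussed above.
param(
    [int]$Samples = 1,          # assumption: number of readings to take
    [int]$IntervalSeconds = 60  # assumption: pause between readings
)

$ValueName = 'Alert_UsersCanRemove'
$Expected  = 0   # value the scan finding asks for
$Keys = @(
    'HKLM:\Software\Network Associates\TVD\Shared Components\On Access Scanner\mcshield\Configuration',
    'HKLM:\Software\McAfee\VSCore\On Access Scanner\mcshield\Configuration'
)

function Get-SettingState {
    param([string]$Path, [string]$Name, [int]$Want)
    $present = $false; $value = $null
    if (Test-Path -LiteralPath $Path) {
        # The key can exist without the value (the TVD key had to be created by hand in the thread).
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $present = $true; $value = $item.$Name }
    }
    New-Object PSObject -Property @{
        Time      = Get-Date -Format 'HH:mm:ss'
        Path      = $Path
        Present   = $present
        Value     = $value
        Compliant = ($present -and ($value -eq $Want))
    }
}

# The thread found that stopping this service kept manual edits in place.
$svc = Get-Service -DisplayName 'McAfee Framework Service' -ErrorAction SilentlyContinue
if ($svc) { "Framework service status: $($svc.Status)" } else { 'Framework service not found' }

$last = @{}
for ($i = 1; $i -le $Samples; $i++) {
    foreach ($key in $Keys) {
        $state = Get-SettingState -Path $key -Name $ValueName -Want $Expected
        $state | Select-Object Time, Present, Value, Compliant, Path | Format-List
        # Flag a value that changed between readings, e.g. after a policy enforcement.
        if ($last.ContainsKey($key) -and $last[$key] -ne $state.Value) {
            "CHANGED: $key went from '$($last[$key])' to '$($state.Value)'"
        }
        $last[$key] = $state.Value
    }
    if ($i -lt $Samples) { Start-Sleep -Seconds $IntervalSeconds }
}
```

Running it with several samples right after a manual edit shows whether the value is being written back while the Framework service is running.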