2 Replies Latest reply on Jan 19, 2010 8:44 AM by kjhurni

    Virtual Machine Protection -csrss.exe falsely shows up in access protection log

    kjhurni

      After applying patch 8, any pc with VSE 8.5i and patch 8 that also has vmware (workstation) on it, shows up in the access protection log as having:

       

      NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\csrss.exe

       

      listed as trying to terminal the virtual machine.

       

      1)  this is not true.  That process is not listed via any tool I can find as trying to terminate the virtual machine, yet VSE insists it is.

       

      2)  I CAN go into EPO and configure VSE to have this process "allowed", but I'm more concerned by the fact that it's falsely reporting erroneous conditions.

       

      3)  We have an inventory process (ZEN Asset Management--formerly the Tally Census product) that does a READ of the registry, yet VSE also thinks this process is trying to WRITE to the registry (procman does not support McAfee's conclusion of "writing").

       

      Again, I can configure EPO to allow these, but I'm more concerned with the fact that access protection is reporting things that are not true (reporting that crsrss.exe is trying to terminate something, when in fact, it is not, and reporting that our inventory scanner is trying to WRITE to the registry when it's doing a READ operation).