2 Replies Latest reply on Feb 12, 2010 3:59 PM by wwarren


      Hey everyone,

      I recently got an error in my AccessProtectionLog, which I was expecting... but upon opening up the log I noticed a month-old message...

      12/01/2010    20:29:42    Blocked by Access Protection rule     NT AUTHORITY\NETWORK SERVICE    C:\Windows\system32\taskeng.exe    C:\Windows\ehome\mcupdate.EXE    Common Standard Protection:Prevent termination of McAfee processes    Action blocked : Terminate


      I wondered if someone could tell me what that is, what could trigger it, and if it's normal... I've never seen anything like this before.


      I'm using Windows Vista 32-bit.



      Message was edited by: ksahunter on 08/02/10 08:07:15 CST



      Message was edited by: ksahunter on 08/02/10 10:28:15 CST

          I have found more information about it... Task Scheduler is taskeng.exe, and ehome/mcupdater.exe is the Windows Media Centre updater.


          Following some tests, I have found that the access protection log is trying to tell me that taskeng.exe was trying to terminate mcupdater.exe.



          Now, mcupdater.exe is also the McAfee update file name...



          So, would there be any reason for taskeng.exe to terminate mcupdater.exe (media center)? And why would McAfee stop that from happening?

          Does it get confused between the two mcupdater.exe's?


          Thanks again!

            In essence, yes, it's getting confused between the two.

            But technically it is not. The Windows Media Center process name is fortunate enough to benefit from our own access protection rule implementation.

            They are an exact match in process names, but it's close enough for the rule to match.


            You get the trigger because the TaskEng.exe process requested access to the Mcupdater.exe process with enough privileges to be able to terminate that process.

            Whether the TaskEng.exe process had intent to do so or not is indeterminate (usually not the case) but our rule doesn't make that distinction. We trigger based on the requesting process being capable of terminating.
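
For triaging entries like the one quoted in this thread, the following is an added example (not from the posters or from McAfee) that parses AccessProtectionLog lines and separates blocks whose target lies outside the product's own directories, which is the name-match case described above. It assumes fields are separated by tabs or runs of two or more spaces, as in the quoted line; the field names, the `ExampleAV` directory and the second log line are constructed placeholders.

```python
import ntpath
import re
from collections import namedtuple

# Field labels chosen for this example; the log itself has no header row.
Event = namedtuple("Event", "date time event user source target rule action")

# Line 1 is the entry quoted in the thread; line 2 is constructed for contrast.
SAMPLE_LOG = r"""
12/01/2010    20:29:42    Blocked by Access Protection rule     NT AUTHORITY\NETWORK SERVICE    C:\Windows\system32\taskeng.exe    C:\Windows\ehome\mcupdate.EXE    Common Standard Protection:Prevent termination of McAfee processes    Action blocked : Terminate
13/01/2010    09:15:03    Blocked by Access Protection rule     HOST\user    C:\Users\Public\tool.exe    C:\Program Files\ExampleAV\agent.exe    Common Standard Protection:Prevent termination of McAfee processes    Action blocked : Terminate
"""

# Hypothetical install directory: replace with the real product paths on your hosts.
VENDOR_DIRS = [r"C:\Program Files\ExampleAV" + "\\"]

RULE = "prevent termination of mcafee processes"


def parse_line(line):
    """Split one log line into an Event, or return None if it does not have 8 fields."""
    fields = re.split(r"\s*\t\s*|\s{2,}", line.strip())
    return Event(*fields) if len(fields) == 8 else None


def triage(event, vendor_dirs):
    """Classify a block. The rule fires on the access rights requested,
    so neither verdict proves the source process meant to kill the target."""
    if not event.rule.lower().endswith(RULE):
        return "other-rule"
    target = event.target.lower()
    if any(target.startswith(d.lower()) for d in vendor_dirs):
        return "protected-target"   # target really is in the product's directory
    return "name-match-only"        # rule matched on process name alone


def summarise(log_text, vendor_dirs):
    """Return (source process, target path, verdict) for every parsable line."""
    rows = []
    for line in log_text.splitlines():
        event = parse_line(line) if line.strip() else None
        if event:
            rows.append((ntpath.basename(event.source), event.target,
                         triage(event, vendor_dirs)))
    return rows


if __name__ == "__main__":
    for row in summarise(SAMPLE_LOG, VENDOR_DIRS):
        print(row)
```
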