1 Reply Latest reply on Mar 17, 2010 9:26 AM by PhilR

    Do you use the Prevent Windows Process Spoofing?


       

      This sounds like a good setting but does work seamlessly.

       

      Regards

        • 1. Re: Do you use the Prevent Windows Process Spoofing?
          PhilR

          See https://mysupport.mcafee.com/eservice/Article.aspx?id=KB68448

           

          Problem

          After installing VirusScan Enterprise (VSE) 8.7i Patch 3 and restarting your computer, the Windows desktop is not displayed with the Access Protection rule Standard Protection: Prevent Windows Process spoofing enabled.

           

          Windows Task Manager shows that Explorer.exe is not running.

          System Change

          Installed Patch 3 for VSE 8.7i and restarted computer.

          Cause

          The Access Protection rule Standard Protection: Prevent Windows Process spoofing is enabled and configured to Block. The issue is caused by changes to vscan.bof, a content file for Access Protection rules and buffer overflow protection.

           

          This issue has been reported for the Explorer.exe process. Other Windows processes are not affected.

          Solution

           

          This issue is resolved by an updated vscan.bof content file on the McAfee Common Updater site. This updated file will be automatically downloaded and applied to all VSE systems (regardless of patch level) in the same way as daily DAT files.

           

          This means Patch 3 can be applied and systems will never encounter the issue.

           

          The updated package is also attached to this article.

           

          NOTE: This content file is also used by VirusScan Enterprise 8.5i. After the update, both VSE 8.7i and 8.5i will report version 480 for the Buffer Overflow and Access Protection DAT Version.

          Workaround

          Disable the Access Protection rule.
          NOTE: Because Explorer.exe is not running, there is no Start button or VirusScan Enterprise (VSE) icon in the system tray.

          To open the VirusScan Console

          1. Press CTRL+ALT+DEL.
          2. Click Task Manager, File, New Task (Run...).
          3. Navigate to C:\Program Files\McAfee\VirusScan Enterprise\mcconsol.exe.
          4. Click OK.
          5. Right-click Access Protection and select Properties.
          6. Select Anti-virus Standard Protection.
          7. Select Prevent Windows Process spoofing and deselect the Block option.

            NOTE: Optionally, you can deselect Report to completely disable the rule.
          8. Click OK.

          Related Information

          If you log into your system quickly, you might not encounter this issue, even when the rule to block spoofing of Windows processes is enabled. This is because Explorer.exe is running before the Access Protection Rule takes effect.