17 Replies Latest reply on Apr 12, 2010 4:21 AM by Minkus

    Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

      Afternoon all,

      I wonder if anyone else has seen Outlook being blocked from creating / deleting keys in HKLM\SOFTWARE\McAfee\AVEngine? We're running 8.5i Patch 5 (I know that's outdated) managed by ePO 4.0 and this behaviour only started occurring this morning. It's affecting a couple of machines, running both 2003 and 2007 versions of Outlook, both on WinXP.

      Any ideas?

       

      Cheers,

      Keith

       

      17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
      17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
      17/03/2010 08:33:39 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
      17/03/2010 08:33:40 Blocked by Access Protection rule  ch\nwatts C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

       

      17/03/2010 09:05:54 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
      17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
      17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
      17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
      17/03/2010 09:05:55 Blocked by Access Protection rule  CH\rdodson C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
        • 1. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine
          Minkus

          Same issue here. VirusScan 8.5i Patch 8, managed by ePO 4.0, running Outlook 2003 on XP SP3.

           

          Started doing it this morning across the network. I'm ignoring it at the moment but hope it doesn't carry on doing it every day!

           

          17/03/2010 10:04:30 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
          17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
          17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
          17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
          17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
          17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
          17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
          17/03/2010 10:04:31 Blocked by Access Protection rule  ADMIN\Chris C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

          • 2. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

            I'm seeing the same thing each time I open Outlook.  Same versions of Outlook and McAfee.

             

            Started on the evening of March 16th.

            • 3. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

              See same for many users. Same start date.

              • 4. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

                See the same behavior here on several machines

                • 5. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

                  See other thread on same topic: http://community.mcafee.com/message/120290

                  • 6. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine
                    maziz

                    Hello Everyone

                     

                    Just to give you all some assurance here as to what is happening.

                     

                    McAfee is aware of this behaviour occurring on machines running VirusScan 8.5 primarily. This issue seems to have occurred when a new Buffer Overflow DAT was released on the 16th March 2010 which was version 480.

                     

                    I can assure you all that this issue is being investigated by McAfee seniors and should be fixed with a new BOC DAT update. This is most likely to be version 491 and should be released soon.

                     

                    In the meantime, a workaround would be to add Outlook.exe as an exclusion in the rule of Access Protection that is being triggered.

                     

                    Hope this helps.

                    • 7. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine

                      Hello,

                       

                      About the same problem here, not from Outlook.exe but from EngineServer.exe. We have 8.7 Patch 1 on W2K3 Server x64. Also started on March 17th 2010.

                       

                      Is there any release date for the BOC update?

                       

                      23-3-2010 8:30:51 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScanEnterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

                      23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

                      23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

                      23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create

                      23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

                      23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
                      23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
                      23-3-2010 8:30:52 Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\EngineServer.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

                       

                       

                      on 3/23/10 9:37:25 AM CDT
                      • 8. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine
                        Minkus

                        Hi,


                        We are also seeing the issue, not just on Outlook.exe, but occasionally with naPrdMgr.exe as well:

                         

                        26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
                        26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
                        26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
                        26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create
                        26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
                        26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
                        26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
                        26/03/2010 07:29:37 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
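
One way to check which processes are tripping the rule before adding the exclusion suggested earlier in the thread, as an added example that is not part of any post here: it parses Access Protection log lines in the format posted above and separates the processes already reported in this thread from anything else. The sample lines, placeholder users, `unknown.exe` and the function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from ntpath import basename  # splits backslash paths correctly on any OS

RULE = "Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings"
KEY = r"\REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine"
# Processes reported in this thread as tripping the rule after the content update.
EXPECTED = {"outlook.exe", "engineserver.exe", "naprdmgr.exe"}
# Constructed sample lines in the thread's log format; users and unknown.exe are placeholders.
SAMPLE = [
    rf"17/03/2010 08:33:39 Blocked by Access Protection rule  EXAMPLE\user1 C:\PROGRA~1\MICROS~4\Office12\OUTLOOK.EXE {KEY}\EngineVersionMajor {RULE} Action blocked : Create",
    rf"17/03/2010 10:04:31 Blocked by Access Protection rule  EXAMPLE\user2 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE {KEY}\TrjDatVersion {RULE} Action blocked : Delete",
    rf"26/03/2010 07:29:36 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\McAfee\Common Framework\naPrdMgr.exe {KEY}\AVDatVersion {RULE} Action blocked : Create",
    rf"26/03/2010 07:31:02 Blocked by Access Protection rule  EXAMPLE\user1 C:\Temp\unknown.exe {KEY}\AVDatDate {RULE} Action blocked : Create",
    "26/03/2010 07:31:05 Blocked by Access Protection rule  (truncated line)",
]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+Blocked by Access Protection rule\s+"
    r"(?P<user>.+?)\s+(?P<proc>[A-Za-z]:\\.+?\.exe)\s+"   # user and path may contain spaces
    r"(?P<target>\\REGISTRY\\\S+)\s+(?P<rule>.+?)\s+"
    r"Action blocked : (?P<action>\w+)\s*$",
    re.IGNORECASE,
)

def summarize(lines):
    """Group blocked events by (process name, rule); return (summary, unparsed lines)."""
    summary = defaultdict(lambda: {"users": set(), "values": set(), "actions": Counter()})
    unparsed = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed.append(line)  # keep for manual review rather than dropping silently
            continue
        entry = summary[(basename(m["proc"]).lower(), m["rule"])]
        entry["users"].add(m["user"])
        entry["values"].add(basename(m["target"]))  # registry value name under AVEngine
        entry["actions"][m["action"]] += 1
    return dict(summary), unparsed

def review_before_excluding(summary, expected=EXPECTED):
    """Return (processes already expected to hit the rule, processes needing investigation)."""
    seen = {proc for proc, _rule in summary}
    return sorted(seen & expected), sorted(seen - expected)

if __name__ == "__main__":
    summary, unparsed = summarize(SAMPLE)
    known, investigate = review_before_excluding(summary)
    print("known:", known, "investigate:", investigate, "unparsed:", len(unparsed))
```

Only the processes in the first list are candidates for the rule exclusion; anything in the second list keeps being blocked and gets looked at separately.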

                        • 9. Re: Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine
                          wwarren

                          A new vscan.bof content update package is expected to be available today.

                          It will resolve this issue.

                           

                          I still have the hose running just in case the team needs a fresh soaking for messing with this file.

                          Our process has been to always include the latest build of vscan.bof with patch releases (the content had not been changing, though was getting rebuilt). However, that process has since changed to ensure no surprises in future.

                          I haven't caught up on all the threads - it's been about 3 weeks since I could revisit these forums but I'm sure there have been some choice discussions about this.
