3020 Views 4 Replies Latest reply: Apr 11, 2013 2:31 AM by simonp RSS
RRMX Newcomer 25 posts since
Jan 7, 2011

Jan 26, 2011 2:38 PM

VsTskMgr.exe triggering Access Protection rule

I was exploring our Access Protection events today and noticed that there are hundreds, if not thousands of events generated by VsTskMgr.exe trying to modify registry keys related to VirusScan. Here is a sample:

 

1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Minor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete

 

Is it good practice to exclude VsTskMgr.exe from this rule? Or is there something wrong and a hotfix or newer patch fixes it? I am not sure what causes it so I can't re-create it... but several of our workstations get the error. Looks like there are some creates and deletes in the registry that are attempting to take place.

 

We are running XP SP3 with VSE 8.7 P3 w/ AntiSpyware. We also run HIP 7.0.0.1159 (Patch 6) and Agent 4.0.0.1494.

 

I found a similar thread on this but it didn't seem to offer any results from what I could tell: https://community.mcafee.com/thread/22964

 

Thanks for any insight on this.
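
An added example, not part of the original post and not McAfee tooling: a Python sketch that parses Access Protection log lines in the format shown above and groups blocked events by process and rule, flagging blocks raised against binaries in VirusScan's own install directory. The field names, the column-splitting rule and the last two sample lines are assumptions made for this example.

```python
import re
from collections import Counter

# Assumed labels for the eight columns seen in the post's sample lines.
FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")
# Install directory as it appears in the post's log lines (lower-cased for comparison).
VSE_DIR = "c:\\program files\\mcafee\\virusscan enterprise\\"

# First three lines are copied from the post; the last two are constructed
# (a non-McAfee process and a truncated line) to exercise the other code paths.
SAMPLE = r"""
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:14:02 AM     Blocked by Access Protection rule      EXAMPLE\user     C:\Temp\example.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:14:05 AM     Blocked by Access Protection rule
""".strip().splitlines()

def parse_line(line):
    """Split one log line on tabs or runs of 2+ spaces; return None if malformed."""
    parts = [p.strip() for p in re.split(r"\s{2,}|\t", line.strip()) if p.strip()]
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["action"] = rec["action"].split(":", 1)[-1].strip()  # "Action blocked : Delete" -> "Delete"
    return rec

def summarize(lines):
    """Group events by (process, rule); self_block marks VSE blocking its own binary."""
    groups, skipped = {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        g = groups.setdefault((rec["process"], rec["rule"]), {
            "count": 0, "actions": Counter(), "keys": set(),
            "self_block": rec["process"].lower().startswith(VSE_DIR)})
        g["count"] += 1
        g["actions"][rec["action"]] += 1
        g["keys"].add(rec["target"].rsplit("\\", 1)[-1])  # registry value name only
    return groups, skipped

if __name__ == "__main__":
    groups, skipped = summarize(SAMPLE)
    for (proc, rule), g in groups.items():
        print(proc, "| self_block:", g["self_block"], "|", dict(g["actions"]), sorted(g["keys"]))
    print("unparsed lines:", skipped)
```

A per-host summary like this shows whether the blocks come only from VirusScan's own processes, which is useful to have before scoping an exclusion or opening a support case.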

  • wwarren McAfee SME 778 posts since
    Nov 3, 2009
    2. Feb 3, 2011 4:46 PM (in response to RRMX)
    Re: VsTskMgr.exe triggering Access Protection rule

    The events should not be occurring.

    Vstskmgr.exe is a process that periodically will touch registry keys as indicated by the AP rule violation. However, it utilizes a code routine to ensure its activities are "trusted".

    For whatever reason, vstskmgr is going "untrusted" and so its activities breach the AP rule.

     

    As to why it might be untrusted...

    It may be a HIPS content issue - make sure you're up-to-date.

    If the issue is reproducible, report the behavior to McAfee Support - we'd love to figure out what the steps are to reproduce the issue, find root cause and get it addressed.

     

    An exclusion would work around the problem and may be an acceptable resolution for many, but it's still just a workaround.

  • joeleisenlipz Champion 194 posts since
    Oct 18, 2010
    3. Feb 16, 2011 7:16 AM (in response to wwarren)
    Re: VsTskMgr.exe triggering Access Protection rule

    I worked with a company that used another security product to force a revocation check for everything. The end result was that when systems could not verify the validity of the code signing, then the various components would not trust each other. In our case, the hot button issue was (as always) the McTray icon--but there were other components that behaved awkwardly as well.

  • simonp Newcomer 32 posts since
    May 28, 2012
    4. Apr 11, 2013 2:31 AM (in response to RRMX)
    Re: VsTskMgr.exe triggering Access Protection rule

    Hi RRMX, I just want to find out if you have resolved this issue?
