4 Replies Latest reply: Apr 11, 2013 2:31 AM by simonp

    VsTskMgr.exe triggering Access Protection rule

    RRMX

      I was exploring our Access Protection events today and noticed that there are hundreds, if not thousands, of events generated by VsTskMgr.exe trying to modify registry keys related to VirusScan. Here is a sample:

       

      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Minor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersionMinor     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
      1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDateSys     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
      

       

      Is it good practice to exclude VsTskMgr.exe from this rule? Or is there something wrong and a hotfix or newer patch fixes it? I am not sure what causes it so I can't re-create it... but several of our workstations get the error. Looks like there are some creates and deletes in the registry that are attempting to take place.

       

      We are running XP SP3 with VSE 8.7 P3 w/ AntiSpyware. We also run HIP 7.0.0.1159 (Patch 6) and Agent 4.0.0.1494.

       

      I found a similar thread on this but it didn't seem to offer any results from what I could tell: https://community.mcafee.com/thread/22964

       

      Thanks for any insight on this.
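
One way to triage events like those quoted in the post before deciding on any exclusion, as an added example that is not part of the original post or of McAfee's tooling: it parses lines in the layout shown above and groups them by process image and rule. The field names, the assumption that fields are separated by tabs or runs of two or more spaces, and the `example.exe` line are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: three lines in the layout quoted in the post, plus one
# made-up line (example.exe) to show how a different process stands out.
SAMPLE = r"""
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\ExtraDatItem     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Delete
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersion32Major     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:13:41 AM     Blocked by Access Protection rule      NT AUTHORITY\SYSTEM     C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
1/25/2011     9:14:02 AM     Blocked by Access Protection rule      EXAMPLE\user     C:\Temp\example.exe     \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion     Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings     Action blocked : Create
"""

FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")

def parse_line(line):
    """Split one log line into named fields; return None if it does not fit."""
    parts = re.split(r"\s{2,}|\t", line.strip())
    if len(parts) != len(FIELDS):
        return None  # blank line, header, or some other log format
    ev = dict(zip(FIELDS, parts))
    ev["when"] = datetime.strptime(ev["date"] + " " + ev["time"],
                                   "%m/%d/%Y %I:%M:%S %p")
    ev["action"] = ev["action"].split(":", 1)[-1].strip()    # "Delete" / "Create"
    ev["image"] = ev["process"].rsplit("\\", 1)[-1].lower()  # file name only
    return ev

def summarize(text):
    """Group blocked events by (process image, rule) for review."""
    groups = {}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        g = groups.setdefault((ev["image"], ev["rule"]),
                              {"count": 0, "actions": Counter(),
                               "targets": set(), "paths": set()})
        g["count"] += 1
        g["actions"][ev["action"]] += 1
        g["targets"].add(ev["target"])  # which registry values were touched
        g["paths"].add(ev["process"])   # full path(s) the image ran from
    return groups

if __name__ == "__main__":
    for (image, rule), g in summarize(SAMPLE).items():
        print(image, g["count"], dict(g["actions"]), sorted(g["paths"]))
```

Grouping by image and full path shows which processes, and from which locations, are actually hitting the rule, which is the information needed to judge how narrow an exclusion would have to be.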