8901 Views 8 Replies Latest reply: Nov 14, 2012 10:49 AM by jamesatdillon RSS
joel Newcomer 2 posts since
Feb 28, 2011

Feb 28, 2011 11:49 AM

McAfee 8.8 and Windows System Resource Manager

We have recently deployed McAfee 8.8 in our production terminal server 2003 and our 2008R2 environment.  Since then we have noticed that our Access Protection Log is filling with the following messages on both 2003 and 2008R2:

 

2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\MCUPDATE.EXE Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/27/2011 6:32:08 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/27/2011 10:00:09 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 2:19:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 9:10:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 9:23:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 9:23:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 10:00:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 10:00:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 10:03:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

2/28/2011 11:32:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

We have not changed the configuration of WSRM since deployment of 8.8 and we did not have this issue before.  We currently have WSRM set to use the default “Equal Per Session” policy, so it should not kill any process, just deprioritize them if they eat up too much of the CPU.  Has anyone else seen this issue or can offer any insight?  If it helps any we are using EPO 4.5.

  • wwarren McAfee SME 778 posts since
    Nov 3, 2009
    1. Feb 28, 2011 1:03 PM (in response to joel)
    McAfee 8.8 and Windows System Resource Manager

    Do you trust this WSRM.exe process?

     

    If so, exclude it from the AP rule.

  • HerbSmith Apprentice 92 posts since
    Dec 9, 2009
    2. Jun 27, 2012 1:59 PM (in response to wwarren)
    Re: McAfee 8.8 and Windows System Resource Manager

    I am seeing a very similar problem, but it is with SCCM (formerly SMS).  Every time the SMS Agent HOST service starts we see a string of Access Protection messages about it being blocked from shutting down various McAfee processes.

    1)  This did not happen in VSE 8.5 and VSE 8.7

    2)  There is no evidence that I can find that shows this service is actually trying to shut down anything.

    3)  No, I do NOT want to trust any part of SMS to shut down McAfee services.  And I certainly do not want to allow it the ability to shut things down just to avoid a FALSE positive message.

     

    I understand that Access Protection was completely rewritten for VSE 8.8.   That they now have a hair trigger for anything coming anywhere near their services.

    Thanks

     

    Message was edited by: HerbSmith on 6/27/12 1:59:53 PM CDT
  • zn Apprentice 150 posts since
    Oct 2, 2006
    3. Jan 18, 2012 4:17 AM (in response to joel)
    Re: McAfee 8.8 and Windows System Resource Manager

    Any fix for this?  I've excluded the McAfee processes from WSRM and WSRM from the McAfee Access Protection Rules but it still triggers in the log

  • alobato Newcomer 8 posts since
    Jun 27, 2012
    5. Jun 27, 2012 12:38 PM (in response to zn)
    Re: McAfee 8.8 and Windows System Resource Manager

    McAfee posted this KB in relation to these types of issues. I was seeing it with the SCCM process (CcmExec.exe) and read this KB. I also checked with our Microsoft TAM and this is what he said: "...Ccmexec.exe should never terminate anything.  Software metering is simply reading the file information."

     

    https://kc.mcafee.com/corporate/index?page=content&id=KB71970&actp=LIST_RECENT

     

    Message was edited by: alobato on 6/27/12 12:38:48 PM CDT
  • HerbSmith Apprentice 92 posts since
    Dec 9, 2009
    6. Jun 27, 2012 1:58 PM (in response to alobato)
    Re: McAfee 8.8 and Windows System Resource Manager

    You are correct on your comments.  But they are not complete.

     

    CCMEXEC also is the process that launches the install packages that SCCM delivers to the local machines.   In our Access Protection rules that block install.exe, setup.exe and similar I have to have exceptions for CCMEXEC.EXE.   This is where my concerns start.   The install packages can have anything the SCCM staff wants to put in them.  This would include shutting down McAfee products because "it makes the install go quicker".   I also hate to rely on CCMEXEC not being exploitable by the bad guys.  I do not like leaving the door open for this even a little bit.  But because of the way CCMExec plays with the self protection rules I have little choice.   The alternative is to have hundreds of thousands of alerts for CCMEXEC.exe attempting to terminate McAfee processes.

     

    Bottom line for me is that this "improvement" in the self protection methodology has actually resulted in less protection rather than more.   I am sure McAfee could revise their code to deal with situations like this.

     

    Thanks

     

    Herb Smith

  • alobato Newcomer 8 posts since
    Jun 27, 2012
    7. Jun 27, 2012 5:19 PM (in response to HerbSmith)
    Re: McAfee 8.8 and Windows System Resource Manager

    I whole-heartedly agree and that is why I decided to filter these events from the EPO Alert and Event logs/reports instead of applying the exclusions in the Access Protection policies.

     

    Thanks Herb.

     

    Anthony

  • jamesatdillon Newcomer 1 posts since
    Nov 14, 2012
    8. Nov 14, 2012 10:49 AM (in response to joel)
    Re: McAfee 8.8 and Windows System Resource Manager

    We experienced a similar issue after updating from 8.7 to 8.8, and it was actually preventing us from deploying a policy from ePolicy Orchestrator to change another issue.  (McAfee was interpreting reports being e-mailed from our reporting server as a spamming worm.) 

     

    Apparently, McAfee was using wsrm.exe in some fashion when deploying a policy, and when wsrm.exe attempted to close McAfee to deploy the policy, the rule in Common Standard Protection to prevent the termination of McAfee processes was preventing it; a real catch 22.  We ended up logging in to the affected server as administrator, disabling the Access Protection from the console, using the 5-minute interval before McAfee turned it back on to deploy a policy allowing McAfee processes to be turned off, and also installing the policy we needed.  At that point, we could re-deploy the policy not to terminate McAfee, closing the door we had opened long enough to deploy the policy we needed.

     

    I still expect that we will see the messages in the Access Protection log after turning the policy back on.
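
An added example, not part of any post in this thread and not McAfee code: a Python triage of Access Protection log lines in the layout quoted in the first post, grouping blocks by source process and applying the reporting-side filter described in reply 7 while the rule itself stays enforced. The function names, the `quiet_sources` parameter and the last sample line are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field order as it appears in the log lines quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+Blocked by Access Protection rule\s+"
    r"(?P<user>.+?)\s+(?P<source>[A-Z]:\\.+?\.exe)\s+(?P<target>[A-Z]:\\.+?\.exe)\s+"
    r"(?P<rule>.+?)\s+Action blocked : (?P<action>\w+)$",
    re.IGNORECASE)

# First three lines are copied from the first post; the fourth is constructed.
SAMPLE_LOG = r"""
2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\MCUPDATE.EXE Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/28/2011 9:10:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/28/2011 9:23:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/28/2011 9:30:00 AM Blocked by Access Protection rule  EXAMPLE\user1 C:\Temp\example.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
"""

def parse(text):
    """Return one dict per recognised Access Protection block event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def summarise(events):
    """Group by (source process, rule): event count and distinct target names."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for ev in events:
        g = groups[(ev["source"].lower(), ev["rule"])]
        g["count"] += 1
        g["targets"].add(ev["target"].rsplit("\\", 1)[-1].lower())
    return dict(groups)

def split_for_report(events, quiet_sources):
    """Reporting-side filter only: returns (dropped from report, kept for review)."""
    quiet = {s.lower() for s in quiet_sources}
    noisy = [e for e in events if e["source"].lower() in quiet]
    review = [e for e in events if e["source"].lower() not in quiet]
    return noisy, review

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(summarise(evs), split_for_report(evs, [r"C:\Windows\system32\wsrm.exe"])[1])
```

Matching on the full source path rather than the bare file name keeps a same-named binary in another directory in the review list.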
