8 Replies Latest reply: Nov 14, 2012 10:49 AM by jamesatdillon

    McAfee 8.8 and Windows System Resource Manager

    joel

      We have recently deployed McAfee 8.8 in our production terminal server 2003 and our 2008R2 environment.  Since then we have noticed that our Access Protection Log is filling with the following messages on both 2003 and 2008R2:

       

      2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\MCUPDATE.EXE Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/27/2011 6:32:08 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/27/2011 10:00:09 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 2:19:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 9:10:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 9:23:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 9:23:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 10:00:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 10:00:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 10:03:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      2/28/2011 11:32:25 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      We have not changed the configuration of WSRM since deployment of 8.8 and we did not have this issue before.  We currently have WSRM set to use the default “Equal Per Session” policy, so it should not kill any process, just deprioritize them if they eat up too much of the CPU.  Has anyone else seen this issue or can offer any insight?  If it helps any, we are using EPO 4.5.

        • 1. McAfee 8.8 and Windows System Resource Manager
          wwarren

          Do you trust this WSRM.exe process?

           

          If so, exclude it from the AP rule.

          • 2. Re: McAfee 8.8 and Windows System Resource Manager
            HerbSmith

            I am seeing a very similar problem, but it is with SCCM (formerly SMS).  Every time the SMS Agent HOST service starts we see a string of Access Protection messages about it being blocked from shutting down various McAfee processes.

            1)  This did not happen in VSE 8.5 and VSE 8.7

            2)  There is no evidence that I can find that shows this service is actually trying to shut down anything.

            3)  No, I do NOT want to trust any part of SMS to shut down McAfee services.  And I certainly do not want to allow it the ability to shut things down just to avoid a FALSE positive message.

             

            I understand that Access Protection was completely rewritten for VSE 8.8, and that they now have a hair trigger for anything coming anywhere near their services.

             

            Thanks

             

            Message was edited by: HerbSmith on 6/27/12 1:59:53 PM CDT
            • 3. Re: McAfee 8.8 and Windows System Resource Manager
              zn

              Any fix for this?  I've excluded the McAfee processes from WSRM and WSRM from the McAfee Access Protection Rules but it still triggers in the log.

              • 4. Re: McAfee 8.8 and Windows System Resource Manager
                joel

                This is no longer an issue for us since we switched to Symantec a few months ago and it works much better for us.

                • 5. Re: McAfee 8.8 and Windows System Resource Manager
                  alobato

                  McAfee posted this KB in relation to these types of issues. I was seeing it with the SCCM process (CcmExec.exe) and read this KB. I also checked with our Microsoft TAM and this is what he said: "...Ccmexec.exe should never terminate anything.  Software metering is simply reading the file information."

                   

                  https://kc.mcafee.com/corporate/index?page=content&id=KB71970&actp=LIST_RECENT

                   

                  Message was edited by: alobato on 6/27/12 12:38:48 PM CDT
                  • 6. Re: McAfee 8.8 and Windows System Resource Manager
                    HerbSmith

                    You are correct on your comments.  But they are not complete.

                     

                    CCMEXEC also is the process that launches the install packages that SCCM delivers to the local machines.   In our Access Protection rules that block install.exe, setup.exe and similar I have to have exceptions for CCMEXEC.EXE.   This is where my concerns start.   The install packages can have anything the SCCM staff wants to put in them.  This would include shutting down McAfee products because "it makes the install go quicker".   I also hate to rely on CCMEXEC not being exploitable by the bad guys.  I do not like leaving the door open for this even a little bit.  But because of the way CCMExec plays with the self protection rules I have little choice.   The alternative is to have hundreds of thousands of alerts for CCMEXEC.exe attempting to terminate McAfee processes.

                     

                    Bottom line for me is that this "improvement" in the self protection methodology has actually resulted in less protection rather than more.   I am sure McAfee could revise their code to deal with situations like this.

                     

                    Thanks

                     

                    Herb Smith

                    • 7. Re: McAfee 8.8 and Windows System Resource Manager
                      alobato

                      I whole-heartedly agree and that is why I decided to filter these events from the EPO Alert and Event logs/reports instead of applying the exclusions in the Access Protection policies.

                       

                      Thanks Herb.

                       

                      Anthony

                      • 8. Re: McAfee 8.8 and Windows System Resource Manager
                        jamesatdillon

                        We experienced a similar issue after updating from 8.7 to 8.8, and it was actually preventing us from deploying a policy from ePolicy Orchestrator to change another issue.  (McAfee was interpreting reports being e-mailed from our reporting server as a spamming worm.) 

                         

                        Apparently, McAfee was using wsrm.exe in some fashion when deploying a policy, and when wsrm.exe attempted to close McAfee to deploy the policy, the rule in Common Standard Protection to prevent the termination of McAfee processes was preventing it; a real Catch-22.  We ended up logging in to the affected server as administrator, disabling the Access Protection from the console, using the 5-minute interval before McAfee turned it back on to deploy a policy allowing McAfee processes to be turned off, and also installing the policy we needed.  At that point, we could re-deploy the policy not to terminate McAfee, closing the door we had opened long enough to deploy the policy we needed.

                         

                        I still expect that we will see the messages in the Access Protection log after turning the policy back on.
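
Added example (not part of any post in this thread and not McAfee code): a small Python triage of Access Protection log lines that follows the approach described in reply 7, hiding reviewed source/rule pairs at the reporting stage while leaving the self-protection rule enforced, so a termination attempt from any other process still surfaces. The field layout is inferred from the log lines quoted in the first post; `REVIEWED_NOISE`, `helper.exe` and `EXAMPLE\jdoe` are hypothetical, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout inferred from the log lines quoted in the thread (assumption, not a vendor spec).
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Blocked by Access Protection rule\s+(?P<user>.+?)\s+"
    r"(?P<source>[A-Z]:\\.+?\.exe)\s+(?P<target>[A-Z]:\\.+?\.exe)\s+"
    r"(?P<rule>.+?)\s+Action blocked : (?P<action>\w+)\s*$",
    re.IGNORECASE,
)
RULE = "Common Standard Protection:Prevent termination of McAfee processes"
# (source, rule) pairs already reviewed and hidden in reporting only (hypothetical list).
REVIEWED_NOISE = {(r"c:\windows\system32\wsrm.exe", RULE)}

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # line does not fit the inferred layout
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m/%d/%Y %I:%M:%S %p")
    return ev

def triage(lines):
    """Count reviewed noise per pair; return everything else for an analyst."""
    noise = defaultdict(lambda: {"count": 0, "targets": set()})
    surface, unparsed = [], []
    for line in filter(str.strip, lines):
        ev = parse(line)
        key = (ev["source"].lower(), ev["rule"]) if ev else None
        if ev is None:
            unparsed.append(line)  # keep unreadable lines visible, never drop them
        elif key in REVIEWED_NOISE:
            noise[key]["count"] += 1
            noise[key]["targets"].add(ev["target"].rsplit("\\", 1)[-1].lower())
        else:
            surface.append(ev)
    return dict(noise), surface, unparsed

# Constructed sample in the thread's format; helper.exe and EXAMPLE\jdoe are made up.
SAMPLE = r"""
2/27/2011 5:09:07 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\MCUPDATE.EXE Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/28/2011 9:10:09 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\wsrm.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/28/2011 9:41:02 AM Blocked by Access Protection rule  EXAMPLE\jdoe C:\Users\Public\helper.exe C:\Program Files (x86)\McAfee\Common Framework\McTray.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/28/2011 9:42:00 AM Blocked by Access Pro
""".splitlines()

if __name__ == "__main__":
    noise, surface, unparsed = triage(SAMPLE)
    print(noise, [e["source"] for e in surface], len(unparsed), sep="\n")
```

Because the suppression list is keyed on the full source path and the exact rule name, the same executable name run from another location, or the same process tripping a different rule, is not hidden.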