3 Replies Latest reply on Apr 7, 2011 8:30 AM by paul_psmith

    Access Protection blocks Mcafee agent registry key

      So I have been working on a VB script to check some things out as part of a logon script all users will run. This script will check to see if the the MA is installed, if the service is running, if the correct ePO servers are defined (we have 3 for different business units), if the Mcshield service is installed and runnning.


      If any of these are not true on logon, a new agent will get installed on the PC.


      My script works ok on my W7 pc, but on an XP PC, it gets stopped when i try to see if the MA service is running. This happens with VSE 8.7 or 8.8. But only on XP.


      I can make it work on the XP pc if I disable the "Prevent Mcafee Services from being stopped" tick box in the Access Protection policy. But I don't get any info in the logs as to what might be causing this.


      As far as i know, I am not attempting to stop the services, just to query the status.


      I'm not a big VB guru. i mostly borrow others work and force it to do my bidding.  Anybody have an idea for me? I'm not wedded to this code and as I said, I am not a VB guru. Just a cut and paste and make it work guy.


      the error I get is misleading too. "Active Directory: General access denied error"


      Here is the code where it fails on me. (I added the > signs.) the exact spot is at "IF aService.Status = 4 THEN"



      Set oShell = CreateObject("WScript.Shell")

      Set oProcEnv = oShell.Environment("PROCESS")


      Set objComputer = GetObject("WinNT://,computer")

      objComputer.Filter = Array("McAfeeFramework")


      Set objShell = Wscript.CreateObject("Wscript.Shell")


      strServiceName = "McAfeeFramework"


      For Each aService In objComputer

      IF LCase(strServiceName) = LCase(aService.Name) THEN

        IF aService.Status = 4 THEN

          MAsvcRun= "1"


                 MAsvcRun= "0"

        END IF

      END IF




      Message was edited by: paul_psmith on 4/6/11 2:39:26 PM CDT
        • 1. Re: Access Protection blocks Mcafee agent registry key

          Hmmmmm...I turned up Windows auditing and now get this in the event log. MS says apply latest SP, but i am running SP3 and have all updates...



          Event Type:    Failure Audit

          Event Source:    Security

          Event Category:    Object Access

          Event ID:    560

          Date:        4/6/2011

          Time:        2:43:04 PM

          User:       userdomain\userid

          Computer:   COMPUTERNAME


          Object Open:

               Object Server:    SC Manager

               Object Type:    SERVICE OBJECT

               Object Name:    McAfeeFramework

               Handle ID:    -

               Operation ID:    {0,6921152}

               Process ID:    1204

               Image File Name:    C:\WINDOWS\system32\services.exe

               Primary User Name:    COMPUTERNAME

               Primary Domain:    DOMAIN

               Primary Logon ID:    (0x0,0x3E7)

               Client User Name:    userid

               Client Domain:    DOMAIN

               Client Logon ID:    (0x0,0x1C7B95)

               Accesses:        READ_CONTROL

                      Start the service

                      Stop the service

                      Pause or continue the service

                      Query information from service

                      Issue service-specific control commands


               Privileges:        -

               Restricted Sid Count: 0



          For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

          • 2. Re: Access Protection blocks Mcafee agent registry key

            You could try to disable the access protection rule "prevent execution of scripts from temp folder" and "prevent modification of McAfee files and settings"

            • 3. Re: Access Protection blocks Mcafee agent registry key

              No. I even put a policy in place that didn't block anything but would report on everything, and still did not work. The only way to fix it is to either disabel acceee protection altogether or untick the box to keep mcafee services safe.