5 Replies Latest reply on Jun 20, 2008 3:47 AM by tonyb99

    Access Protection: Modification of McAfee Files

      Since setting up an alert for the Access Protection rule that “Prevent modification of McAfee files and settings”, I've been getting a lot of them, mainly from registry cleaner programs. Also from Ad-Aware.

      This leads me to ask, what exactly sets off this rule? Is it actual changes of files and registry settings or just "reading" them? Seems hard to believe that these programs are changing anything since McAfee is running just fine on those computers.

      I don't think any of these products are doing any harm, but I'm not sure what exactly they are doing.

      If someone can shed some light on this rule, it would be greatly appreciated so I can either block these programs or set up exceptions.

      Thanks!
        • 1. RE: Access Protection: Modification of McAfee Files
          twenden
          We are also seeing similar events. Below is an example of one for us:

          Date Time Local Date Time Rule Name Process Name
          6/16/2008 12:00:11 AM 6/15/2008 7:00:11 PM Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings C:\Program Files\Norton Security Scan\Nss.exe
          6/16/2008 12:00:12 AM 6/15/2008 7:00:12 PM Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings C:\Program Files\Norton Security Scan\Nss.exe
          6/16/2008 12:00:12 AM 6/15/2008 7:00:12 PM Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings C:\Program Files\Norton Security Scan\Nss.exe
          6/16/2008 12:00:12 AM 6/15/2008 7:00:12 PM Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings C:\Program Files\Norton Security Scan\Nss.exe
          6/16/2008 12:00:13 AM 6/15/2008 7:00:13 PM Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings C:\Program Files\Norton Security Scan\Nss.exe

          Date Time Local Date Time Rule Name Process Name
          6/16/2008 5:26:52 PM 6/16/2008 12:26:52 PM Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings C:\WINDOWS\system32\cleanmgr.exe
          6/16/2008 5:26:52 PM 6/16/2008 12:26:52 PM Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings C:\WINDOWS\system32\cleanmgr.exe
          • 2. RE: Access Protection: Modification of McAfee Files
            tonyb99
            Just about every managment tool know to mankind seems to trigger this rule, including all the updates to mcafee itself.

            I just log to the local machine but dont report or block.

            You could spend your life trying to make sense of logging from this rule.
            • 3. RE: Access Protection: Modification of McAfee Files
              twenden
              Thanks for the information.

              I noticed that the main programs that trigger the rule, in our environment, is cleanmgr.exe, fixccs.exe (both Microsoft programs) and nss.exe (norton standalone scanner). I decided to just add these to the exclusion list.
              • 4. RE: Access Protection: Modification of McAfee Files
                It would still be nice to know what exactly sets off the rule. I really *like* the purpose of it. I've caught a few people messing with stuff via Explorer.

                But I don't want to setup an exception for everything.
                • 5. RE: Access Protection: Modification of McAfee Files
                  tonyb99
                  Ive never found a full definition of what it entails, has anyone asked for this in the past from support and got something written down?

                  If not just log a case through the support portal asking for the information