2 Replies Latest reply on Nov 17, 2011 8:06 AM by twenden

    Access Protection Block Alert when upgrading from VSE 8.7i to VSE 8.8i via ePO

    twenden

      I have started testing the upgrade from VSE 8.7i to VSE 8.8i (patch 1 bundle) via ePO 4.6. We have a total of 4 systems that we use to test McAfee software. Two systems are XP, one Vista and one Windows 7. I noticed that both the Vista & Windows 7 systems displayed a red status under the agent "View Security Status" option. It was referring to Access Protection rule "Common Standard Protection:Prevent termination of McAfee processes". It appears that during the upgrade, the Microsoft installer msiexec.exe was triggering this Access Protection rule. The problem does not appear on the XP systems. The Vista & Windows 7 systems did upgrade to VSE 8.8i and don't show any obvious problems.

       

      Below is what was being reported. Has anyone else seen this occur?

      Threat Source Process Name:C:\Windows\system32\msiexec.exe
      Threat Source URL:
      Threat Target Host Name:WIN7-PC
      Threat Target MAC Address:
      Threat Target User Name:NT AUTHORITY\SYSTEM
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
      Event Category:'File' class or access
      Event ID:1092
      Threat Severity:Notice
      Threat Name:Common Standard Protection:Prevent termination of McAfee processes
      Threat Type:access protection
      Action Taken:deny terminate
      Threat Handled:true
      Analyzer Detection Method:OAS

      Threat Source Process Name:C:\Windows\system32\msiexec.exe
      Threat Source URL:
      Threat Target Host Name:WIN7-PC
      Threat Target MAC Address:
      Threat Target User Name:NT AUTHORITY\SYSTEM
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
      Event Category:'File' class or access
      Event ID:1092
      Threat Severity:Notice
      Threat Name:Common Standard Protection:Prevent termination of McAfee processes
      Threat Type:access protection
      Action Taken:deny terminate
      Threat Handled:true
      Analyzer Detection Method:OAS

      Threat Source Process Name:C:\Windows\system32\msiexec.exe
      Threat Source URL:
      Threat Target Host Name:WIN7-PC
      Threat Target MAC Address:
      Threat Target User Name:NT AUTHORITY\SYSTEM
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
      Event Category:'File' class or access
      Event ID:1092
      Threat Severity:Notice
      Threat Name:Common Standard Protection:Prevent termination of McAfee processes
      Threat Type:access protection
      Action Taken:deny terminate
      Threat Handled:true
      Analyzer Detection Method:OAS
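
An added example, not part of the original post: a small Python parser for the `Field:Value` event blocks quoted above, grouping denied Access Protection events by rule and source process so a burst from one installer against several protected binaries is visible at a glance. The sample records are constructed from fields shown in the post, and the function names `parse_events` and `summarize_denials` are hypothetical.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: the three events quoted in the post, cut down to four fields.
SAMPLE = r"""
Threat Source Process Name:C:\Windows\system32\msiexec.exe
Threat Target File Path:C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe
Threat Name:Common Standard Protection:Prevent termination of McAfee processes
Action Taken:deny terminate

Threat Source Process Name:C:\Windows\system32\msiexec.exe
Threat Target File Path:C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
Threat Name:Common Standard Protection:Prevent termination of McAfee processes
Action Taken:deny terminate

Threat Source Process Name:C:\Windows\system32\msiexec.exe
Threat Target File Path:C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
Threat Name:Common Standard Protection:Prevent termination of McAfee processes
Action Taken:deny terminate
"""

def parse_events(text):
    """Return one dict per blank-line-separated event block."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        event = {}
        for line in block.splitlines():
            # Split on the first colon only: paths and rule names contain colons.
            key, sep, value = line.strip().partition(":")
            if sep:
                event[key.strip()] = value.strip()
        if event:
            events.append(event)
    return events

def summarize_denials(events):
    """Map (rule name, source process path) to the sorted denied target binaries."""
    grouped = defaultdict(set)
    for event in events:
        if event.get("Action Taken", "").startswith("deny"):
            key = (event.get("Threat Name", ""), event.get("Threat Source Process Name", ""))
            grouped[key].add(ntpath.basename(event.get("Threat Target File Path", "")))
    return {key: sorted(targets) for key, targets in grouped.items()}

if __name__ == "__main__":
    for (rule, source), targets in summarize_denials(parse_events(SAMPLE)).items():
        print(f"{source} denied by '{rule}': {', '.join(targets)}")
```

Keeping the full source path in the grouping key means an `msiexec.exe` running from anywhere other than `C:\Windows\system32` lands in its own group.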