8 Replies Latest reply on Feb 3, 2009 10:04 AM by aguess

    slow login after upgrade to VirusScan 8.7i

      Hi,

      I run a network of about 150 PCs running either 8.0i or 8.5i with ePO 3.6 (iirc). Just got round to looking at 8.7i and installed it on my machine (directly, not via ePO and after uninstalling a perfectly working 8.5i).

      When I log on to my system there's now an extra delay of about 2 minutes after entering my password and reaching my desktop.

      If I look in the Access Protection log I have:

      27/01/2009 08:58:04 Blocked by Access Protection rule [DOMAIN\username] C:\Windows\system32\winlogon.exe C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

      and I have a corresponding entry at 27/01/2009 08:58:05 in the event viewer Event ID 257

      Blocked by access protection rule. Access to object C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe was blocked by rule Common Standard Protection:Prevent termination of McAfee processes.

      (the previous event was at 08:56, 2 mins previous).

      My system is Vista Ultimate 64bit. UAC is disabled and I am Admin.

      I wonder if this is a known issue and if there is any reasonable fix or workaround I can use (i.e. that doesn't involve disabling the Access Protection ;) ) to resolve this before I look at rolling it out to the rest of my users?

      I will be trying on another system (not Vista 64) when I get some time, this is really the first place I've come to after a quick google in the hopes there's something nice and obvious.

      Thanks,
        • 1. RE: slow login after upgrade to VirusScan 8.7i
          We do one of two things: exclude that particular file from the Access Protection (click on the "Edit" button and add the process to the Exclude section), or UNCHECK the specific Access Protection rule causing the issue in "Common Standard Protection". There's no need to disable Access Protection entirely. Pick and choose which items work for you. We also remove one of the other "Common Standard Protection" entries, the "Prevent common files from running from Temp" which "reports only". It also can be a pain every time a temp file runs.

          Hope this helps.

          Grif
          • 3. RE: Look at:
            Laszlo G
            The "Prevent termination of McAfee processes" rule is not supported on 64-bit OS systems, but it will be with Patch 1 for VSE 8.7i
            • 4. RE: Look at:


              hmmm, that makes sense. i'm getting a lot of log notifications with regards to termination of mcafee processes. another installation on a vista 32 machine had no problems at all.

              for the time being, i've taken the initial responder's advice and modified ePO so I'm in a group by myself and added exceptions for the files i keep getting notified about.
              • 5. RE: Look at:
                Laszlo G
                You can find more info in KB53876 from McAfee Knowledge Base
                • 6. RE: Look at:
                  hmmm, KB not working for me (FF and IE). https://kc.mcafee.com/corporate/index?page=content&id=KB53876 just seems to list recent and popular articles and clicking on any of those does the same. I'll try again later :)

                  Thanks for your help.
                  • 7. RE: Look at:
                    Laszlo G
                    That's a copy/paste of this KB:

                     

                    Corporate KnowledgeBase
                    Common Standard Protection Rule: Prevent Termination of McAfee Processes, is triggered on 64-bit systems

                    Corporate KnowledgeBase ID: KB53876
                    Published: September 22, 2008

                    Environment
                    McAfee VirusScan Enterprise 8.7i

                    Problem 1
                    The access protection rule: Prevent Termination of McAfee Processes, is triggered on 64-bit systems under certain conditions, including computer startup.

                    Problem 2
                    VirusScan Enterprise 8.7i Access Protection Log reports the following error:

                    Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe
                    Common Standard Protection:Prevent termination of McAfee processes
                    Action blocked : Terminate

                    Problem 3
                    VirusScan Enterprise 8.7i Access Protection Log file: C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt

                    Cause:
                    A service which runs within SVCHost.exe (or a third-party process) is accessing and enumerating the running processes with a permission that allows them to terminate processes, though they may not actually be trying to terminate processes.

                    Solution:
                    This is expected behavior. The Prevent Termination of McAfee Processes access protection rule is currently not supported on 64-bit systems.

                    The rule should be disabled (via ePolicy Orchestrator).

                    Environments not managed via ePolicy Orchestrator will receive a solution in Patch 1 for VirusScan Enterprise 8.7i. This article will be updated when more information becomes available.

                    Related Information
                    Some third-party applications, whose operation entails enumerating processes with the privilege to terminate processes, might cause this rule to be triggered many times per minute depending on the application behavior.

                    • 8. RE: Look at:
                      yup, that covers it exactly :)

                      i feel happier now about disabling it for the time being.
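
The Access Protection log entries quoted in this thread can be tallied to show which rule and which calling process generate the blocks, and how many per minute, before choosing what to exclude or disable. This is an added example, not part of the original posts or of McAfee's tooling; the line layout is assumed from the quoted entry, and `parse_line`, `noisy_rules`, `RULE` and the sample lines are illustrative names and constructed data.

```python
import re
from collections import Counter
from datetime import datetime

# Layout assumed from the line quoted in the thread: space-separated fields,
# dd/mm/yyyy timestamps, drive-letter paths, source process ending in .exe.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"Blocked by Access Protection rule\s+"
    r"\[?(?P<user>[^\]]+?)\]?\s+"
    r"(?P<source>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<target>[A-Za-z]:\\.+?)\s+"
    r"(?P<category>[^:\\]+?):(?P<rule>.+?)\s+"
    r"Action blocked\s*:\s*(?P<action>.+?)\s*$",
    re.IGNORECASE)

def parse_line(line):
    """Return the fields of one blocked-action line, or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%m/%Y %H:%M:%S")
    return event

def noisy_rules(lines, per_minute=3):
    """Map (rule, source process) to its peak blocks-per-minute when that
    peak reaches `per_minute`: candidates for a rule review or exclusion."""
    buckets = Counter()
    for ev in filter(None, map(parse_line, lines)):
        key = (ev["rule"], ev["source"].lower(), ev["ts"].replace(second=0))
        buckets[key] += 1
    peaks = {}
    for (rule, source, _minute), n in buckets.items():
        if n >= per_minute:
            peaks[(rule, source)] = max(n, peaks.get((rule, source), 0))
    return peaks

# Constructed sample: line 1 is the entry quoted in the thread; the svchost
# lines are made up (same minute) to mimic a process-enumerating service.
RULE = "Common Standard Protection:Prevent termination of McAfee processes"
SAMPLE = [
    r"27/01/2009 08:58:04 Blocked by Access Protection rule [DOMAIN\username] "
    r"C:\Windows\system32\winlogon.exe C:\Program Files (x86)\McAfee\Common "
    r"Framework\naPrdMgr.exe " + RULE + " Action blocked : Terminate",
] + [
    r"27/01/2009 09:01:%02d Blocked by Access Protection rule NT AUTHORITY"
    r"\SYSTEM C:\Windows\System32\svchost.exe C:\Program Files (x86)\McAfee"
    r"\VirusScan Enterprise\shstat.exe " % s + RULE + " Action blocked : Terminate"
    for s in (2, 20, 41)]
```

Calling `noisy_rules(SAMPLE)` reports only the svchost.exe burst; the single winlogon.exe block stays below the threshold.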