Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
3572 Views 7 Replies Latest reply: Mar 26, 2013 3:30 PM by gandepas RSS
mrandolp Apprentice 102 posts since
Mar 11, 2008
Currently Being Moderated

Feb 22, 2012 3:32 PM

Issues with LANDESK and VSE 8.8 Patch 1

We recently upgraded all 7000 nodes to VSE 8.8.  On all of our workstations we are seeing the following:

Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe       Common Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\WINDOWS\system32\mfevtps.exe            Common Standard Protection:Prevent termination of McAfee processes   Action blocked : Terminate

2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\McAfee\Common Framework\naPrdMgr.exe  Common Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe            Common Standard Protection:Prevent termination of McAfee processes   Action blocked : Terminate

2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE    Common Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

 

I’ve added all of the process to the User-defined rules and we still see the errors.  Any ideas how to fix this?

 

Thanks in advance Mike.

  • Lakshmanan Sathyamoorthy Champion 308 posts since
    May 16, 2011
    Currently Being Moderated
    1. Feb 22, 2012 10:03 PM (in response to mrandolp)
    Re: Issues with LANDESK and VSE 8.8 Patch 1

    Dear Mrandolp,

     

    We have faced the same issue before one month but we have faced DC problem and McAfee suggested us to to disable the scriptscan so what we have did is we have installed McAfee with script scan disabled using custom instrallation option on 2 problamatic server and we have monitored more than two weeks after that we didn't faced any issue so we have disabled script scan on all problamatic DC servers now our server is running perfectly ...test this idea on one of your machine and monitor it

     

    FYKI:

     

    Protection:Prevent termination of McAfee processes             Action blocked : Terminate

    1/9/2012              5:10:00 AM         Blocked by Access Protection rule            NT AUTHORITY\SYSTEM                C:\Windows\system32\conhost.exe      C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe                Common Standard Protection:Prevent termination of McAfee processes             Action blocked : Terminate


    Regards,

    Lakshmanan S




  • Lakshmanan Sathyamoorthy Champion 308 posts since
    May 16, 2011
    Currently Being Moderated
    2. Feb 22, 2012 10:12 PM (in response to mrandolp)
    Re: Issues with LANDESK and VSE 8.8 Patch 1

    Hi,

     

    We had this issue in Win2008 R2 server any way kindly test this work around on the problanatic machiches ...... Hope this will helps you


    Regards,

    Lakshmanan S




  • andy_clarke Newcomer 6 posts since
    Feb 21, 2011
    Currently Being Moderated
    4. Feb 24, 2012 5:00 AM (in response to mrandolp)
    Re: Issues with LANDESK and VSE 8.8 Patch 1

    Hi Mike,

    I'm unclear what processes you've excluded. We run LANDesk and also experienced this issue after I installed McAfee 8.8. I'm pretty sure I resolved it by adding the LANDesk process "StartAsUser.exe" to the Exclusion list on Access Protection Policies>Common Standard Protection>Prevent Termination of mcafee processes.

    Cheers.

    Andy.

  • sbenedix Apprentice 71 posts since
    Oct 20, 2011
    Currently Being Moderated
    5. Feb 27, 2012 4:46 AM (in response to mrandolp)
    Re: Issues with LANDESK and VSE 8.8 Patch 1

    This might be of interest to you, second post:

     

    https://community.mcafee.com/message/181331#181331

     

    This is how it works, setting an exclusion is the correct way of adddressing it or get in touch with LanDesk and ask them why the process seeks to aquire a terminate handle on the MFE process.

  • gandepas Newcomer 7 posts since
    Feb 4, 2013
    Currently Being Moderated
    7. Mar 26, 2013 3:30 PM (in response to mrandolp)
    Re: Issues with LANDESK and VSE 8.8 Patch 1

    Hi,

     

    I work on Nitro SIEM.  I saw 10,000 events of this type just in one day for ePO logginf to Nitro SIEM

     

    C:\Program Files (x86)\RemotelyAnywhere\x64\RaMaint.exe       C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe

     

    ThreatName='Common Standard Protection:Prevent termination of McAfee processes' ThreatEventID='1092' ThreatType='access protection' ThreatActionTaken='deny terminate' ThreatHandled='1'

     

    Although this was blocked by ePO, I am curious as to what needs to done be avoid such occurances. Why will RaMaint.exe try to terminate a McAfee process?

     

    Thanks for your help in advance.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points