7 Replies. Latest reply: Mar 26, 2013 3:30 PM by gandepas

    Issues with LANDESK and VSE 8.8 Patch 1

    mrandolp

      We recently upgraded all 7000 nodes to VSE 8.8.  On all of our workstations we are seeing the following:

      Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

      2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe       Common Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

      2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\WINDOWS\system32\mfevtps.exe            Common Standard Protection:Prevent termination of McAfee processes   Action blocked : Terminate

      2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\McAfee\Common Framework\naPrdMgr.exe  Common Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

      2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe            Common Standard Protection:Prevent termination of McAfee processes   Action blocked : Terminate

      2/20/2012      4:35:56 AM    Blocked by Access Protection rule           NT AUTHORITY\SYSTEM            C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE    Common Standard Protection:Prevent termination of McAfee processes            Action blocked : Terminate

       

      I’ve added all of the processes to the User-defined rules and we still see the errors.  Any ideas how to fix this?

       

      Thanks in advance Mike.

        • 1. Re: Issues with LANDESK and VSE 8.8 Patch 1
          Lakshmanan Sathyamoorthy

          Dear Mrandolp,

           

          We faced the same issue a month ago, but we faced a DC problem, and McAfee suggested that we disable ScriptScan. So what we did is install McAfee with ScriptScan disabled, using the custom installation option, on 2 problematic servers, and we monitored them for more than two weeks. After that we didn't face any issue, so we disabled ScriptScan on all problematic DC servers. Now our server is running perfectly. Test this idea on one of your machines and monitor it.

           

          FYKI:

           

          Protection:Prevent termination of McAfee processes             Action blocked : Terminate

          1/9/2012              5:10:00 AM         Blocked by Access Protection rule            NT AUTHORITY\SYSTEM                C:\Windows\system32\conhost.exe      C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe                Common Standard Protection:Prevent termination of McAfee processes             Action blocked : Terminate

          • 2. Re: Issues with LANDESK and VSE 8.8 Patch 1
            Lakshmanan Sathyamoorthy

            Hi,

             

            We had this issue on a Win2008 R2 server. Anyway, kindly test this workaround on the problematic machines. Hope this helps you.

            • 3. Re: Issues with LANDESK and VSE 8.8 Patch 1
              mrandolp

              Good morning, scriptscan is disabled on all nodes.  I verified this in ePO and on several nodes.  Is there a registry setting I need to check?

              Great suggestion.

               

              Thanks Mike

               

              Message was edited by: mrandolp on 2/23/12 7:24:46 AM GMT-06:00
              • 4. Re: Issues with LANDESK and VSE 8.8 Patch 1
                andy_clarke

                Hi Mike,

                I'm unclear what processes you've excluded. We run LANDesk and also experienced this issue after I installed McAfee 8.8. I'm pretty sure I resolved it by adding the LANDesk process "StartAsUser.exe" to the Exclusion list on Access Protection Policies > Common Standard Protection > Prevent termination of McAfee processes.

                Cheers.

                Andy.

                • 5. Re: Issues with LANDESK and VSE 8.8 Patch 1
                  sbenedix

                  This might be of interest to you, second post:

                   

                  https://community.mcafee.com/message/181331#181331

                   

                  This is how it works: setting an exclusion is the correct way of addressing it, or get in touch with LanDesk and ask them why the process seeks to acquire a terminate handle on the MFE process.

                  • 6. Re: Issues with LANDESK and VSE 8.8 Patch 1
                    mrandolp

                    Hi Andy, sorry for not getting back to you before now, been out.  I added the process to the Common Standard Protection rule, and have not had any more issues with LANDESK.

                     

                    Thanks for your help. Mike

                    • 7. Re: Issues with LANDESK and VSE 8.8 Patch 1
                      gandepas

                      Hi,

                       

                      I work on Nitro SIEM.  I saw 10,000 events of this type in just one day from ePO logging to Nitro SIEM:

                       

                      C:\Program Files (x86)\RemotelyAnywhere\x64\RaMaint.exe       C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe

                       

                      ThreatName='Common Standard Protection:Prevent termination of McAfee processes' ThreatEventID='1092' ThreatType='access protection' ThreatActionTaken='deny terminate' ThreatHandled='1'

                       

                      Although this was blocked by ePO, I am curious as to what needs to be done to avoid such occurrences. Why will RaMaint.exe try to terminate a McAfee process?

                       

                      Thanks for your help in advance.
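
The following is an added example, not part of the original thread and not McAfee or LANDesk code: a small triage script that groups Access Protection block entries by source process and rule, so you can see which process is requesting terminate access, and against which targets, before deciding on an exclusion. It assumes the columns are separated by tabs or by runs of two or more spaces, as in the lines pasted above; the sample lines are copied from the posts with the column gaps normalised.

```python
import ntpath
import re
from collections import defaultdict

# Lines copied from the posts above (column gaps normalised to two spaces).
# The first line is the truncated fragment from the first post and must be skipped.
SAMPLE_LOG = r"""
Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate
2/20/2012  4:35:56 AM  Blocked by Access Protection rule  NT AUTHORITY\SYSTEM  C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\McAfee\VirusScan Enterprise\mfeann.exe  Common Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate
2/20/2012  4:35:56 AM  Blocked by Access Protection rule  NT AUTHORITY\SYSTEM  C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\WINDOWS\system32\mfevtps.exe  Common Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate
2/20/2012  4:35:56 AM  Blocked by Access Protection rule  NT AUTHORITY\SYSTEM  C:\Program Files\LANDesk\LDClient\startasuser.exe  C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe  Common Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate
1/9/2012  5:10:00 AM  Blocked by Access Protection rule  NT AUTHORITY\SYSTEM  C:\Windows\system32\conhost.exe  C:\Program Files (x86)\McAfee\Common Framework\McScript_InUse.exe  Common Standard Protection:Prevent termination of McAfee processes  Action blocked : Terminate
"""

FIELDS = ("date", "time", "event", "user", "source", "target", "rule", "action")
# Assumption: columns are split by tabs or 2+ spaces; paths contain single spaces only.
COLUMN_GAP = re.compile(r"\t+| {2,}")


def parse_line(line):
    """Return a dict of the eight columns, or None for anything else."""
    parts = [p.strip() for p in COLUMN_GAP.split(line.strip())]
    if len(parts) != len(FIELDS) or parts[2] != "Blocked by Access Protection rule":
        return None
    return dict(zip(FIELDS, parts))


def summarize(log_text):
    """Group blocks by (source process, rule); busiest source first."""
    groups = defaultdict(lambda: {"count": 0, "targets": set()})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # blank line, header fragment, or unrelated entry
        key = (event["source"].lower(), event["rule"])  # Windows paths are case-insensitive
        groups[key]["count"] += 1
        groups[key]["targets"].add(ntpath.basename(event["target"]))
    rows = [
        {"source": src, "rule": rule, "count": g["count"], "targets": sorted(g["targets"])}
        for (src, rule), g in groups.items()
    ]
    return sorted(rows, key=lambda row: row["count"], reverse=True)


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f'{row["count"]:>5}  {row["source"]}  ->  {", ".join(row["targets"])}')
        print(f'       rule: {row["rule"]}')
```

A source process that accounts for nearly all of the blocks against a rule is the one to review, either as an exclusion on that rule or as a question for its vendor.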