I've been trying to figure this out also. I'm still not sure what the root cause is, but I used Process Monitor to log activity and here is what I found:
Svchost.exe starts a new thread and looks up some registry keys in HKLM\SOFTWARE\Microsoft\COM3, HKLM\SOFTWARE\Microsoft\Ole, and a bunch of Classes and AppIDs under HKCR and HKU\S-1-5-20 (the network service security ID). It also looks at wmiprvse.exe a couple times and various other registry entries and files, including C:\Windows\AppPatch\sysmain.sdb. Then it starts a new process using "C:\WINDOWS\system32\wbem\wmiprvse.exe -secured -Embedding". That wmiprvse.exe process then looks at a bunch of files (not sure if it is all of them) in the C:\Windows\system32 folder, some other folders and files, and some registry entries, including some that Svchost.exe was looking at. When it tries to look at tftp.exe, VirusScan blocks it. I'm not familiar enough with Process Monitor logs and the inner workings of Windows to determine exactly what it is really doing in plain English. My guess is that VSS or COM+ or Windows Updates or WGA or something else is cataloging the system.
I didn't get the warning using VSE 8.5. It only started showing up when I installed VSE 8.7. It shows up about once every 24 hours on each system.
I don't get the VS warning on our Vista systems (tftp.exe isn't there), our Windows 2003 Server system, or a few of our XP systems. It does occur on most of our XP systems. I haven't been able to determine anything different about those few XP systems that don't generate the VS warning.
I know this is an old topic but we're seeing this now too. I've been running the TFTP setting in only "Report" mode and not "Block" mode on our users' desktops for a long time and we decided to enable blocking finally because we've never seen a report of it and users do not need to be using this. However, as soon as we enabled the actual blocking we started getting machines reporting in that TFTP was being actually blocked from being actively used. Digging into the ePO report more shows that it is the WMI wmiprvse.exe process as stated before that is touching this file. Continued investigation shows that this only happens on Windows XP SP3 systems; all Vista & W7 machines do not have this behaviour.
So it just seems a behaviour of how the WMI processes of Win XP worked that have changed since then in Vista/W7. I plan to leave the block in place and have it ignore the reporting portion as we only have a handful of Win XP machines left.
Server ID: das-ePO
Event Received Time: 6/25/12 2:50:01 PM
Event Generated Time: 6/25/12 2:49:08 PM
Agent GUID: BCAF43F8-48B9-4C1F-A302-B37E8FE814F6
Detecting Prod ID (deprecated): VIRUSCAN8800
Detecting Product Name: VirusScan Enterprise
Detecting Product Version: 8.8
Detecting Product Host Name: Workstation30
Detecting Product IPv4 Address: 192.168.7.30
Detecting Product IP Address: 192.168.7.30
Detecting Product MAC Address:
DAT Version:
Engine Version:
Threat Source Host Name: _
Threat Source IPv4 Address: 192.168.7.30
Threat Source IP Address: 192.168.7.30
Threat Source MAC Address:
Threat Source User Name:
Threat Source Process Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
Threat Source URL:
Threat Target Host Name: Workstation30
Threat Target IPv4 Address: 192.168.7.30
Threat Target IP Address: 192.168.7.30
Threat Target MAC Address:
Threat Target User Name: NT AUTHORITY\NETWORK SERVICE
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path: C:\WINDOWS\system32\tftp.exe
Event Category: 'File' class or access
Event ID: 1092
Threat Severity: Notice
Threat Name: Anti-virus Standard Protection:Prevent use of tftp.exe
Threat Type: access protection
Action Taken: deny read
Threat Handled: true
Analyzer Detection Method: OAS
I'm seeing this same behavior. Here are the dates that it has occurred. Any ideas what causes it? Whether it's usual behavior or something to raise an eyebrow about?
Blocked by Access Protection rule NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\tftp.exe Anti-virus Standard Protection:Prevent use of tftp.exe Action blocked : Read
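Added example, not part of any post in this thread: a small triage script that separates the pattern reported above (wmiprvse.exe running as NETWORK SERVICE, denied a read of tftp.exe) from any other event that touches tftp.exe. It assumes events exported as one "Field: value" per line with a blank line between events; the sample data, including the second event's host, user and process, is constructed.

```python
import re
from collections import Counter

# Constructed sample in the "Field: value" layout of the ePO event quoted in
# this thread. The second event (host, user, process) is invented.
SAMPLE = r"""
Detecting Product Host Name: Workstation30
Threat Source Process Name: C:\WINDOWS\system32\wbem\wmiprvse.exe
Threat Target User Name: NT AUTHORITY\NETWORK SERVICE
Threat Target File Path: C:\WINDOWS\system32\tftp.exe
Action Taken: deny read

Detecting Product Host Name: Workstation31
Threat Source Process Name: C:\Temp\example.exe
Threat Target User Name: EXAMPLE\jdoe
Threat Target File Path: C:\WINDOWS\system32\tftp.exe
Action Taken: deny read
"""

# The pattern reported in the thread, compared case-insensitively.
KNOWN = {
    "Threat Source Process Name": r"c:\windows\system32\wbem\wmiprvse.exe",
    "Threat Target User Name": r"nt authority\network service",
    "Threat Target File Path": r"c:\windows\system32\tftp.exe",
    "Action Taken": "deny read",
}

def parse_events(text):
    """Split on blank lines; each event becomes a dict of field -> value."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:  # split at the first colon only, so C:\ paths survive
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def triage(events):
    """Return (known-pattern event count per host, events needing review)."""
    known, review = Counter(), []
    for ev in events:
        if all(ev.get(k, "").lower() == v for k, v in KNOWN.items()):
            known[ev.get("Detecting Product Host Name", "?")] += 1
        else:
            review.append(ev)
    return known, review
```

Calling `triage(parse_events(SAMPLE))` counts the Workstation30 event as the known pattern and returns the Workstation31 event for review, because its source process and user differ.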