4 Replies Latest reply on Aug 7, 2012 3:46 AM by northomsk

    Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8

    northomsk

      Hi all

       

      VSE8.7 latest patch

      VSE8.8 latest patch

       

      Why is it that I keep getting the following in ePO? Well, I do know why, but could I have it explained?

       

      Example of an Automatic Response rule (rule name and event count):

      Common Standard Protection: Prevent termination of McAfee processes (17)
      Common Standard Protection: Prevent modification of McAfee files and settings (11)
      Common Standard Protection: Prevent modification of McAfee Common Management Agent files and settings (9)

       

      Then, when looking further into the above rules, I found the following:

       

      Processes attempting to Terminate McAfee processes:

      036DFF3520DC0456ED4566FE7B07D287.exe
      acroaum.exe
      Ad-AwareAdmin.exe
      AdminService.exe
      Adobe_Updater.exe
      aljxrbcsw.exe
      aolsoftware.exe
      Au_.exe
      avast.setup
      Dropbox.exe
      getPlusUninst_Adobe.exe
      GPY23D.tmp
      HealthService.exe
      ienrcore.exe
      IncredibarToolbar.exe
      mcClient.exe
      mikogo-starter.exe
      mikogo-starter[1].exe
      MOM.exe
      mor.exe
      MsiExec.exe
      MyBabylonTB.exe
      PatrolAgent.exe
      resrcmon.exe
      rool1_pk.exe
      rty0_7z.exe
      ruby.exe
      setup.exe
      smhstart.exe
      SmileboxStarter.exe
      SmileboxUpdater.exe
      smss.exe
      StorageServer.exe
      sysocmgr.exe
      TaskController.exe
      taskmgr.exe
      termsrv.exe
      TrolleyExpress.exe
      Uninstall.exe
      WLSync.exe
      WriteDescExecuteFileName.exe

       

      Processes attempting to Modify McAfee files:

      6784xdat.exe
      aolsoftware.exe
      ASCService.exe
      cleanmgr.exe
      csrss.exe
      CtxBace.exe
      DllHost.exe
      dsmcutil.exe
      EXCEL.EXE
      Explorer.EXE
      file_aut.exe
      JetClean.exe
      mfevtps.exe
      mmc.exe
      PCCleaner.exe
      regmech.exe
      RegSeeker.exe
      RegWork.exe
      services.exe
      SpeedyPC.exe
      Stinger_Coficker.exe
      svchost.exe
      System
      updatdrv.exe

       

      1) Are these processes meant to be trying to modify/terminate the McAfee files/processes, and if so, why?

      2) If these processes aren't meant to be trying to modify/terminate the McAfee files/processes, why is VirusScan not detecting them as spyware/virus infections?

       

      Could I just have it explained why this happens?

      I mean, creating exclusions for them all isn't really the way forward; there must be an explanation for this.

       

      Hoping to hear something back.

      Thanks in advance.

        • 1. Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8
          Tristan

          Some of them would be expected:

           

          avast.setup - Avast AV install attempting to uninstall McAfee

          6784xdat.exe - DAT update

          JetClean.exe, regseeker.exe - Registry clean-up tools attempting to access McAfee registry entries

           

          Others I would be more worried about, and suggest a virus or malicious software attempting to disable McAfee to prevent detection:

           

          rool1_pk.exe

          rty0_7z.exe

          • 2. Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8
            northomsk

            Hi Tristan

             

            Well, the Avast one is, of course, as you also said, something to expect.

             

            The weird thing here is that I have used GetSusp, done a full ODS, and used Malwarebytes, but nothing was detected.

            Hmmm, now I did a search for rool1_pk.exe and found (in German) http://www.istdiesedateisicher.de/sha1/B349C5CD5A320279457D8F0BE1E7505070395882_details.aspx

            Guess I need to start yet another scan on the system(s).

             

            But what I don't really get is why something like Adobe_Updater.exe would attempt to terminate McAfee processes.


            • 3. Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8
              wwarren

              Hi northomsk,

               

              The AP rule to prevent termination of McAfee processes is activated whenever we see a process try to interact with one of our protected processes, and explicitly seeks the access mask called TERMINATE_PROCESS, which is a flag the programmers of the 3rd party process pass along in their request for gaining access/info from our protected process.

               

              It's a behavior that processes do not need to engage in but has perhaps become a fairly common programming practice because "nobody cares" to be more particular about the access level they're seeking/acquiring, even to do mundane things in their program, not actually intending to terminate the process.

               

              Well, this AP rule in VSE is here to change that way of thinking because it's not a secure way to program. And of course, it's there to protect our software from malicious coders who would do the same thing but actually intend to terminate us. VSE can't distinguish who's malicious or not, so we block everybody - but we give you the ability to make that choice, by means of exclusions.

               

              You have options available to you to reduce the number of events being generated. You can disable reporting of the event (an ePO tweak), or of the rule itself (a VSE policy tweak), or you can trust the 3rd party process and add it as an excluded process for the specific rule.

              And/or, you can take up a request with your 3rd party vendor whose process is unnecessarily seeking the TERMINATE_PROCESS privilege, and tell them not to do that when the privilege is never going to be exercised.

              1 of 1 people found this helpful
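Added example (not from this thread, McAfee, or any vendor): a small C model of the check wwarren describes. The protected-process set, the exclusion list and the three sample requests are constructed; the access-mask values are the documented Win32 ones. It shows why a process that only wants to read information still trips the rule when it asks for PROCESS_ALL_ACCESS (which contains PROCESS_TERMINATE), and why asking for PROCESS_QUERY_LIMITED_INFORMATION does not.

```c
#include <stdio.h>
#include <string.h>

/* Win32 process access-mask bits, as passed to OpenProcess (documented values). */
#define PROCESS_TERMINATE                 0x0001u
#define PROCESS_QUERY_LIMITED_INFORMATION 0x1000u
#define STANDARD_RIGHTS_REQUIRED          0x000F0000u
#define SYNCHRONIZE                       0x00100000u
#define PROCESS_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFFu)

/* One OpenProcess-style request as the Access Protection rule would observe it. */
typedef struct {
    const char *requester;  /* image name of the process asking for access */
    const char *target;     /* image name of the process being opened */
    unsigned    desired;    /* access mask the requester passed */
} access_request;

/* Constructed stand-ins for the rule's protected-process set and its exclusion list. */
static const char *protected_procs[] = { "mcshield.exe", "mfevtps.exe" };
static const char *excluded_procs[]  = { "6784xdat.exe" };
#define COUNT(a) (sizeof (a) / sizeof *(a))

static int in_list(const char *name, const char **list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(name, list[i]) == 0) return 1;
    return 0;
}

/* 1 if "Prevent termination of McAfee processes" fires: protected target, TERMINATE bit
   present in the requested mask, requester not excluded. Intent is never examined. */
int ap_rule_terminate_fires(const access_request *r) {
    if (!in_list(r->target, protected_procs, COUNT(protected_procs))) return 0;
    if (!(r->desired & PROCESS_TERMINATE)) return 0;
    if (in_list(r->requester, excluded_procs, COUNT(excluded_procs))) return 0;
    return 1;
}

int main(void) {
    /* Constructed requests: an updater asking for everything just to read a path,
       the same updater asking for the minimum it needs, and an excluded DAT updater. */
    access_request reqs[] = {
        { "Adobe_Updater.exe", "mcshield.exe", PROCESS_ALL_ACCESS },
        { "Adobe_Updater.exe", "mcshield.exe", PROCESS_QUERY_LIMITED_INFORMATION },
        { "6784xdat.exe",      "mcshield.exe", PROCESS_ALL_ACCESS },
    };
    for (size_t i = 0; i < COUNT(reqs); i++)
        printf("%-18s -> %-13s mask 0x%06x : %s\n", reqs[i].requester, reqs[i].target,
               reqs[i].desired, ap_rule_terminate_fires(&reqs[i]) ? "EVENT" : "allowed");
    return 0;
}
```

The same decision is what the exclusion options in the reply above change: an exclusion removes the requester from the third check, while fixing the caller removes the TERMINATE bit from the second.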
              • 4. Re: Processes attempting to Terminate McAfee processes, VSE 8.7 & 8.8
                northomsk

                Hi

                 

                Thank you so much for explaining this to me (and others; I can't be the only one wondering).

                This was what I was looking for.

                 

                Well, as you said: tweak in ePO, tweak the rule itself, or exclusions. Contacting the 3rd party might be a pain in the ....

                I think I'll work through the list and exclude all known ones, and then let's see what action will be taken on the rest.

                 

                Again, thanks.