9 Replies Latest reply: Sep 29, 2014 11:11 AM by rbkinsey RSS

    VSE blocking VsTskMgr.exe


      I have a number of Threat Events (ID 1092) where VsTskMgr.exe is being prevented from modifying files within VSE under the Common Standard Protection rules.


      It is not customary to have to create exclusions for each and every McAfee process, yet I have having to create a number of them.  Any ideas??

        • 1. Re: VSE blocking VsTskMgr.exe



          have you upgraded from 8.7i to 8.8? if yes , then this can be ignored, see release notes for VSE 8.8.



          • 2. Re: VSE blocking VsTskMgr.exe

            In this circumstance, no.  This was a direct install of VSE 8.8.


            Threat Source Process Name:C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
            Threat Source URL:
            Threat Target Host Name:
            Threat Target IPv4 Address:
            Threat Target IP Address:
            Threat Target MAC Address:
            Threat Target User Name:NT AUTHORITY\SYSTEM
            Threat Target Port Number:
            Threat Target Network Protocol:
            Threat Target Process Name:
            Threat Target File Path:\REGISTRY\MACHINE\SOFTWARE\McAfee\DesktopProtection\Tasks\{21221C11-A06D-4558-B8 33-98E8C7F6C4D2}
            Event Category:Registry
            Event ID:1092
            Threat Severity:Notice
            Threat Name:Common Standard Protection:Prevent modification of McAfee files and settings
            Threat Type:access protection
            Action Taken:deny write
            • 3. Re: VSE blocking VsTskMgr.exe

              Going a bit further, the Access Protection policy is chock-full of entries for McAfee processes.  I thought those were all excluded by VSE by default.


              C:\Program Files (x86)\Common Files\McAfee\SystemCore\csscan.exe,

              C:\Program Files (x86)\Common Files\McAfee\SystemCore\dainstall.exe,

              C:\Program Files (x86)\Common Files\McAfee\SystemCore\mcshield.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcadmin.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcconsol.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\mcupdate.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\restartVSE.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\scan32.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\scncfg32.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\shcfg32.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\shstat.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\dainstall.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\dainstall.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\vstskmgr.exe,

              C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe,

              C:\Program Files\Common Files\McAfee\SystemCore\csscan.exe,

              C:\Program Files\Common Files\McAfee\SystemCore\dainstall.exe,

              C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe,

              C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe


              I can understand having to exclude the SCCM client, but all the VSE processes too??

              • 4. Re: VSE blocking VsTskMgr.exe

                Yes,  You can go in server settings>Event filtering and unchek 1092 events. click OK.

                Further, these are ignorable and cosmatics issue. just uncheck 1092 event.

                Message was edited by: alexn on 2/26/13 12:29:03 PM CST


                Message was edited by: alexn on 2/26/13 12:50:50 PM CST
                • 5. Re: VSE blocking VsTskMgr.exe

                  I'm not a big fan of unchecking events like this.  It is an OAS Minor but it is preventing systems from updating.  Turning off the filter will simply make me not see it.  I need to resolve why VSE is blocking itself and other McAfee products.  Are we now expected to build ridiculously long exclusion lists for our VSE AP policies??




                  According to this thread - https://community.mcafee.com/thread/30702 - the McAfee services need to be excluded, but it still does not answer why this has changed.

                  • 6. Re: VSE blocking VsTskMgr.exe

                    As far as i know this was a bug in VSE 8.7i, but in your case it is VSE 8.8, SO I would request any McAfee man here to explain why VSE blocking its own processes?


                    on 2/26/13 2:15:34 PM CST
                    • 7. Re: VSE blocking VsTskMgr.exe
                      Scott Sadlocha

                      I ran into this recently in our environment. Several systems were generating thousands of blocks daily of the VsTskMgr.exe process, one of McAfee's own processes. In digging into it a bit further, I found that the exclusion for the process had as the path, Program Files (x86), but on the few PCs where it was triggering extensively, the software was installed at Program Files. Once I created another exclusion for the path on 32-bit systems, it was good to go.

                      • 8. Re: VSE blocking VsTskMgr.exe

                        I would recommend to open a case with support to advice them about this change and this exclusion missing can be added in next patch/hotfix.


                        Best regards,


                        Jose Maria

                        • 9. Re: VSE blocking VsTskMgr.exe

                          I am documenting yet another PER as this has been a consistent issue with VSE and HIPS.  Both have rules to protect McAfee processes and both have detections triggered when a McAfee process tries to update/change/modify a McAfee process.  This is similar to the "Prevent executables from running in TEMP" and then running all updates and installations FROM TEMP (i.e. C:\Windows\Temp\McAfeeLogs shows where all installations/updates occur within Temp).


                          Thanks all for the comments and thoughts.  To my knowledge this has existed since before VSE 8.x and is unlikely to stop other than having to create a myriad exclusions for McAfee products each time a new product is added to an environment.