    McAfee VSE 8.8 & svchost.exe


      Hello everybody,


      Since our upgrade to a new EPO server (4.6), we have this alert on most of our computers in EPO:


      Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework    Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings    Action blocked : Write


      I think it's not safe to allow the svchost process in "Prevent modification of McAfee Common Management Agent files and settings".

      But I'd like to know what I can do.


      Thanks for your help!



        • 1. Re: McAfee VSE 8.8 & svchost.exe



          “svchost.exe is a generic host process name for services that run from dynamic-link libraries”. Microsoft has moved all functionality from internal Windows services to .dll files instead of .exe. From a programming perspective it makes more sense for reusability, but the problem is that you can’t launch a .dll file directly from Windows; it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born. So there are many services running in Windows, divided into logical groups, and for each logical group there is a svchost.exe that loads them.


          Now to resolve your issue


          The process is trying to access registry keys and is being blocked.

          Go to Common Standard Protection and under Prevent modification of McAfee Common Management Agent files and settings > add exception.

          • 2. Re: McAfee VSE 8.8 & svchost.exe

            Uh... The real answer is nothing. Just leave it alone. That's part of Virus Scan's Self-protection.

            • 3. Re: McAfee VSE 8.8 & svchost.exe



              Thanks for your answer.

              @Peter: I'd like to leave it alone, but I have a lot of logs related to svchost and this registry key; my EPO tells me nearly 50k related to this event...

              Difficult to find something with all these logs... But on the other side, I don't like to open a door if I allow the svchost process.

              • 4. Re: McAfee VSE 8.8 & svchost.exe
                Attila Polinger

                Hello Vadim,


                svchost.exe, being a type of software that runs .DLLs in its memory space, is also a potential cover for malware that manages to register itself to this process. If a lot of events are generated due to this process's action, you are right to get suspicious.


                Activating the Access Protection rule "Prevent programs registering to autorun" allows defending svchost.exe from being abused via such a move by malware; not to mention, this rule may have exceptions by process names to fine-tune the rule.

                Please check if you have this rule enabled (block and report).

                If not, please enable it.


                (You can also check what entries are registered under svchost regkey (HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost\); you can compare two identical hosts where one does not send events you mention and one that does. The difference can be a starting point of further investigation if you want.)
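
The host comparison suggested in the reply above can be done offline. This is an added example, not part of the original post or McAfee tooling: it assumes each host's SvcHost key was saved with `reg export` and diffs the service lists per svchost group. The sample data and the name `ExampleSvc` are constructed.

```python
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"

def parse_svchost_groups(reg_text):
    """Return {group_name: set(service_names)} from the text of a .reg export."""
    # regedit wraps long hex values with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    groups, in_key = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # Only the SvcHost key itself lists groups; subkeys hold per-group settings.
            in_key = line.strip("[]").lower() == SVCHOST_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=hex\(7\):([0-9a-fA-F,]*)$', line)
        if in_key and m:
            # hex(7) is REG_MULTI_SZ: UTF-16LE strings separated by NUL.
            raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
            names = raw.decode("utf-16-le").split("\x00")
            groups[m.group(1).lower()] = {n.lower() for n in names if n}
    return groups

def diff_hosts(quiet, noisy):
    """Services present on only one host, per svchost group."""
    report = {}
    for group in sorted(set(quiet) | set(noisy)):
        only_noisy = noisy.get(group, set()) - quiet.get(group, set())
        only_quiet = quiet.get(group, set()) - noisy.get(group, set())
        if only_noisy or only_quiet:
            report[group] = {"only_noisy": sorted(only_noisy),
                             "only_quiet": sorted(only_quiet)}
    return report

def _multi_sz(*names):
    """Build a constructed hex(7) value the way regedit writes REG_MULTI_SZ."""
    raw = ("\x00".join(names) + "\x00\x00").encode("utf-16-le")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)

# Constructed sample exports (not real host data); "ExampleSvc" is a placeholder.
HEADER = "Windows Registry Editor Version 5.00\r\n\r\n[" + SVCHOST_KEY + "]\r\n"
QUIET_REG = HEADER + '"netsvcs"=' + _multi_sz("Schedule", "BITS") + "\r\n"
NOISY_REG = HEADER + '"netsvcs"=' + _multi_sz("Schedule", "BITS", "ExampleSvc") + "\r\n"

if __name__ == "__main__":
    print(diff_hosts(parse_svchost_groups(QUIET_REG), parse_svchost_groups(NOISY_REG)))
```

Real exports are UTF-16 with a BOM, so read them with `open(path, encoding="utf-16")` before passing the text to `parse_svchost_groups`.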



                • 5. Re: McAfee VSE 8.8 & svchost.exe

                  Hi!


                  Maybe there is a part of your answer here: https://kc.mcafee.com/corporate/index?page=content&id=KB53365.