Since our upgrade to a new ePO server (4.6), we have this alert on most of our computers in ePO:
Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe \REGISTRY\MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Write
I think it's not safe to allow the svchost process in "Prevent modification of McAfee Common Management Agent files and settings".
But I'd like to know what I can do.
Thanks for your help!
svchost.exe is "a generic host process name for services that run from dynamic-link libraries". Microsoft has moved all functionality from internal Windows services to .dll files instead of .exe. From a programming perspective it makes more sense for reusability, but the problem is that you can't launch a .dll file directly from Windows; it has to be loaded by a running executable (.exe). Thus the svchost.exe process was born. So there are many services running in Windows, divided into logical groups, and for each logical group there is an svchost.exe that loads them.
Now to resolve your issue:
The process is trying to access registry keys and is being blocked.
Go to Common Standard Protection and under "Prevent modification of McAfee Common Management Agent files and settings" > add exception.
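The grouping described above can be seen directly on the machine that raises the event. The following is an added example (not code from the thread or from McAfee) that lists, for every running svchost.exe instance, the services it hosts and the ServiceDll each one loads; it helps narrow the blocked write down to a specific service before deciding on an exception. It assumes an elevated PowerShell prompt on the affected host.

```powershell
# Added example, not from the original thread: map each svchost.exe PID to the
# services it hosts and the DLL each service runs from. Run elevated.

# Win32_Service exposes the hosting ProcessId, so running services can be
# grouped by the svchost.exe PID that loaded them.
$services    = Get-CimInstance -ClassName Win32_Service -Filter "State='Running'"
$svchostPids = @(Get-Process -Name svchost -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Id)

foreach ($svcPid in $svchostPids) {
    $hosted = @($services | Where-Object { $_.ProcessId -eq $svcPid })
    if ($hosted.Count -eq 0) { continue }

    "svchost.exe PID $svcPid ({0} service(s))" -f $hosted.Count
    foreach ($svc in $hosted) {
        # Shared-process services record their DLL under <service>\Parameters\ServiceDll;
        # the value is absent for services that run their own executable.
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        $dll = (Get-ItemProperty -Path $paramsKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { $dll = 'n/a' }
        "  {0,-28} {1}" -f $svc.Name, $dll
    }
}
```

The same PID-to-service mapping is available from `tasklist /svc`; the script adds the DLL path so an unfamiliar entry can be checked on disk. Which hosted service actually performs the registry write still has to be confirmed with a tool that records the write itself (for example Process Monitor), since the Access Protection event only names the host process.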
Thanks for your answer.
@Peter: I'd like to leave it alone, but I have a lot of logs related to svchost and this registry key; my ePO shows me nearly 50k related to this event...
Difficult to find anything with all these logs... But on the other side, I don't like to open a door if I allow the svchost process.
svchost.exe, being a type of software that runs .DLLs in its memory space, is also a potential cover for malware that manages to register itself with this process. If a lot of events are generated due to this process's actions, you are right to get suspicious.
Activating the Access Protection rule "Prevent programs registering to autorun" makes it possible to defend svchost.exe from being abused by malware in this way; moreover, this rule can have exceptions by process name to fine-tune it.
Please check if you have this rule enabled (block and report).
If not, please enable it.
(You can also check what entries are registered under the svchost registry key (HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost\); you can compare two identical hosts, one that does not send the events you mention and one that does. The difference can be a starting point for further investigation if you want.)
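One way to do the comparison suggested above, as an added example that is not part of the original post: export the SvcHost groups (and the ServiceDll behind each listed service) from both hosts to JSON, then diff the two exports. The file names under C:\Temp are assumptions; the registry paths are the ones named in the thread and the standard service Parameters location.

```powershell
# Added example, not from the original thread: dump the SvcHost group -> service
# lists on a host and compare two such dumps (a quiet host and a noisy one).

$SvcHostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
# Metadata properties that Get-ItemProperty adds to every result; not registry values.
$MetaProps  = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SvcHostGroups {
    # Each value under the SvcHost key is a group name; its REG_MULTI_SZ data is the
    # list of services started inside one svchost.exe instance for that group.
    $props  = Get-ItemProperty -Path $SvcHostKey
    $groups = @{}
    foreach ($p in $props.PSObject.Properties) {
        if ($MetaProps -contains $p.Name) { continue }
        $entries = foreach ($svc in @($p.Value)) {
            $dll = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" `
                        -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if (-not $dll) { $dll = 'n/a' }
            "$svc => $dll"
        }
        $groups[$p.Name] = @($entries | Sort-Object)
    }
    return $groups
}

function Export-SvcHostGroups([string]$Path) {
    Get-SvcHostGroups | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-SvcHostGroups([string]$ReferencePath, [string]$DifferencePath) {
    $ref   = Get-Content -Path $ReferencePath -Raw | ConvertFrom-Json
    $dif   = Get-Content -Path $DifferencePath -Raw | ConvertFrom-Json
    $names = @($ref.PSObject.Properties.Name) + @($dif.PSObject.Properties.Name) | Sort-Object -Unique
    foreach ($g in $names) {
        $a = @($ref.$g | Where-Object { $_ })
        $b = @($dif.$g | Where-Object { $_ })
        # Compare-Object rejects an empty reference array on Windows PowerShell 5.1,
        # so handle a group that exists on only one side explicitly.
        if ($a.Count -eq 0 -or $b.Count -eq 0) {
            if ($a.Count -ne $b.Count) { "Group '$g' is present on only one host" }
            continue
        }
        $delta = Compare-Object -ReferenceObject $a -DifferenceObject $b
        if ($delta) {
            "Group '$g' differs:"
            $delta | ForEach-Object { "  {0} {1}" -f $_.SideIndicator, $_.InputObject }
        }
    }
}

# Usage (file names are assumptions):
#   on the quiet host:  Export-SvcHostGroups 'C:\Temp\svchost-quiet.json'
#   on the noisy host:  Export-SvcHostGroups 'C:\Temp\svchost-noisy.json'
#   then, with both files copied side by side:
#   Compare-SvcHostGroups 'C:\Temp\svchost-quiet.json' 'C:\Temp\svchost-noisy.json'
```

In the comparison output, `=>` marks an entry that exists only on the noisy host and `<=` one that exists only on the quiet host. A service name that appears in a group on one host but not the other, or the same service pointing at a different ServiceDll path, is the kind of difference worth following up on disk and in the McAfee logs.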