2589 Views 4 Replies Latest reply: May 7, 2013 4:05 AM by Attila Polinger
vadim Newcomer 12 posts since
Jan 9, 2012

May 2, 2013 6:04 AM

McAfee VSE 8.8 & svchost.exe

Hello everybody,

 

Since our upgrade to a new EPO server (4.6), we have this alert on most of our computers in EPO:

 

Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Windows\system32\svchost.exe    \REGISTRY\MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework    Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings    Action blocked : Write

 

I think it's not safe to allow the svchost process in "Prevent modification of McAfee Common Management Agent files and settings".

But I'd like to know what I can do?

 

Thanks for your help !

 

Vadim

  • alexn Veteran 722 posts since
    Aug 9, 2012
    1. May 2, 2013 10:26 AM (in response to vadim)
    Re: McAfee VSE 8.8 & svchost.exe

    Vadim,

     

    svchost.exe is “a generic host process name for services that run from dynamic-link libraries”. Microsoft has moved all functionality from internal Windows services to .dll files instead of .exe. From a programming perspective it makes more sense for reusability, but the problem is that you can’t launch a .dll file directly from Windows; it has to be loaded up from a running executable (.exe). Thus the svchost.exe process was born. So there are many services running in Windows, divided into logical groups, and for each logical group there is a svchost.exe that loads them.

     

    Now to resolve your issue

     

    The process is trying to access registry keys and is being blocked.

    Go to Common Standard Protection and under "Prevent modification of McAfee Common Management Agent files and settings" > add exception.


    Post Timings: 6.00 AM to 3.00PM PDT
  • petersimmons McAfee Employee 230 posts since
    Dec 22, 2009
    2. May 2, 2013 1:21 PM (in response to vadim)
    Re: McAfee VSE 8.8 & svchost.exe

    Uh... The real answer is nothing. Just leave it alone. That's part of Virus Scan's Self-protection.

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009
    4. May 7, 2013 4:05 AM (in response to vadim)
    Re: McAfee VSE 8.8 & svchost.exe

    Hello Vadim,

     

    svchost.exe, being a type of software that runs .DLLs in its memory space, is also a potential cover for malware that manages to register itself to this process. If a lot of events are generated due to this process's actions, you are right to get suspicious.

     

    Activating the Access Protection rule "Prevent programs registering to autorun" allows defending svchost.exe from being abused via such a move by malware; not to mention, this rule may have exceptions by process name to fine-tune the rule.

    Please check if you have this rule enabled (block and report).

    If not, please enable it.

     

    (You can also check what entries are registered under svchost regkey (HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost\); you can compare two identical hosts where one does not send events you mention and one that does. The difference can be a starting point of further investigation if you want.)

     

    Attila
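
The comparison suggested in the last reply, as an added example that is not part of any post in this thread: it parses the text output of `reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost"` saved from two hosts and reports which services each svchost group has on one host but not the other. The two sample outputs and the names `ExampleSvc`, `ExampleSvc2` and `examplegrp` are constructed for illustration.

```python
import re

# Constructed sample output of:
#   reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost"
# saved on two hosts (service lists are illustrative, not from the thread).
QUIET_HOST = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
    LocalService    REG_MULTI_SZ    nsi\0WdiServiceHost\0EventSystem
    netsvcs    REG_MULTI_SZ    Schedule\0Winmgmt\0BITS
"""
NOISY_HOST = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\SvcHost
    LocalService    REG_MULTI_SZ    nsi\0WdiServiceHost\0EventSystem
    netsvcs    REG_MULTI_SZ    Schedule\0Winmgmt\0BITS\0ExampleSvc
    examplegrp    REG_MULTI_SZ    ExampleSvc2
"""

# A value line looks like: <indent><name>    REG_MULTI_SZ    <svc>\0<svc>...
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s+REG_MULTI_SZ\s*(.*)$")

def parse_svchost(text):
    """Map each svchost group name to its set of service names.

    Registry value names and service names are case-insensitive, so both
    are lower-cased before comparison.
    """
    groups = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue  # key path lines, subkey lines, blanks, other value types
        name, data = m.group(1).strip().lower(), m.group(2)
        # reg.exe prints REG_MULTI_SZ entries separated by a literal "\0"
        groups[name] = {s.strip().lower() for s in data.split(r"\0") if s.strip()}
    return groups

def diff_hosts(baseline, suspect):
    """Return {group: (only_on_suspect, only_on_baseline)} for differing groups."""
    a, b = parse_svchost(baseline), parse_svchost(suspect)
    report = {}
    for group in sorted(a.keys() | b.keys()):
        added = b.get(group, set()) - a.get(group, set())
        removed = a.get(group, set()) - b.get(group, set())
        if added or removed:
            report[group] = (sorted(added), sorted(removed))
    return report

if __name__ == "__main__":
    for group, (added, removed) in diff_hosts(QUIET_HOST, NOISY_HOST).items():
        print(f"{group}: only on noisy host {added}, only on quiet host {removed}")
```

A service that appears only on the host generating the events is a lead to look up under its own service key, not a verdict; legitimately installed software also adds entries here.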
