2072 Views 6 Replies Latest reply: Apr 10, 2014 9:07 AM by c8822131
c8822131 Newcomer 14 posts since
Jun 13, 2013
Jun 26, 2013 12:01 PM

Event ID 1092 - Services.exe

Hi all,

 

I've recently implemented ePO 4.6.6 along with VSE 8.8 and HIPS 8 on a number of test endpoints for a pilot of up-to-date McAfee products, and almost straight away I am seeing a very high number of the following events in a 7 day period:

 

Detecting Prod ID (deprecated): VIRUSCAN8800
Detecting Product Name: VirusScan Enterprise
Detecting Product Version: 8.8

Threat Source Process Name: C:\windows\system32\services.exe
Threat Source URL: 

Threat Target User Name: NT AUTHORITY\SYSTEM

Threat Target File Path: \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine
Event Category: 'Registry' class or access
Event ID: 1092
Threat Severity: Notice
Threat Name: Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings
Threat Type: access protection
Action Taken: deny delete
Threat Handled: true
Analyzer Detection Method: OAS

 

Threat events received from managed systems  

Event Description: Access Protection rule violation detected and blocked

 

Should services.exe be added to the exclusions list for the "Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings" rule?

 

Thanks

 

Mike

  • andrep1 The Place at McAfee Member 246 posts since
    Apr 26, 2011
    1. Jul 10, 2013 9:46 AM (in response to c8822131)
    Re: Event ID 1092 - Services.exe

    services.exe can be used by many programs, so it is a pretty wide exclusion to put in. Also note that access protection is one of the best features of VirusScan, and it has saved or will save your "derriere" at some point by potentially catching an unknown threat.

     

    It might be better to find the true cause of the trigger. To give you an example, we had a commercial application that was looking at all processes running on a device in order to find its own "zombie" processes and terminate them. The developer had decided to ask for terminate rights when trying to attach to the processes, and that triggered an access protection rule for us. We got the developer to change their code. In your case, it looks like a process is scanning the registry and might be asking for excessive rights.

     

    Is there a pattern to those triggers (every x hours, same time for all devices, correlation to an inventory or endpoint management task)?

     

    Message was edited by: andrep1 on 10/07/13 10:46:46 EDT AM
  • eleftheria Newcomer 2 posts since
    Feb 27, 2014
    3. Feb 27, 2014 4:14 AM (in response to c8822131)
    Re: Event ID 1092 - Services.exe

    Hello all,

     

    I have the very same problem.

    The same event is generated (as an informational event in the Event Viewer too), reporting that services.exe intends to delete some entries of the McAfee registry. If the related McAfee rule is enabled, the deletion of the registry fields will be prevented and reported. Otherwise, the following registry fields will be deleted:

    \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion

    \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion

    I am trying to find which of the installed software is interested in deleting these fields, with no success so far.

    I managed to capture the event with Microsoft's Process Monitor tool. Here is the image of the stack at that time (attached image: stack.jpg).

     

    Many thanks

    Eleftheria

  • eleftheria Newcomer 2 posts since
    Feb 27, 2014
    5. Mar 31, 2014 9:12 AM (in response to c8822131)
    Re: Event ID 1092 - Services.exe

    Hello,

     

    It seems that the workaround that eliminated the problem is to add 'services.exe' & 'McScript_InUse.exe' within 'Processes to exclude' at McAfee rule 'Access Protection Properties -> Common Standard Protection -> Prevent Modification of McAfee Scan Engine files and settings.'

     

    Note: we checked with the Process Monitor tracer which process was opening the registry key that services.exe was later trying to delete, and it was 'McScript_InUse.exe'.

     

    Note: in our case too the trigger was Group Policy Update (that comes either via the ADIR or we can force it to happen locally by 'gpupdate /force'), but I cannot say which exact policy rule.

     

    Regards

    eleftheria

     

    Message was edited by: eleftheria on 3/31/14 9:12:04 AM CDT
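
Added example, not part of any post in this thread: a Python sketch for two points raised above, andrep1's question about whether the triggers follow a pattern and eleftheria's finding that Group Policy updates were the trigger. It parses exported Event ID 1092 records in the `Key: value` layout of the original post and reports the median gap between denials per host. The `Event Generated Time` and `Threat Target Host Name` fields, the timestamp format and the sample events are assumptions constructed for illustration; the 90-120 minute window is the Windows default Group Policy background refresh interval, used here only as a heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# TIME and HOST are assumed export field names; PROC and PATH appear in the thread's event.
TIME, HOST = "Event Generated Time", "Threat Target Host Name"
PROC, PATH = "Threat Source Process Name", "Threat Target File Path"

def make_sample():
    """Constructed events (not real data) in the 'Key: value' layout shown in the thread."""
    tmpl = ("Event Generated Time: {t}\nThreat Target Host Name: {h}\n"
            "Threat Source Process Name: C:\\windows\\system32\\services.exe\n"
            "Threat Target File Path: \\REGISTRY\\MACHINE\\SOFTWARE\\McAfee\\AVEngine\n"
            "Event ID: 1092\nAction Taken: deny delete\n")
    rows = [("2013-06-20 08:00:00", "PC01"), ("2013-06-20 09:45:00", "PC01"),
            ("2013-06-20 11:25:00", "PC01"), ("2013-06-20 13:10:00", "PC01"),
            ("2013-06-20 08:10:00", "PC02"), ("2013-06-20 09:50:00", "PC02"),
            ("2013-06-20 10:00:00", "PC03")]
    return "\n".join(tmpl.format(t=t, h=h) for t, h in rows)

def parse_events(text):
    """Split blank-line-separated blocks into dicts, keeping only Event ID 1092."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        # Split each line on its first colon so values such as C:\... stay intact.
        fields = {k.strip(): v.strip() for k, sep, v in
                  (line.partition(":") for line in block.splitlines()) if sep}
        if fields.get("Event ID") == "1092":
            events.append(fields)
    return events

def gap_report(events):
    """Map (host, process, registry path) to (event count, median minutes between denials)."""
    seen = defaultdict(list)
    for e in events:
        key = (e.get(HOST, "?"), e.get(PROC, "?").lower(), e.get(PATH, "?"))
        seen[key].append(datetime.strptime(e[TIME], "%Y-%m-%d %H:%M:%S"))
    report = {}
    for key, ts in seen.items():
        ts.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
        report[key] = (len(ts), median(gaps) if gaps else None)
    return report

def gp_refresh_candidates(report, low=90, high=120):
    """Hosts whose median gap fits the 90-120 min default Group Policy refresh (heuristic)."""
    return sorted({k[0] for k, (_, gap) in report.items() if gap and low <= gap <= high})

if __name__ == "__main__":
    print(gp_refresh_candidates(gap_report(parse_events(make_sample()))))
```

A host that shows up in the candidate list is a prompt to line the denial times up against Group Policy processing on that machine before deciding on an exclusion; a single event per host yields no gap and is never flagged.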
