15 Replies. Latest reply: Feb 5, 2015 5:45 AM by bretzeli

    Event ID 1092 - Services.exe

    c8822131

      Hi all,

       

      I've recently implemented ePO 4.6.6 along with VSE 8.8 and HIPS 8 onto a number of test endpoints for a pilot of up-to-date McAfee products, and almost straight away I am seeing a very high number of the following events in a 7-day period:

       

      Detecting Prod ID (deprecated): VIRUSCAN8800
      Detecting Product Name: VirusScan Enterprise
      Detecting Product Version: 8.8

      Threat Source Process Name: C:\windows\system32\services.exe
      Threat Source URL: 

      Threat Target User Name: NT AUTHORITY\SYSTEM

      Threat Target File Path: \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine
      Event Category: 'Registry' class or access
      Event ID: 1092
      Threat Severity: Notice
      Threat Name: Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings
      Threat Type: access protection
      Action Taken: deny delete
      Threat Handled: true
      Analyzer Detection Method: OAS

       

      Threat events received from managed systems  

      Event Description: Access Protection rule violation detected and blocked

       

      Should services.exe be added to the exclusions list for the "Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings" ?

       

      Thanks

       

      Mike

        • 1. Re: Event ID 1092 - Services.exe
          andrep1

          services.exe can be used by many programs; it is a pretty wide exclusion to put in. Also note that Access Protection is one of the best features of VirusScan and it has, or it will, save your "derriere" at some point by potentially catching an unknown threat.

           

          It might be better to find the true cause of the trigger. To give you an example, we had a commercial application that was looking at all processes running on a device in order to find its own "zombie" processes to terminate them. The developer had decided to ask for terminate rights when trying to attach to the processes and that triggered an Access Protection rule for us. We got the developer to change their code. In your case, it looks like a process is scanning the registry and might be asking for excessive rights.

           

          Is there a pattern to those triggers (every x hours, same time for all devices, correlation to an inventory or endpoint management task) ?

           

          Message was edited by: andrep1 on 10/07/13 10:46:46 EDT AM
          • 2. Re: Event ID 1092 - Services.exe
            c8822131

            Hi Andre,

             

            Apologies for not replying sooner, but I've raised an SR with support to investigate, and we're hopefully coming to the end of a very long investigation!

             

            By the way, we noticed the following event was being generated in the AP logs (I've pulled these from recent logs, by the way, because it's still triggering the event):

             

            16/10/2013 10:56:14 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

             

            16/10/2013 12:27:07 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

             

            16/10/2013 14:22:05 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

             

            16/10/2013 16:02:24 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete

             

            Hoping to get this sorted this week

            • 3. Re: Event ID 1092 - Services.exe
              eleftheria

              hello all,

               

              I have the very same problem.

              The same event is generated (as an informative event in the Event Viewer too) that reports that services.exe has the intention to delete some entries of the McAfee registry. If the related McAfee rule is enabled, the deletion of the registry fields will be prevented and reported. Otherwise, the following registry fields will be deleted:

              \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion

              \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion

              I am trying to find which of the installed software is interested in deleting these fields, with no success so far.

              I managed to capture the event with Microsoft's Process Monitor tool. Here is the image of the stack at that time: stack.jpg

               

              Many thanks

              Eleftheria

              • 4. Re: Event ID 1092 - Services.exe
                c8822131

                Hi there,

                 

                In our case it wasn't malware causing this event to trigger so often.

                 

                The issue is caused by a GPO refresh which is "touching" registry keys for McAfee VSE, which in turn triggers the event 1092 - Deny Delete.

                 

                GPO by default updates every 90 minutes with a random offset of 0 to 30 minutes; this corresponds with the events generated in ePO.

                 

                The following article from MS helped in discovering the root cause :

                http://technet.microsoft.com/en-us/library/cc940895.aspx

                 

                It seems that the GPO refresh is causing the services.exe process to interact with the HKLM\SOFTWARE\McAfee\AVEngine key... and not only that… it is interacting with ALL the keys under HKLM\SOFTWARE.

                 

                Since we've upgraded endpoints from Windows XP to Windows 7 with a new set of GPOs, the problem has decreased, as has the number of events per week.

                 

                I hope this helps.
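The following is an added example (not code from the thread or from McAfee) that tests the hypothesis in the reply above against the AP log lines pasted in reply 2: it parses the lines, computes the gaps between successive blocks and checks whether every gap falls inside the Group Policy background refresh window (90 minutes plus a random 0 to 30 minute offset, the figures given in that reply). The whitespace-separated field layout of the pasted log lines and the refresh-window constants are assumptions taken from the thread; the regex and the tolerance are mine.

```python
"""Added example (not from the thread): correlate VSE Access Protection (AP)
log entries with the Group Policy background refresh cadence that the reply
above identifies as the trigger (90 minutes plus a random 0-30 minute offset)."""
import re
from datetime import datetime

# The four AP log lines pasted in reply 2, copied unchanged. The AP log pastes
# as whitespace-separated fields; that layout is assumed by LINE_RE below.
AP_LOG = r"""
16/10/2013 10:56:14 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
16/10/2013 12:27:07 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
16/10/2013 14:22:05 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
16/10/2013 16:02:24 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\windows\system32\services.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"Blocked by Access Protection rule\s+"
    r"(?P<user>.+?\\\S+)\s+"          # 'NT AUTHORITY\SYSTEM' contains a space
    r"(?P<process>\S+)\s+"            # source process path (no spaces here)
    r"(?P<target>\\REGISTRY\S+)\s+"   # registry object the rule protected
    r"(?P<rule>.+?)\s+"               # AP rule name
    r"Action blocked : (?P<action>\w+)\s*$"
)

# Values from the reply above (assumed): default workstation refresh cadence.
GPO_BASE_MIN = 90
GPO_JITTER_MIN = 30


def parse_ap_log(text):
    """Parse pasted AP log lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised AP log line: {line[:60]}")
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%m/%Y %H:%M:%S")
        events.append(d)
    return sorted(events, key=lambda e: e["ts"])


def intervals_minutes(events):
    """Gap in minutes between each event and the next."""
    return [(b["ts"] - a["ts"]).total_seconds() / 60
            for a, b in zip(events, events[1:])]


def fits_gpo_refresh(gaps, base=GPO_BASE_MIN, jitter=GPO_JITTER_MIN, slack=1.0):
    """True when every gap lies in [base, base + jitter], with `slack` minutes
    of tolerance for logging delay. A single short gap refutes the hypothesis."""
    lo, hi = base - slack, base + jitter + slack
    return all(lo <= g <= hi for g in gaps)


def classify(events, base=GPO_BASE_MIN, jitter=GPO_JITTER_MIN):
    gaps = intervals_minutes(events)
    if len(gaps) < 2:
        return "too few events to judge cadence"
    if fits_gpo_refresh(gaps, base, jitter):
        return "cadence consistent with GPO background refresh"
    return "cadence not consistent with GPO background refresh"


def summarize(events):
    """Count events per (process, target, action) for ePO query tuning."""
    counts = {}
    for e in events:
        key = (e["process"].lower(), e["target"], e["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    evs = parse_ap_log(AP_LOG)
    for gap in intervals_minutes(evs):
        print(f"gap: {gap:6.1f} min")
    print(classify(evs))
    for (proc, target, action), n in summarize(evs).items():
        print(f"{n} x {action} on {target} by {proc}")
```

A cadence match on one host is circumstantial, not proof: confirm it the way reply 5 does, by running `gpupdate /force` and watching for a 1092 event that follows immediately, and run Process Monitor with a filter on the AVEngine key to see which process opens the value that services.exe later tries to delete.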

                • 5. Re: Event ID 1092 - Services.exe
                  eleftheria

                  Hello,

                   

                  It seems that the workaround that eliminated the problem is to add 'services.exe' & 'McScript_InUse.exe' within 'Processes to exclude' at McAfee rule 'Access Protection Properties -> Common Standard Protection -> Prevent Modification of McAfee Scan Engine files and settings.'

                   

                  Note: we checked with the Process Monitor tracer which process was opening the registry key that services.exe later tried to delete, and it was 'McScript_InUse.exe'.

                   

                  Note: in our case too the trigger was Group Policy Update (which comes either via the ADIR or can be forced to happen locally with 'gpupdate /force'), but I cannot say which exact policy rule.

                   

                  Regards

                  eleftheria

                   

                  Message was edited by: eleftheria on 3/31/14 9:12:04 AM CDT
                  • 6. Re: Event ID 1092 - Services.exe
                    c8822131

                    Be careful with excluding that process, services.exe is used by a lot of processes. We were advised NOT to ignore it.

                    • 7. Re: Event ID 1092 - Services.exe
                      epository

                      Running into the same issues here.

                       

                      Basically, we can't exclude services.exe and svchost.exe, so these rules can never be put in "Block" mode.

                       

                      Looking for some advice, but... it's a pain... we just have to modify all our queries to prevent these from showing up.

                      • 8. Re: Event ID 1092 - Services.exe
                        llamamecomoquieras

                        Hi,

                         

                        Please open a case with McAfee support to show them that many people are facing this issue; then maybe you will get a fix/solution for it, which is better than unticking "report" or excluding the process. The issue needs to go to the developers, and the way to reach them is to report the issue to McAfee by opening a case.

                        Best regards

                        José María

                        • 9. Re: Event ID 1092 - Services.exe
                          ansarias

                          Hello,

                           

                          Could you please check the On-Access Scanner logs and see if there are any log entries relevant to this?
