4 Replies Latest reply on Aug 6, 2013 2:06 PM by dmease729

    What protects the mfevtp service?

    dmease729

      Hi,

       

      I have a group of other techies I am working with who have a requirement to amend the system ACLs on services running on internal servers.  We are running VSE8.8 and HIPS8.0.  With VSE Access Protection disabled and both HIPS IPS and Firewall services disabled (although note that we get the same result with HIPS IPS enabled), we can successfully change the SACLs on the following services:

       

      mctaskmanager
      mcshield
      mcafeeframework
      enterceptagent

       

      We get access denied errors when attempting to change the SACLs for the following, however:

       

      mfevtp
      mfefire

       

      I am posting to the VSE forums as they seem to be the most likely place for this question - what is protecting mfevtp?  When access protection is disabled in VSE, I note that in services.msc, when right-clicking the mfevtp (McAfee Validation Trust Protection) service, the options to start and stop are greyed out, and these options become available for the other services when access protection is disabled.  Same actually goes for mfefire (McAfee Firewall Core Service).  Obviously this may not be directly linked to the SACL change; however, it looks like something else is protecting these services, so I am guessing it is related?

       

      Any help with this greatly appreciated!

       

      cheers,

        • 1. Re: What protects the mfevtp service?
          wwarren

          Yes, there is an additional protection mechanism in place to prevent folks (and malware, since there's no way to distinguish the two) from messing with the ACLs.

          • 2. Re: What protects the mfevtp service?
            dmease729

            Thanks for confirming WWarren - are you aware of whether this applies to mfefire as well as mfevtp?  If it applies to mfefire, is there any reason it doesn't also apply to enterceptagent?  And lastly, is there any way around this if a business requirement dictates the need (either with or without further McAfee assistance and an NDA! :-D)

            • 3. Re: What protects the mfevtp service?
              wwarren

              I'm not aware of it extending to mfefire, but, someone from HIP team could confirm (I'm guessing there's a HIP forum). It would be perfectly reasonable to assume it benefits from the same protection.

              In the same air of the question regarding enterceptAgent, why not also VirusScan's other processes like McShield and even the McAfee Agent... well, I assume because we wanted to protect with extra security only those components we feel are most critical - the others are already protected sufficiently to thwart malicious intent.

               

              Yes, there is a way around it. It's not something that has been asked before so I would suggest working with an Account Manager to make the business requirement known and see what folks need on our side to consider allowing it.

              • 4. Re: What protects the mfevtp service?
                dmease729

                Cheers Wwarren,

                 

                Speed of responses appreciated!  I will start a new discussion in the HIPS forum for mfefire.  I thought that would be the answer regarding the way around it - I will communicate to the account :-)

                 

                Thanks once again,