Recently, I have had a large number of machines start triggering Access Protection: Prevent Termination with the offending process LSM.EXE.
This process is part of the Windows OS. To be certain, I collected the LSM.exe file from two different machines that triggered AP and submitted them to VirusTotal. Both 100% clean. So I assume it is a false positive, but I want to figure out why it is something new and see if anyone else sees this or whether people have already added System32/LSM.exe to the ignored processes for prevent termination AP rule.
I have recently been upgrading machines to the 5600 engine, and the September MS patches would have recently gone on. Also, some of these machines may have recently updated from 8.8 RTM to 8.8 Patch 2.
Yes, I'm seeing this too. Seems like it is the updates, as it has only just started happening and have been running the latest patch and engine for some time. Hate it when you patch and it causes other issues. Will look to add in an exclusion for it.
Hi eobiont, I don't think it's a false positive.
What VirusScan sees is that LSM.EXE is trying to access VirusScan reserved memory or that it's trying to access McAfee processes with enough privileges to stop them (don't even need to try to stop them).
This sometimes happens, for example, with the Microsoft SCCM or SMS client (because of the process inventory) and if you know it's a safe process then you can exclude it.