2 Replies Latest reply on Mar 10, 2014 10:07 AM by epository

    mfeann.exe and Registry violations - Infection or Misconfiguration?

    epository

      All,

       

      I have a few computers generating about 100k 1092 events daily.

       

      The threat source is mfeann.exe... below is the output.

       

      99% of these events are occurring on a very small number of computers...however, it appears to be coming from mfeann.exe, which is a legit McAfee process.

       

      Is this an infection or is this a misconfiguration?

       

      Below is my Pivot Table export (rule > process > registry target, with event counts):

      Common Standard Protection:Prevent modification of McAfee files and settings                                  92710
        C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe                                               92710
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection                                               11
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\OASState                                      11
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\Alert Client\VSE                           14122
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesCleaned  13094
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesDeleted  13097
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesInfected 13094
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesMoved    13097
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned  13092
          \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned   13092
        • 1. Re: mfeann.exe and Registry violations - Infection or Misconfiguration?
          epository

          A little more info from the On Access log... so, is McAfee triggering on itself? And why?

           

          3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\szLastScanned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

          3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesScanned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

          3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesInfected    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

          3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesCleaned    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

          3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesDeleted    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

          3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\dwFilesMoved    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Create

          3/10/2014    8:34:11 AM    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\Alert Client\VSE    Common Standard Protection:Prevent modification of McAfee files and settings    Action blocked : Write
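The pivot the poster built by hand can be done directly over the tab-separated OnAccessScanLog lines quoted above. This is an added example, not code from the thread or from McAfee; it assumes the eight fields appear in the order date, time, event, user, process, target, rule, action, and the `updater.exe` record is a constructed sample standing in for any process outside the McAfee directory that hits the same self-protection rule.

```python
from collections import Counter

FIELDS = ("date", "time", "event", "user", "process", "target", "rule", "action")
MCAFEE_DIR = r"C:\Program Files (x86)\McAfee\VirusScan Enterprise"
MCSHIELD = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield"
RULE = "Common Standard Protection:Prevent modification of McAfee files and settings"


def _line(process, target, action):
    """One constructed OnAccessScanLog record, tab-separated like the thread's paste."""
    return "\t".join(["3/10/2014", "8:34:11 AM", "Blocked by Access Protection rule",
                      r"NT AUTHORITY\SYSTEM", process, target, RULE, action])


# Constructed sample log: three records mirroring the thread, plus one from a
# process outside the McAfee directory (assumption: not from the original post).
SAMPLE_LOG = "\n".join([
    _line(MCAFEE_DIR + r"\mfeann.exe", MCSHIELD + r"\szLastScanned", "Action blocked : Create"),
    _line(MCAFEE_DIR + r"\mfeann.exe", MCSHIELD + r"\dwFilesScanned", "Action blocked : Create"),
    _line(MCAFEE_DIR + r"\mfeann.exe", MCSHIELD + r"\dwFilesInfected", "Action blocked : Create"),
    _line(r"C:\Users\alice\AppData\Local\Temp\updater.exe",
          r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\DesktopProtection\OASState",
          "Action blocked : Write"),
])


def parse_oas_log(text):
    """Parse tab-separated OnAccessScanLog lines into dicts keyed by FIELDS."""
    events = []
    for raw in text.splitlines():
        parts = raw.rstrip("\r").split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip blank or truncated lines instead of mis-assigning columns
        events.append(dict(zip(FIELDS, parts)))
    return events


def pivot(events, *keys):
    """Count events by the named fields, reproducing the poster's pivot table."""
    return Counter(tuple(e[k] for k in keys) for e in events)


def triage(events, expected_processes):
    """Split noise from a process that should be on the rule's exclusion list
    (the thread's finding) from hits by any other process, which merit a look."""
    expected = {p.lower() for p in expected_processes}
    suspicious = [e for e in events if e["process"].lower() not in expected]
    return {"noise": len(events) - len(suspicious), "suspicious": suspicious}
```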

          • 2. Re: mfeann.exe and Registry violations - Infection or Misconfiguration?
            epository

            OK, I figured this out.

             

            I looked at the McAfee Default Access Protection policy for VSE 8.8 and then compared it to the policy being applied.

             

            Someone built new policies but removed mfeann.exe from the "Processes to Exclude:" list.

             

            Anyhow, this exclusion wipes out about 100k extraneous events per day that should never have been generated.

             

            Now I gotta wait for it to propagate out...