3 Replies Latest reply on Oct 29, 2014 2:02 PM by wapatoo

    On restart ePO deny terminate HealthService.exe


      Running this in a test environment and have come across an issue. When we have a system power off/on/restart we have the access protection "Deny terminate" of "Common Standard Protection:Prevent termination of McAfee processes" with System Center Operations Manager




      This only happens on the client machines


      I don't know what would be causing this? Is SCOM asking to terminate McAfee?


      Any help would be great. Thanks in advance.



        • 1. Re: On restart ePO deny terminate HealthService.exe
          Peter M

          Moved to ePO for better handling. - Mod

          • 2. Re: On restart ePO deny terminate HealthService.exe

            I believe McAfee re-designed this access protection rule in VSE 8.8 so that it will only trigger if the process is explicitly seeking the right to terminate the process. However, I have run into the exact same issue with ccmexec.exe (SMS) in VSE 8.8 where I pretty much know that process is doing no such thing. Ultimately, it might not be the intent of the process, but the code sets the chain of events in motion causing a request to be made to acquire the terminate privilege explicitly, and then the McAfee access protection rule will inevitably trigger.

            From McAfee:

            A service running within SVCHost.exe or a third-party process is accessing and enumerating the running processes with a permission set that allows it to terminate processes, though it might not actually be attempting to terminate processes. Some third-party applications enumerate processes with the privilege to terminate processes. This can cause the rule to be triggered many times per minute, depending on the application.


            The easy solution is to just exclude 2007\HealthService.exe from the rule since you trust it.
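
Added example, not part of the reply above and not McAfee's code: a small Python model of the behaviour the McAfee note describes, showing why a handle request that merely includes the terminate right trips a "deny terminate" rule and what a per-process exclusion changes. The access-right values are the documented Windows process access rights; the rule logic, the protected process name and the event list are assumptions constructed for illustration.

```python
# Documented Windows process access rights (winnt.h values).
PROCESS_TERMINATE = 0x0001
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF  # Vista and later; includes PROCESS_TERMINATE

RIGHTS = {
    "PROCESS_TERMINATE": PROCESS_TERMINATE,
    "PROCESS_VM_READ": PROCESS_VM_READ,
    "PROCESS_QUERY_INFORMATION": PROCESS_QUERY_INFORMATION,
    "PROCESS_QUERY_LIMITED_INFORMATION": PROCESS_QUERY_LIMITED_INFORMATION,
}

def decode(mask):
    """Name the rights from RIGHTS that are present in a requested access mask."""
    return [name for name, bit in RIGHTS.items() if mask & bit]

def rule_triggers(requester, target, mask, protected, excluded):
    """Hypothetical model of the rule: it fires on the *requested* terminate
    right against a protected process, whether or not a kill ever follows."""
    return (target.lower() in protected
            and bool(mask & PROCESS_TERMINATE)
            and requester.lower() not in excluded)

def evaluate(events, protected, excluded=frozenset()):
    """Return the requesters whose handle requests the modelled rule would block."""
    return [req.lower() for req, tgt, mask in events
            if rule_triggers(req, tgt, mask, protected, excluded)]

# Constructed sample data: (requesting process, target process, requested access).
PROTECTED = {"mcshield.exe"}  # assumed stand-in for a protected McAfee process
EVENTS = [
    ("HealthService.exe", "mcshield.exe", PROCESS_ALL_ACCESS),  # enumeration with a broad mask
    ("ccmexec.exe", "mcshield.exe", PROCESS_QUERY_INFORMATION | PROCESS_TERMINATE),
    ("taskmgr.exe", "mcshield.exe", PROCESS_QUERY_LIMITED_INFORMATION),  # query-only: no hit
    ("HealthService.exe", "notepad.exe", PROCESS_ALL_ACCESS),  # target not protected
]

if __name__ == "__main__":
    for req, tgt, mask in EVENTS:
        print(f"{req:20} -> {tgt:14} {mask:#08x} {decode(mask)}")
    print("blocked, no exclusions:", evaluate(EVENTS, PROTECTED))
    print("blocked, HealthService.exe excluded:",
          evaluate(EVENTS, PROTECTED, excluded={"healthservice.exe"}))
```

The exclusion suppresses the event only for the named process; any other process requesting the terminate right against a protected process is still blocked and logged.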

            • 3. Re: On restart ePO deny terminate HealthService.exe

              Thank you for the fast reply. I went ahead and added an exclusion and will continue to monitor the test environment.