There is a KnowledgeBase document about this which also names svchost.exe as the cause of those messages.
The offending source process is svchost.exe, which tells me absolutely nothing...
It tells you what you need to know.
svchost.exe (or a DLL that it has loaded) is enumerating our processes using an ACCESS_MASK that includes the TERMINATE privilege explicitly.
If we allowed that operation to succeed (such as when the AP rule was disabled), then svchost.exe could terminate our protected processes. Thus, we do not allow it when that AP rule is enabled, and it should _always_ be enabled.
svchost is a notorious strong-arm for malware, allowing malware to run with SYSTEM credentials. There isn't enough data here to know if it is malware or a legitimate application using svchost.
But you say that the real-time scanner is not starting. That is where your focus should be for now. I suggest engaging our Support team for assistance, indicating you may have malware disabling the product.
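The access-mask point in the reply above, as an added example that is not from the thread or from McAfee: the script below decodes a process access mask into the named rights from winnt.h, and contrasts the over-broad handle request an enumerator typically makes (PROCESS_ALL_ACCESS, which carries PROCESS_TERMINATE) with the least-privilege request that only reads name, path and times (PROCESS_QUERY_LIMITED_INFORMATION). The P/Invoke wrapper, the `Demo.Native` type name and the helper function names are this example's own; the constant values are the documented Win32 ones. It opens a handle to the current PowerShell process so it runs without elevation.

```powershell
# Added example (not from the thread): decode a process access mask and contrast a
# least-privilege OpenProcess call with the over-broad one an Access Protection rule
# of this kind objects to. Windows PowerShell 5.1 or PowerShell 7 on Windows.

Add-Type -Namespace Demo -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Process-specific and standard access rights from winnt.h.
$ProcessRights = [ordered]@{
    PROCESS_TERMINATE                 = 0x0001
    PROCESS_CREATE_THREAD             = 0x0002
    PROCESS_SET_SESSIONID             = 0x0004
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_DUP_HANDLE                = 0x0040
    PROCESS_CREATE_PROCESS            = 0x0080
    PROCESS_SET_QUOTA                 = 0x0100
    PROCESS_SET_INFORMATION           = 0x0200
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_SUSPEND_RESUME            = 0x0800
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
    DELETE                            = 0x00010000
    READ_CONTROL                      = 0x00020000
    WRITE_DAC                         = 0x00040000
    WRITE_OWNER                       = 0x00080000
    SYNCHRONIZE                       = 0x00100000
}
$PROCESS_ALL_ACCESS = 0x1FFFFF   # STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 0xFFFF (Vista and later)

function ConvertTo-ProcessRightNames {
    # Names every right set in the mask and says whether PROCESS_TERMINATE is among them.
    param([Parameter(Mandatory)][uint32]$AccessMask)
    $names = foreach ($kv in $ProcessRights.GetEnumerator()) {
        if (($AccessMask -band $kv.Value) -ne 0) { $kv.Key }
    }
    [pscustomobject]@{
        Mask              = ('0x{0:X8}' -f $AccessMask)
        Rights            = ($names -join ', ')
        RequestsTerminate = (($AccessMask -band $ProcessRights.PROCESS_TERMINATE) -ne 0)
    }
}

function Test-OpenProcess {
    # Reports whether OpenProcess succeeds for the mask; the handle is closed either way.
    param([Parameter(Mandatory)][uint32]$AccessMask, [uint32]$ProcessId = $PID)
    $h = [Demo.Native]::OpenProcess($AccessMask, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        return [pscustomobject]@{
            Mask = ('0x{0:X8}' -f $AccessMask); Opened = $false
            Win32Error = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        }
    }
    [void][Demo.Native]::CloseHandle($h)
    [pscustomobject]@{ Mask = ('0x{0:X8}' -f $AccessMask); Opened = $true; Win32Error = 0 }
}

# What a sloppy enumerator asks for: everything, PROCESS_TERMINATE included.
ConvertTo-ProcessRightNames -AccessMask $PROCESS_ALL_ACCESS

# What an enumerator that only needs name, path and times should ask for.
ConvertTo-ProcessRightNames -AccessMask $ProcessRights.PROCESS_QUERY_LIMITED_INFORMATION

# Against a protected process the first request is what the rule blocks; the second is
# harmless. Opened against our own process here so the demonstration runs anywhere.
Test-OpenProcess -AccessMask $PROCESS_ALL_ACCESS
Test-OpenProcess -AccessMask $ProcessRights.PROCESS_QUERY_LIMITED_INFORMATION
```

If a product log gives you the raw access mask of a blocked request, feeding it to `ConvertTo-ProcessRightNames` tells you at a glance whether the caller genuinely asked for the terminate right or merely for something broad that happened to include it; either way the fix on the requesting side is to ask only for what the enumeration needs.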
Thank you! I read the KB too (which I am not sure applies, since we are running VSE 8.8). That KB described what you also did (the terminate privilege).
So is McAfee able to remove that TERMINATE privilege? Or are you simply reporting that because a DLL has enumerated in such a way that it in practice could stop the services, and therefore it will be reported as if it has? I would agree with this strategy from McAfee (one reason I really like this product).
Is there any way to determine which DLL is doing this?
It is a bit more concerning that one of the McAfee services is actually stopped and unable to be started. These are fairly new systems though, with clean scans...
We can stop the process from obtaining that privilege.
We cannot stop the process from exercising that privilege once obtained. This is why the rule triggers on many legitimate applications too, well, legitimate but poorly programmed. As stated earlier, the rule triggers because the requesting process has explicitly said "I want to be able to terminate this process", and that's not OK.
There isn't a programmatic way for us to identify the DLL. But you can use Process Explorer to see what DLLs are loaded in the process and cast suspicion upon any non-Microsoft DLLs found.
Indeed, the McAfee service not starting is of greater concern. And because the possible causes behind it are many, I suggest tackling it with a Support person.
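The manual Process Explorer triage suggested in the reply above, scripted, as an added example that is not from the thread or from McAfee: for every svchost.exe the function lists the services it hosts (so a noisy instance can be tied to a service), walks its loaded modules, and flags any DLL that sits outside %windir% or is not validly Authenticode-signed by Microsoft. The function name `Get-SvchostModuleReport` and the `Suspect` heuristic are this example's own; it uses only the standard cmdlets `Get-Process`, `Get-CimInstance` and `Get-AuthenticodeSignature`.

```powershell
# Added example (not from the thread): for each svchost.exe, show the services it hosts and
# flag loaded DLLs that are outside the Windows directory or not validly Microsoft-signed.
# Run from an elevated 64-bit PowerShell: module lists of SYSTEM processes need admin rights,
# and a 32-bit host cannot read the modules of 64-bit processes.

function Get-SvchostModuleReport {
    param([string]$ProcessName = 'svchost')

    $windir   = $env:windir.TrimEnd('\')
    $sigCache = @{}   # path -> signature result, so each DLL on disk is checked once

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Services hosted by this particular svchost instance (what "tasklist /svc" shows).
        $services = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" |
                    Select-Object -ExpandProperty Name

        try { $modules = $proc.Modules }
        catch {
            Write-Warning "PID $($proc.Id): cannot read modules ($($_.Exception.Message))"
            continue
        }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $sigCache.ContainsKey($path)) {
                $sigCache[$path] = Get-AuthenticodeSignature -FilePath $path
            }
            $sig    = $sigCache[$path]
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

            $inWindir = $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
            $msSigned = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

            [pscustomobject]@{
                PID       = $proc.Id
                Services  = ($services -join ',')
                Module    = $m.ModuleName
                Path      = $path
                Signature = $sig.Status
                Signer    = $signer
                # Heuristic: anything not both under %windir% and validly Microsoft-signed.
                Suspect   = -not ($inWindir -and $msSigned)
            }
        }
    }
}

# Start with the DLLs that fail either check; the full report is the unfiltered output.
Get-SvchostModuleReport | Where-Object Suspect |
    Sort-Object PID, Module | Format-Table PID, Services, Module, Path, Signature -AutoSize
```

Treat the flagged rows as leads, not verdicts: on some Windows versions catalog-signed system files report `NotSigned` to `Get-AuthenticodeSignature`, and malware running as an administrator can drop a DLL into System32, which is why the path and signature checks are kept separate and both are shown. Anything third-party in a svchost that hosts the services generating the alerts is the first thing to look at.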
Thanks! I'll open a ticket and post back if it's anything helpful (regarding real-time not starting or crashing on some systems).
So it must not be real-time that is catching this DLL behavior, because I get these alerts on the systems that have a crashed real-time service. It must be the VirusScan engine, because this is a piece of Access Protection. I am wondering what real-time is doing then...?
The alert is coming from Access Protection, which functions independently of the real-time scanner (it didn't used to in the past, so maybe that is confusing to some folk).
The VirusScan engine is used by the real-time scanner.