6 Replies Latest reply on Jan 13, 2015 11:51 AM by wwarren

    svchost.exe attempting to stop McAfee services....?

    jlockie

      I just enabled alerts for access protection.  Now I am seeing floods of "Common Standard Protection: Prevent termination of McAfee processes" notices for a handful of machines (mix of OS from Windows 7 to Server 2012 R2).


      The offending source process is svchost.exe which tells me absolutely nothing.....


      Does anyone have experience with this error?  It seems to me that the services are still running, except real-time.  Real-time service will not start on any of these machines, so maybe I have the cart in front of the horse.  Maybe the issue is that the real-time client install is corrupted or not working, and therefore sputters and then causes an alert.....?

        • 1. Re: svchost.exe attempting to stop McAfee services....?
          Hayton

          Moved to Business > Endpoint Security > VirusScan Enterprise


          There is a KnowledgeBase document about this which also names svchost.exe as the cause of those messages

          https://kc.mcafee.com/corporate/index?page=content&id=KB53876

          • 2. Re: svchost.exe attempting to stop McAfee services....?
            wwarren

            The offending source process is svchost.exe which tells me absolutely nothing.....

            It tells you what you need to know.

            SVChost.exe (or a DLL that it has loaded) is enumerating our processes using an ACCESS_MASK that includes the TERMINATE privilege explicitly.

            If we allowed that operation to succeed (such as when the AP rule was disabled) then SVCHost.exe could terminate our protected processes - thus, we do not allow it when that AP rule is enabled, and it should _always_ be enabled.


            SVCHost is a notorious strong-arm for malware, allowing malware to run with SYSTEM credentials. There isn't enough data here to know if it is malware or a legitimate application using SVCHost.

            But you say that the real-time scanner is not starting.  That is where your focus should be for now.  I suggest engaging our Support team for assistance, indicating you may have malware disabling the product.

            • 3. Re: svchost.exe attempting to stop McAfee services....?
              jlockie

              Thank you!  I read the KB too (which I am not sure applies since we are running VSE 8.8).  That KB described what you also did (the terminate privilege).


              So is McAfee able to remove that TERMINATE privilege?  Or are you simply reporting that because a DLL has enumerated in such a way that it in practice could stop the services, and therefore will be reported as if it has?  I would agree with this strategy from McAfee (one reason I really like this product).


              Is there any way to determine which DLL is doing this?


              It is a bit more concerning that one of the McAfee services is actually stopped and unable to be started.  These are fairly new systems though, with clean scans.....

              • 4. Re: svchost.exe attempting to stop McAfee services....?
                wwarren

                We can stop the process from obtaining that privilege.

                We cannot stop the process from exercising that privilege once obtained. This is why the rule triggers on many legitimate applications too, well, legitimate but poorly programmed. As stated earlier, the rule triggers because the requesting process has explicitly said "I want to be able to terminate this process", and that's not OK.


                There isn't a programmatic way for us to identify the DLL. But you can use Process Explorer to see what DLLs are loaded in the process and cast suspicion upon any non-Microsoft DLLs found.


                Indeed the McAfee service not starting is of greater concern. And because the possible causes behind it are many, I suggest tackling it with a Support person.
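The Process Explorer step from the reply above, done in PowerShell as an added example (not code from the thread or from McAfee): enumerate the DLLs loaded into every svchost.exe instance and flag those that are not Microsoft-signed. It assumes an elevated 64-bit PowerShell session on the affected host; the variable and property names are the example's own.

```powershell
# Added example: list modules loaded into each svchost.exe and flag non-Microsoft ones.
# Requires an elevated 64-bit session; service hosts run as SYSTEM and a 32-bit
# PowerShell cannot read 64-bit process modules.
$results = foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning "PID $($proc.Id): cannot enumerate modules ($($_.Exception.Message))"
        continue
    }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
        [pscustomobject]@{
            PID       = $proc.Id
            Module    = $m.ModuleName
            Path      = $m.FileName
            Company   = $m.FileVersionInfo.CompanyName
            SigStatus = if ($sig) { $sig.Status } else { 'Unknown' }
            Signer    = $signer
        }
    }
}

# Anything not attributable to Microsoft is the set to "cast suspicion upon".
# Caveat: on Windows 7 many Microsoft DLLs are catalog-signed and show as NotSigned
# here, so treat CompanyName as a secondary hint rather than discarding them outright.
$suspect = $results |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'Microsoft' } |
    Sort-Object -Property Path -Unique

$suspect | Format-Table PID, Module, Company, SigStatus, Path -AutoSize
```

Repeat the listing on a known-clean machine of the same OS build and compare the two sets; a DLL present only on the alerting hosts is the one to hand to Support along with the Access Protection events.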

                • 5. Re: svchost.exe attempting to stop McAfee services....?
                  jlockie

                  Thanks!  I'll open a ticket and post back if it's anything helpful (regarding real-time not starting or crashing on some systems).


                  So it must not be real-time that is catching this DLL behavior, because I get these alerts on the systems that have a crashed real-time service.  It must be the VirusScan engine because this is a piece of access protection.  I am wondering what real-time is doing then.....?

                  • 6. Re: svchost.exe attempting to stop McAfee services....?
                    wwarren

                    The alert is coming from Access Protection, which functions independently of the real-time scanner (it didn't used to in the past, so maybe that is confusing to some folk).

                    The VirusScan engine is used by the real-time scanner.