22 Replies Latest reply on Aug 6, 2015 4:29 AM by bretzeli

    DAT Reputation Message

    charleslatty

      Hi,

       

      Can anyone help me with this message?

       

      I have a customer who is getting the following error after he installed the DAT Reputation extension in ePO:

       

      Threat Name: McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings

      Threat Category: 'File' class or access

      Target File Name: C:\Program Files\Common Files\McAfee\DATReputation\mcdatrep.exe

       

      Can anyone tell me what this means and how to resolve it please?

       

      Many thanks

       

      Charles Latty

        • 1. Re: DAT Reputation Message
          tomz2

          (Mods - Please move to ePO or VSE)

           

          Hi Charles,

           

          This is not a threat. What you are seeing is the McAfee DAT Reputation Access Protection rule firing. I believe this is a known issue and does not impact functionality of the product. Someone from the product team may see this and be able to provide additional detail.

          • 2. Re: DAT Reputation Message
            catdaddy

            Moved to ePolicy Orchestrator > ( ePO)  > Discussions as asked for better assistance.

            If needed to be moved elsewhere, please apprise.

             

            By Moderator

            Cliff

            • 3. Re: DAT Reputation Message
              charleslatty

              Hi,

               

              Thank you very much for your prompt reply

              • 4. Re: DAT Reputation Message
                wwarren

                I concur with tomz2, it's probably benign.

                 

                However, if you could provide more details of the event it'll be good to know if you're seeing McDATRep.exe being blocked by a VSE access protection rule, or if it's a DAT Reputation rule that was added to VSE which is now firing.

                If the former, you can avoid the noise (assuming it's creating noise) by adding McDATRep.exe as an excluded process for the applicable rule.

                If the latter, you cannot avoid the noise except to turn off Access Protection - which isn't a good idea. So for that scenario you'd reach out to Support to see if the DAT Reputation rule can be tweaked.

                • 5. Re: DAT Reputation Message
                  catdaddy

                  @wwarren,

                  I had initially moved this thread to (VSE). If it needs to be moved back, please apprise.

                   

                  All the Best

                  Catdaddy

                  McAfee Volunteer Moderator

                  (Consumer Products)

                  • 6. Re: DAT Reputation Message
                    charleslatty

                    Hi,

                     

                    Can you please tell me how I can exclude McDATRep.exe as an excluded process please?

                     

                    Many thanks

                    • 7. Re: DAT Reputation Message
                      binny

                      Hi charleslatty,

                       

                      This looks like the same thing I started getting a couple of days ago.

                      I didn't even know what DAT reputation was until I started getting threat events like this coming from our clients: "McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings". After working out what DAT reputation was, I installed the ePO extension and changed the settings to disable DAT reputation to try and stop all the notifications. Then I got even more, over 1000 yesterday. It's like it is blocking the ePO from making any changes.

                       

                      Other Info -

                      ePO - 5.1.1

                      VSE - 8.8.0.1385 - Updated about 2 weeks ago

                      Agent - 4.8.0.1938 - Ditto

                       

                      Event

                      Threat Source Process Name: C:\WINDOWS\CCM\CCMEXEC.EXE

                      Threat Target File Path: C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\DATREPUTATION\MCDATREP.EXE

                       

                      Event ID:1092
                      Threat Severity:Notice
                      Threat Name:McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings
                      Threat Type:access protection
                      Action Taken:deny terminate
                      Threat Handled:true
                      Analyzer Detection Method:OAS

                       

                      Also, I am having trouble deploying SAE too. It only partially installs and fails on some machines. At the same time I get a couple of the above DAT reputation events. I don't know why it would be related at all tbh, but it seems to be.

                      I have looked through the Access Protection policies and cannot find a policy that matches this anywhere so I am a bit stumped.

                      Any advice from this forum would be appreciated.

                      • 8. Re: DAT Reputation Message
                        wwarren

                        The event is occurring for 3 reasons which together allow this event.

                         

                        1. This application's behavior: C:\WINDOWS\CCM\CCMEXEC.EXE

                        It enumerates running processes, and does so with an inappropriate AccessMask (it includes the process_terminate privilege, which it has no business obtaining).

                        But because it does, and because of #2 & #3, that event occurs.

                         

                        2. DAT Reputation installed an Access Protection rule file, to expand VSE's set of access protection rules to enforce.

                         

                        3. DAT Reputation defined in their Access Protection rule file, to protect their own process from (you guessed it...) Termination.

                         

                        The only thing you can do at this point, from a VirusScan perspective, is disable Access Protection until such time as the DAT Reputation team modifies the AP rule file that's being added to VSE (to either exclude CCMEXEC or to not create events, or to expose the rule in the User Interface to allow customers to add exclusions themselves).

                        I'm pretty sure the current plan is to eliminate the events as a short-term option.
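
The access-mask point in reply 8, worked through as an added example (not part of the thread and not McAfee code): a self-protection rule that matches on the requested rights fires when a process handle is opened with the terminate right, even if the caller only lists processes. The rights are the documented Windows process access rights; the rule model, the query-only baseline and the sample masks are assumptions made for illustration.

```python
# Documented Windows process access rights (winnt.h). The rule model below is
# a simplification assumed for illustration, not McAfee's rule engine.
RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0004: "PROCESS_SET_SESSIONID", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE", 0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00010000: "DELETE", 0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC", 0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
PROCESS_TERMINATE = 0x0001
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF  # value on Windows Vista and later


def decode_mask(mask):
    """Return the names of the rights set in a requested access mask."""
    names = [name for bit, name in sorted(RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(RIGHTS)  # bits not named in the table above
    return names + ([f"UNKNOWN_0x{unknown:X}"] if unknown else [])


def trips_termination_rule(mask):
    """Assumed rule model: deny any open that asks for PROCESS_TERMINATE."""
    return bool(mask & PROCESS_TERMINATE)


def excess_rights(mask, needed=PROCESS_QUERY_LIMITED_INFORMATION):
    """Rights requested beyond an assumed query-only baseline."""
    return decode_mask(mask & ~needed)


# Constructed open requests against the protected process; the thread gives
# no actual mask values, only that the requested mask included terminate.
SAMPLES = {
    "enumerator asking for everything": PROCESS_ALL_ACCESS,
    "enumerator asking for query only": PROCESS_QUERY_LIMITED_INFORMATION,
    "query + terminate": 0x0401,
}


def triage(samples=SAMPLES):
    """Map each sample request to the verdict the assumed rule would give."""
    return {name: ("deny + event" if trips_termination_rule(mask) else "allow")
            for name, mask in samples.items()}
```

Calling `triage()` shows that only the query-only request passes without an event, which is why the options listed in reply 8 are on the rule side (exclusion, event suppression) unless the calling application changes the mask it asks for.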

                        • 9. Re: DAT Reputation Message
                          charleslatty

                          Hi,

                           

                          Thank you very much for the reply, it was very helpful.
