(Mods - Please move to ePO or VSE)
This is not a threat. What you are seeing is the McAfee DAT Reputation Access Protection rule firing. I believe this is a known issue and does not impact functionality of the product. Someone from the product team may see this and be able to provide additional detail.
Moved to ePolicy Orchestrator > (ePO) > Discussions as asked for better assistance.
If needed to be moved elsewhere, please apprise.
Thank you very much for your prompt reply.
I concur with tomz2, it's probably benign.
However, if you could provide more details of the event it'll be good to know if you're seeing McDATRep.exe being blocked by a VSE access protection rule, or if it's a DAT Reputation rule that was added to VSE which is now firing.
If the former, you can avoid the noise (assuming it's creating noise) by adding McDATRep.exe as an excluded process for the applicable rule.
If the latter, you cannot avoid the noise except to turn off Access Protection - which isn't a good idea. So for that scenario you'd reach out to Support to see if the DAT Reputation rule can be tweaked.
I had initially moved this thread to (VSE). If it needs to be moved back, please apprise.
All the Best
McAfee Volunteer Moderator
Can you please tell me how I can exclude McDATRep.exe as an excluded process please?
This looks like the same thing I started getting a couple of days ago.
I didn't even know what DAT reputation was until I started getting threat events like this coming from our clients: "McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings". After working out what DAT reputation was, I installed the ePO extension and changed the settings to disable DAT reputation to try and stop all the notifications. Then I got even more, over 1000 yesterday. It's like it is blocking the ePO from making any changes.
Other Info -
ePO - 5.1.1
VSE - 22.214.171.1245 - Updated about 2 weeks ago
Agent - 126.96.36.1998 - Ditto
Threat Source Process Name: C:\WINDOWS\CCM\CCMEXEC.EXE
Threat Target File Path: C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\DATREPUTATION\MCDATREP.EXE
Event ID: 1092
Threat Severity: Notice
Threat Name: McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings
Threat Type: access protection
Action Taken: deny terminate
Threat Handled: true
Analyzer Detection Method: OAS
Also, I am having trouble deploying SAE too. It only partially installs and fails on some machines. At the same time I get a couple of the above DAT reputation events. I don't know why it would be related at all tbh, but it seems to be.
I have looked through the Access Protection policies and cannot find a policy that matches this anywhere so I am a bit stumped.
Any advice from this forum would be appreciated.
The event is occurring for 3 reasons which together allow this event.
1. This application's behavior: C:\WINDOWS\CCM\CCMEXEC.EXE
It enumerates running processes, and does so with an inappropriate AccessMask (it includes the process_terminate privilege, which it has no business obtaining).
But because it does, and because of #2 & #3, that event occurs.
2. DAT Reputation installed an Access Protection rule file, to expand VSE's set of access protection rules to enforce.
3. DAT Reputation defined, in their Access Protection rule file, a rule to protect their own process from (you guessed it...) termination.
The only thing you can do at this point from a VirusScan perspective, is disable Access Protection until such time the DAT Reputation team modify the AP rule file that's being added to VSE (to either exclude CCMEXEC or to not create events, or to expose the rule in the User Interface to allow customers to add exclusions themselves).
I'm pretty sure the current plan is to eliminate the events as a short-term option.
Thank you very much for the reply, it was very helpful.
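
The event pattern explained in the thread (the DAT Reputation access protection rule denying terminate access to McDATRep.exe), as an added triage example that is not from the original posts or from McAfee: it parses events in the field layout quoted above, including fields run together on one line, and counts matching events per source process. The blank-line-separated export layout and the second and third sample events are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field labels as they appear in the event text quoted in the thread.
FIELDS = ["Threat Source Process Name", "Threat Target File Path", "Event ID",
          "Threat Severity", "Threat Name", "Threat Type", "Action Taken",
          "Threat Handled", "Analyzer Detection Method"]
_LABEL = "|".join(re.escape(f) for f in FIELDS)
# A value runs until the next known label or the end of the event text.
_PAIR = re.compile(rf"({_LABEL}):\s*(.*?)\s*(?=(?:{_LABEL}):|\Z)", re.S)

def parse_event(text):
    """Parse one event whether its fields are one per line or run together."""
    return dict(_PAIR.findall(text))

def is_datrep_terminate_denial(ev):
    """Match the DAT Reputation rule denying terminate access to McDATRep.exe."""
    return (ev.get("Threat Name", "").startswith("McAfee DAT Reputation:")
            and "terminate" in ev.get("Action Taken", "").lower()
            and ev.get("Threat Target File Path", "").upper().endswith("\\MCDATREP.EXE"))

def summarize(export):
    """Return (count of matching events per source process, unmatched events)."""
    matched, unmatched = Counter(), []
    for block in filter(None, (b.strip() for b in export.split("\n\n"))):
        ev = parse_event(block)
        if is_datrep_terminate_denial(ev):
            matched[ev.get("Threat Source Process Name", "?").upper()] += 1
        else:
            unmatched.append(ev)
    return matched, unmatched

# Constructed sample: the thread's event, a one-field-per-line variant, a made-up rule.
SAMPLE = r"""Threat Source Process Name: C:\WINDOWS\CCM\CCMEXEC.EXE
Threat Target File Path: C:\PROGRAM FILES (X86)\COMMON FILES\MCAFEE\DATREPUTATION\MCDATREP.EXE
Event ID: 1092 Threat Severity: Notice Threat Name: McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings Threat Type: access protection Action Taken: deny terminate Threat Handled: true Analyzer Detection Method: OAS

Threat Source Process Name: C:\Windows\CCM\CcmExec.exe
Threat Target File Path: C:\Program Files (x86)\Common Files\McAfee\DATReputation\McDATRep.exe
Threat Name: McAfee DAT Reputation:Prevent modification of McAfee DAT Reputation files and settings
Action Taken: deny terminate

Threat Source Process Name: C:\EXAMPLE\CONSTRUCTED.EXE
Threat Name: Example rule (constructed)
Action Taken: deny write"""

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Events left in the unmatched list do not fit the pattern described in the thread and should be reviewed on their own rather than treated as the same noise.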