6 Replies Latest reply on Jul 27, 2015 4:21 AM by finkemch

    VirusScan Enterprise 8.8 Patch 4 is blocking McAfee's own mcdatrep.exe

    george.perkins

      Why is VSE blocking McAfee's own components?

      AccessProtectionLog.txt

      Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Program Files\Common Files\McAfee\DATReputation\mcdatrep.exe \REGISTRY\MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write

      This looks like a match in KB73080, but my question is, why should I have to manually exclude McAfee's own programs? Shouldn't that be done by McAfee automatically? (link: McAfee KnowledgeBase - How to resolve issues caused by Access Protection rules and Behavior Blocking)

      Thanks.

        • 1. Re: VirusScan Enterprise 8.8 Patch 4 is blocking McAfee's own mcdatrep.exe
          exbrit

          Moved to VSE for a faster response.

          ---

          Peter

          Moderator

          • 2. Re: VirusScan Enterprise 8.8 Patch 4 is blocking McAfee's own mcdatrep.exe
            wwarren
            why should I have to manually exclude McAfee's own programs? Shouldn't that be done by McAfee automatically?

            It can be done by us automatically, and sometimes it is. It doesn't mean it'll always be done by us.

            It is preferable to be done by us, in my opinion, but if we omit doing so the facility exists in the product to allow you to do it instead.

            It would be nice for some consistency or ground rules to be established for when we release content changes, but therein is an internal procedural weakness your innocent question is crashing into. Discussions have been had, guidelines have been laid; it remains to be seen whether we'll see something like this again in future or not, to test the solidarity of our procedural improvements.

            • 3. Re: VirusScan Enterprise 8.8 Patch 4 is blocking McAfee's own mcdatrep.exe
              george.perkins

              Thanks wwarren! So the question is... are any McAfee components bothered by the registry write block to "HKLM\MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration"? (It may be simply opened for read/write, but only read, so no consequences?)

              I'm also bothered by some other block actions that show up in our logs, although apparently with no adverse effects...? I am testing adding C:\Windows\system32\svchost.exe to the exception policy. But because svchost.exe is an essential Windows component, it too (I would imagine) should "automatically" not be blocked by VSE. Don't you think? This particular svchost.exe seems to attempt to run once per day or so. (I have no idea what svchost minion within Microsoft Windows Server 2012 R2 is not running to completion as a result.)

              7/21/2015 8:30:40 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

              7/21/2015 8:30:40 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

              7/21/2015 8:30:40 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Windows\system32\mfevtps.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

              7/21/2015 8:30:40 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

              7/21/2015 8:30:40 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

              7/21/2015 8:30:40 AM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

              • 4. Re: VirusScan Enterprise 8.8 Patch 4 is blocking McAfee's own mcdatrep.exe
                wwarren

                I would expect that in almost all cases the interaction is benign.

                There have been instances in the past where "blocking our own stuff" wasn't benign, and it was very apparent to any/all who encountered it. Point being, if it weren't benign you'd surely know it.

                In the example of McDATRep.exe touching HKLM\MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration, the outcome will be benign.

                The process is, as best I can infer (since I'm not intimately familiar with McDATRep.exe behavior/purposes), wanting to tell our scanner process to reload its configuration. A registry value exists in that key where, if modified, the scanner knows to reload settings.

                Regarding SVCHost as an excluded process to AP rules, explore that with caution. SVChost is a Windows service that is easily compromised by malware, and once running within SVCHost our Access Protection rules won't stop that malware when SVCHost is excluded from the rule - you'd be dependent on DAT signatures instead for stopping that malware. And, funny thing, many of our default AP rules _already exclude_ SVCHost! We are actually wanting to change that, such that we'd remove it from our default exclusions and turn the responsibility back over to those who need it excluded to add it - because it'll be a small subset of customers who might need the exclusion, whereas the added security from removing the SVCHost exclusion will be worth it for everyone else.

                In your example log, the entries for SVCHost touching our processes suggest that there is a 3rd party loaded into SVCHost, and it's enumerating the running processes... and doing so with an AccessMask that includes the TERMINATE privilege (it would be nice if developers would perform tasks with only the privileges they need). Instead of excluding SVCHost, I would endeavor to identify what DLL is being loaded by SVCHost that is performing that task. Then ask the vendor to modify their AccessMask for that routine, if possible.
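The triage wwarren describes above (separate a McAfee component tripping its own rule from a third-party DLL in svchost opening McAfee processes with TERMINATE rights) can be scripted over AccessProtectionLog.txt. The following is an added example, not McAfee's code or anything from this thread's posters; it assumes the on-disk log is tab-delimited in the field order visible in the entries above (the forum rendering collapsed the tabs to spaces), and the sample records it carries are constructed from those entries. The "mc*/mfe*" name heuristic and the `svchost.exe` host list are assumptions for illustration.

```python
"""Triage helper for VirusScan Enterprise 8.8 AccessProtectionLog.txt entries.

Added example, not McAfee's code.  Assumes the on-disk log is tab-delimited:
  <timestamp> TAB Blocked by Access Protection rule TAB <user> TAB <source process>
  TAB <target file/key/process> TAB <category:rule> TAB Action blocked : <action>
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

BLOCK_MARKER = "Blocked by Access Protection rule"
ACTION_RE = re.compile(r"Action blocked\s*:\s*(\w+)")
# Generic Windows host processes that load third-party DLLs; only svchost.exe appears in the thread.
SHARED_HOSTS = {"svchost.exe"}


@dataclass
class ApEvent:
    timestamp: str
    user: str
    source: str  # process that was blocked
    target: str  # file, registry key or process it tried to touch
    rule: str    # "Category:Rule name"
    action: str  # Write, Terminate, ...


def parse_line(line: str) -> Optional[ApEvent]:
    """Parse one log entry; return None for anything that is not a block record."""
    parts = [p.strip() for p in line.rstrip("\r\n").split("\t")]
    if len(parts) == 6 and parts[0] == BLOCK_MARKER:
        parts.insert(0, "")  # tolerate an entry pasted without its timestamp
    if len(parts) != 7 or parts[1] != BLOCK_MARKER:
        return None
    timestamp, _, user, source, target, rule, action_field = parts
    m = ACTION_RE.fullmatch(action_field)
    if m is None:
        return None
    return ApEvent(timestamp, user, source, target, rule, m.group(1))


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_mcafee_component(path: str) -> bool:
    # Assumed heuristic: McAfee install directories, or the mc*/mfe* binary prefixes seen in the thread.
    return "\\mcafee\\" in path.lower() or basename(path).startswith(("mfe", "mc"))


def classify(ev: ApEvent) -> str:
    if is_mcafee_component(ev.source):
        # A McAfee component tripping its own rule: benign per the thread, and the kind
        # of entry KB73080 has you exclude.
        return "self-block"
    if ev.action.lower() == "terminate" and basename(ev.source) in SHARED_HOSTS:
        # Something hosted in svchost opened McAfee processes with TERMINATE rights:
        # identify the DLL rather than excluding the host process from the rule.
        return "hosted-dll-enum"
    return "review"


Key = Tuple[str, str, str]  # (source basename, rule, action)


def triage(lines: Iterable[str]) -> Tuple[Dict[str, Dict[Key, List[str]]], int]:
    """Group block records by category and (source, rule, action); also count unparsable lines."""
    report = {c: defaultdict(list) for c in ("self-block", "hosted-dll-enum", "review")}
    skipped = 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped += 1 if line.strip() else 0
            continue
        report[classify(ev)][(basename(ev.source), ev.rule, ev.action)].append(ev.target)
    return {c: dict(groups) for c, groups in report.items()}, skipped


def _entry(ts: str, source: str, target: str, rule: str, action: str) -> str:
    return "\t".join([ts, BLOCK_MARKER, "NT AUTHORITY\\SYSTEM", source, target, rule,
                      "Action blocked : " + action])


TERM_RULE = "Common Standard Protection:Prevent termination of McAfee processes"
WRITE_RULE = "Common Standard Protection:Prevent modification of McAfee files and settings"
# Constructed sample: the thread's entries re-joined with tabs; the first has no timestamp.
SAMPLE_LOG = [
    "\t".join([BLOCK_MARKER, "NT AUTHORITY\\SYSTEM",
               "C:\\Program Files\\Common Files\\McAfee\\DATReputation\\mcdatrep.exe",
               "\\REGISTRY\\MACHINE\\SOFTWARE\\McAfee\\SystemCore\\VSCore\\On Access Scanner\\McShield\\Configuration",
               WRITE_RULE, "Action blocked : Write"]),
] + [
    _entry("7/21/2015 8:30:40 AM", "C:\\Windows\\system32\\svchost.exe", target, TERM_RULE, "Terminate")
    for target in (
        "C:\\Program Files (x86)\\McAfee\\Common Framework\\FrameworkService.exe",
        "C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\VsTskMgr.exe",
        "C:\\Windows\\system32\\mfevtps.exe",
        "C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\mfeann.exe",
        "C:\\Program Files (x86)\\McAfee\\Common Framework\\naPrdMgr.exe",
        "C:\\Program Files\\Common Files\\McAfee\\SystemCore\\mcshield.exe",
    )
] + ["7/21/2015 8:30:41 AM informational line that is not a block record"]

if __name__ == "__main__":
    report, skipped = triage(SAMPLE_LOG)
    for category, groups in report.items():
        for (source, rule, action), targets in groups.items():
            print(f"{category:16} {source:14} {action:10} x{len(targets):<3} {rule}")
    print(f"skipped {skipped} non-block line(s)")
```

Run against a real log with `triage(open(path, encoding="utf-8", errors="replace"))`; the "hosted-dll-enum" bucket is the one to chase with a module listing of the offending svchost instance, while "self-block" entries are the exclusion candidates and "review" is whatever neither heuristic recognises.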

                • 6. Re: VirusScan Enterprise 8.8 Patch 4 is blocking McAfee's own mcdatrep.exe
                  finkemch

                  McAfee has produced these Access Protection alerts because of the rollout of DAT reputation.

                  With this extraDREP.rul (included in the DAT reputation) McAfee has inserted a local access protection rule which is unrelated to the ePO rules – we cannot configure them with ePO!

                  We have discovered 3 versions of access protection alerts:

                  1. McAfee DAT Reputation:Prevent - modification of McAfee DAT Reputation files and settings

                  C:\Program Files (x86)\Common Files\McAfee\DATReputation\mcdatrep.exe

                  2. McAfee DAT Reputation:Protect - McAfee DAT Reputation AP Rule Files

                  C:\PROGRAM FILES\COMMON FILES\McAfee\SYSTEMCORE\EXTRADREP.RUL

                  3. G_DATReputation:Prevent - modification of McAfee DAT Reputation files and settings

                  C:\Program Files (x86)\Common Files\McAfee\DATReputation\mcdatrep.exe

                  They fixed this issue on Commonupdater3 on 15.7.2015 by disabling the reporting in extraDREP.rul (1 => 0):

                          Report G_DATReputation 0

                                       Report 0

                  It is stored under: {commonprogramfiles}/McAfee/SystemCore/extraDREP.rul

                  On 22.7.2015 McAfee released the changed extraDREP.rul, with the report disabled, to the other repositories - now the alerts should be suppressed.