1 of 1 people found this helpful
So this is enterprise I will move it tp virusscan enterprise there you will get better assistance than in the consumer area. IF you feel another area better please let me know
Oh, Hi. This sounds like a very good suggestion. please go ahead.
What you are seeing here is not that your app is being detected as a false positive, persay. The VSE component that is showing an issue with this EXE is Access Protection. Access Protection provides a set of pre-defined rules that can be used to prevent applications from taking actions that could destabilize a system through such actions as uninstalling AV, terminating certain Windows processes, etc.
In this case, C:\Users\v10615\Downloads\SumatraPDF-3.1.1-64-install (1).exe is seen "attempting" to terminate two McAfee processes. This behavior is often a false positive due to an improper access mask. SCCM's agent is an example of this. The other end of the spectrum is that this particular installer is malicious and is actually trying to do damage and terminate AV. If there is concern, your IT security team should have access to ServicePortal and can submit the exe as a sample for analysis.
The question that needs to be answered is - Is the installation / use of SumatraPDF prevented? In the log snippet you provided, it simply looks like the installer is potentially impacted. If the installer executes and the app then works correctly, no whitelisting should be needed. If the installer fails to launch or the app is impacted, then your IT security team may need to review policies and tune to allow the app to function while ensuring security.
thanks for the detailed answer. I fill forward it to the IT security guys. Of course their first answer was "don't use the software!" :-(
Your question is right on. I cannot understand what the install files have to do with the sumatra.exe file that is being blocked. I used Sumatra for ages without problems. Only recently I a having this problem. the files have been there for months but McAfee still blocks sumatra after i deleted them.
Anyway, hopefully they'll send it over to the ServicePortal.
Lots of thanks, Marco