The blue is geared towards manual stopping of service. The red is the rule to disallow applications from terminating processes.
Just to add a note: The prevent termination of McAfee services should be set to block to stop users and malware from terminating protection.
Keep in mind you will get events generated due to programs requesting the right to terminate the process, even though they don't actually terminate the McAfee processes.
I have had to tune out (exclude) processes like ccmexec.exe to reduce the noisy amount of events.
Use VirusTotal to make sure what you are tuning is safe.
Thanks for the good & detailed explanation.
So if we unselect both, we should be able to stop McAfee services using the Task Manager. The problem is, if you have problems with a server/client, the first thing is to stop McAfee, to see if the problem is connected with them or not, which is impossible running vse8.8.0 P6/7 with Agent132,188,333 and W2012R2, W7, W10. This would tell us that the policy (unselected) is not working right on these machines, am I right?
Are you working on something just for systems that need fixing or deployment?
If so, as long as it is temporary and applied to just some computers, then the risk is reduced.
In the past, I have put computers in a fix group and had a policy to disable the two features, then used psexec command to stop and start mcshield or kill a patch that's been stuck running for more than an hour.
With Agent 5.X policy agent setting for self protection on, you can no longer stop the McAfee agent service unless you change the policy for self protection.
The problem may be that the agent is not talking to EPO, you would have to remove products, then remove the agent.
If you want to look at one computer, you could unlock it (assume VSE console is password protected) and disable access protection then stop mcshield.
Hope this helps