5 Replies Latest reply on Mar 22, 2016 7:07 PM by squonk_109

    2 policy settings for the same?!?

    bandit61

      In the access protection policy you have two selections to prevent termination of McAfee processes.

      Which one is the stronger?

       

      see file attached:

      access_protection_policy_1.jpg

        • 1. Re: 2 policy settings for the same?!?
          alex.hawke

          The blue is geared towards manual stopping of service. The red is the rule to disallow applications from terminating processes.

          • 2. Re: 2 policy settings for the same?!?
            squonk_109

            Just to add a note: The prevent termination of McAfee services should be set to block to stop users and malware from terminating protection.

            Keep in mind you will get events generated due to programs requesting the right to terminate the process, even though they don't actually terminate the McAfee processes.

            Please see https://community.mcafee.com/message/217682#217682.

             

            I have had to tune out (exclude) processes like ccmexec.exe to reduce the noisy amount of events.

            Use VirusTotal to make sure what you are tuning is safe.

            • 3. Re: 2 policy settings for the same?!?
              alex.hawke

              ^Perfect Explanation

              • 4. Re: 2 policy settings for the same?!?
                bandit61

                Thanks for the good & detailed explanation.

                 

                So if we unselect both, we should be able to stop McAfee services using the TaskManager. The problem is, if you have problems with a server/client the first thing is to stop McAfee, to see if the problem is connected with them or not, which is impossible running vse8.8.0 P6/7 with Agent132,188,333 and W2012R2,W7,  W10. This would tell us, that the policy (unselected) is not working right on these machines, am I right?

                • 5. Re: 2 policy settings for the same?!?
                  squonk_109

                  Are you working on something just for systems that need fixing or deployment?

                  If so, as long as it is temporary and applied to just some computers, then the risk is reduced.

                  In the past, I have put computers in a fix group and had a policy to disable the two features, then used psexec command to stop and start mcshield or kill a patch that's been stuck running for more than an hour.

                  With Agent 5.X policy agent setting for self protection on, you can no longer stop the McAfee agent service unless you change the policy for self protection.

                  The problem may be that the agent is not talking to EPO, you would have to remove products, then remove the agent.

                   

                  If you want to look at one computer, you could unlock it (assume VSE console is password protected) and disable access protection then stop mcshield.

                   

                  Hope this helps