0 Replies Latest reply on May 5, 2016 1:51 PM by justingoldberg

    McAfee Blocking McAfee Validation Trust Protection (mfevtps.exe); Also Full Path to SVCHOST.EXE In Exceptions?

    justingoldberg

      I see this in our ePO server's threat events often. Is there any way to prevent this from filling our logs while keeping McAfee safe? Perhaps I should add SVCHOST.EXE to the rules exceptions?

       

      Server ID:SECURITYAGENT
      Event Received Time:5/5/16 7:16:57 AM
      Event Generated Time:5/4/16 6:51:02 PM
      Agent GUID:61EE361A-0D6A-11E6-1398-A0D3C126B3F2
      Detecting Prod ID (deprecated):VIRUSCAN8800
      Detecting Product Name:VirusScan Enterprise
      Detecting Product Version:8.8
      Detecting Product Host Name:ComputerName01
      Detecting Product IPv4 Address:192.168.1.154
      Detecting Product IP Address:192.168.1.154
      Detecting Product MAC Address:
      DAT Version:
      Engine Version:
      Threat Source Host Name:_
      Threat Source IPv4 Address:192.168.1.154
      Threat Source IP Address:192.168.1.154
      Threat Source MAC Address:
      Threat Source User Name:
      Threat Source Process Name:C:\WINDOWS\SYSTEM32\SVCHOST.EXE
      Threat Source URL:
      Threat Target Host Name:ComputerName01
      Threat Target IPv4 Address:192.168.1.154
      Threat Target IP Address:192.168.1.154
      Threat Target MAC Address:
      Threat Target User Name:NT AUTHORITY\SYSTEM
      Threat Target Port Number:
      Threat Target Network Protocol:
      Threat Target Process Name:
      Threat Target File Path:C:\WINDOWS\SYSTEM32\MFEVTPS.EXE
      Event Category:'File' class or access
      Event ID:1092
      Threat Severity:Notice
      Threat Name:Common Standard Protection:Prevent termination of McAfee processes
      Threat Type:access protection
      Action Taken:deny terminate
      Threat Handled:True
      Analyzer Detection Method:OAS

      Events received from managed systems

      Event Description:Access Protection rule violation detected and blocked

      Also, is it a better idea to add C:\WINDOWS\SYSTEM32\SVCHOST.EXE as an exception rather than SVCHOST.EXE, in case some malware names itself SVCHOST.EXE?
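
An added example, not part of the original post and not McAfee code: a small Python triage script for event text in the Field:Value format shown above, telling apart a source process that matches the full system path from one that matches only by file name. The expected-path constant, the function names, and the second sample event are assumptions constructed for illustration.

```python
import ntpath
from collections import Counter

# Assumption: default location of the genuine Windows service host.
EXPECTED_SVCHOST = r"C:\Windows\System32\svchost.exe"

# First event uses field values from the post; the second is constructed
# (hypothetical path) to show a same-named binary outside System32.
EVENT_FROM_POST = r"""
Threat Source Process Name:C:\WINDOWS\SYSTEM32\SVCHOST.EXE
Threat Target File Path:C:\WINDOWS\SYSTEM32\MFEVTPS.EXE
Event ID:1092
Threat Name:Common Standard Protection:Prevent termination of McAfee processes
"""
EVENT_CONSTRUCTED = EVENT_FROM_POST.replace(
    r"C:\WINDOWS\SYSTEM32\SVCHOST.EXE", r"C:\Users\Public\svchost.exe")

def parse_event(text):
    """Parse 'Field:Value' lines; split on the first ':' only (values contain colons)."""
    event = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key:
            event[key] = value.strip()
    return event

def _norm(path):
    # Windows paths are case-insensitive; also collapse '..' and '/'.
    return ntpath.normcase(ntpath.normpath(path))

def classify_source(event):
    """Compare the source process by full path, then by file name alone."""
    src = event.get("Threat Source Process Name", "")
    if not src:
        return "unknown"
    if _norm(src) == _norm(EXPECTED_SVCHOST):
        return "expected-path"
    if ntpath.basename(_norm(src)) == "svchost.exe":
        return "name-only-match"   # a bare-name exception would also cover this
    return "other"

def triage(event_texts):
    """Count events per (rule, source verdict) to see what fills the log."""
    events = [parse_event(t) for t in event_texts]
    return Counter((e.get("Threat Name", ""), classify_source(e)) for e in events)

if __name__ == "__main__":
    for key, n in triage([EVENT_FROM_POST] * 3 + [EVENT_CONSTRUCTED]).items():
        print(n, key)
```

Events classified as name-only-match are the ones worth reviewing individually before any exception is written.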