2 Replies Latest reply on Aug 9, 2016 11:40 AM by wwarren

    McAfee VSE 8.8 Access Protection log? Was this Malware?

    anvin0001

      I am trying to analyze this Access Protection log which was detected by McAfee VSE below.

      Has any one of you guys here experienced this on a local machine?


      8/6/2016 22:44:57 Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\WINDOWS\SYSTEM32\SVCHOST.EXE C:\ProgramData\McAfee\Common Framework\DB:Win32App_1 Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings Action blocked : Create


      Thanks

        • 1. Re: McAfee VSE 8.8 Access Protection log? Was this Malware?
          anvin0001

          I cannot believe nobody here knows this.

          This is unacceptable.

          Now I know nobody ever uses McAfee because even their support forums are a disgrace.

          • 2. Re: McAfee VSE 8.8 Access Protection log? Was this Malware?
            wwarren

            What is it you do not understand about the log entry?


            To interpret the log, you can extract these details from it -

            1. The process that violated a rule was named SVCHOST.EXE; and based on the path, you can confirm it was the Windows SVCHost.exe, which is a process that can be compromised by malware. But there is no way to know from this log entry whether it was malware or not, because this is an Access Protection violation entry. AP rules do not know about malware, they only know about behaviors.

            2. The target of SVCHost's action was a protected file object; protected by an AP rule (the rule which is described in the event entry).

            3. The action SVCHost tried to undertake was a "Create". In other words, it tried to create that object or tried to get access to it, and was blocked.


            Access Protection rules are "primitive"

            There is no intelligence to them beyond "Process xyz tried to perform Action abc and was blocked". It is impossible to know if it's malware or not.


            In saying that, if you look at Endpoint Security 10.2 we add intelligence to Access Protection and more to create a feature called Dynamic Application Containment. This feature will essentially answer your question for you, on whether it is malware or not, by means of a collection of rules where, as a process violates rules, it becomes more and more suspicious, to the point where its behavior alone will convict it as malware.

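The interpretation above (process, target, rule, action) can be applied mechanically across a whole log. The following is an added example, not code from the thread or from McAfee: it assumes the Access Protection log stores the fields shown in the question as tab-separated columns, and it adds a hypothetical allow-list check so that a process named like a Windows system binary but running from an unexpected directory is flagged for closer review. The sample lines are constructed; the first is the entry from the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log, assumed tab-separated as in VSE's AccessProtectionLog.txt.
# Line 1 is the entry from the question; line 2 is a constructed look-alike process.
SAMPLE_LOG = (
    "8/6/2016\t22:44:57\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\t"
    "C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE\tC:\\ProgramData\\McAfee\\Common Framework\\DB:Win32App_1\t"
    "Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings\t"
    "Action blocked : Create\n"
    "8/6/2016\t22:45:10\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM\t"
    "C:\\Users\\Public\\svchost.exe\tC:\\ProgramData\\McAfee\\Common Framework\\DB:Win32App_1\t"
    "Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings\t"
    "Action blocked : Create\n"
)

@dataclass
class ApEvent:
    date: str
    time: str
    user: str      # account the process ran as
    process: str   # full path of the process that violated the rule
    target: str    # protected object it tried to touch
    rule: str      # "Category:Rule name" as written by VSE
    action: str    # the blocked operation, e.g. Create

def parse_ap_line(line: str) -> Optional[ApEvent]:
    """Split one tab-separated AP log line into its fields; None if it is not an AP block event."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 8 or not fields[2].startswith("Blocked by Access Protection rule"):
        return None
    m = re.match(r"Action blocked\s*:\s*(\w+)", fields[7])
    action = m.group(1) if m else fields[7]
    return ApEvent(fields[0], fields[1], fields[3], fields[4], fields[5], fields[6], action)

# Hypothetical allow-list: image names that legitimately run only from these directories.
EXPECTED_PATHS = {"svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}

def path_is_expected(process: str) -> bool:
    """True if the image is unknown to the allow-list or runs from one of its expected directories."""
    directory, _, name = process.lower().rpartition("\\")
    allowed = EXPECTED_PATHS.get(name)
    return allowed is None or directory in allowed

def triage(log_text: str) -> List[Dict]:
    """Reduce each AP event to the facts the reply says the log can support, plus the path check."""
    out = []
    for line in log_text.splitlines(keepends=True):
        ev = parse_ap_line(line)
        if ev is not None:
            out.append({"process": ev.process, "action": ev.action,
                        "rule_category": ev.rule.split(":", 1)[0],
                        "expected_path": path_is_expected(ev.process)})
    return out
```

An event with `expected_path` False does not prove malware any more than the original entry does; it only marks which rule violations deserve a second look.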