I cannot believe nobody here knows this.
This is unacceptable.
Now I know nobody ever uses McAfee because even their support forums are a disgrace.
What is it you do not understand about the log entry?
To interpret the log, you can extract these details from it -
1. The process that violated a rule was named SVCHOST.EXE; and based on the path, you can confirm it was the Windows SVCHost.exe, which is a process that can be compromised by malware. But there is no way to know from this log entry whether it was malware or not, because this is an Access Protection violation entry. AP rules do not know about malware; they only know about behaviors.
2. The target of SVCHost's action was a protected file object; protected by an AP rule (the rule which is described in the event entry).
3. The action SVCHost tried to undertake was a "Create". In other words, it tried to create that object or tried to get access to it, and was blocked.
Access Protection rules are "primitive"
There is no intelligence to them beyond "Process xyz tried to perform Action abc and was blocked". It is impossible to know if it's malware or not.
In saying that, if you look at Endpoint Security 10.2 we add intelligence to Access Protection and more to create a feature called Dynamic Application Containment. This feature will essentially answer your question for you, on whether it is malware or not, by means of a collection of rules: as a process violates rules it becomes more and more suspicious, to the point where its behavior alone will convict it as malware.
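As an added illustration of the three details described in the reply above (this is not code from the thread or from McAfee, and the tab-separated entry is constructed for the example rather than McAfee's real log format), a small parser that pulls out the process, target and action and applies the "check the path" step to the svchost.exe name:

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample entry (an assumption, not McAfee's documented format):
# four tab-separated fields: process path, target object, rule name, action.
SAMPLE_ENTRY = (
    "C:\\Windows\\System32\\svchost.exe\t"
    "C:\\Windows\\System32\\drivers\\etc\\hosts\t"
    "Prevent modification of the hosts file\t"
    "Create"
)

# Directories the genuine Windows svchost.exe runs from (assumption for the example).
GENUINE_SVCHOST_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}


@dataclass
class ApViolation:
    process_path: str
    target: str
    rule: str
    action: str

    @property
    def process_name(self) -> str:
        return PureWindowsPath(self.process_path).name

    def process_path_is_genuine_windows(self) -> bool:
        """Detail 1: the path, not the name, tells you it is the real svchost.exe."""
        return PureWindowsPath(self.process_path).parent in GENUINE_SVCHOST_DIRS

    def summary(self) -> str:
        # Details 2 and 3: what was targeted and what action was blocked.
        # An AP entry records behaviour only; it says nothing about malware.
        return (f"{self.process_name} tried to {self.action} {self.target} "
                f"and was blocked by rule '{self.rule}'")


def parse_entry(entry: str) -> ApViolation:
    """Split one constructed entry into its four fields."""
    fields = entry.rstrip("\r\n").split("\t")
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}")
    return ApViolation(*fields)
```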