Application Event log has multiple alert notifications for Event ID 257 or 258 (VirusScan Enterprise 8.7i and later)
Technical Articles ID:   KB60475
Last Modified:  11/2/2016

Environment

McAfee VirusScan Enterprise 8.x
 

Problem

Application Event log is full of alert notifications caused by Access Protection Rule triggers.

Multiple Event ID 257 or 258 entries.

System Change

VirusScan Enterprise was deployed with Access Protection rules enabled that are commonly triggered in the environment.

Cause

The local machine is generating Alerts from Access Protection rules when running VSE 8.7i or later.

Solution

Make Access Protection rules more specific.

Example:

Instead of a broad encompassing rule:

Prevent remote creation/modification/deletion of anything in the Windows folder and subfolders

Where Process=System:Remote, Pattern=%windir%\**\*, Prevent=Write, Create, Delete

Use a more specific rule:

Prevent remote creation/modification/deletion of any DLL files in the Windows folder and subfolders

Where Process=System:Remote, Pattern=%windir%\**\*.DLL, Prevent=Write, Create, Delete

Solution

Configure the clients to filter their alerting. All Access Protection rule triggers are considered medium severity (level 2 on a scale from 0, the lowest, to 4, the highest). Apply the minimum configuration that suppresses Access Protection alerts in the Application event log:

Filter the alerting to level Suppress Information, warnings & low (severity <3):
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Click Tools, Alerts.
  3. Under Additional Alerting Options select the desired severity filter and click OK.
  4. Exit VirusScan Console.

Solution

Disable Behavior Blocking Rules.
 
If a specific rule is causing too many alerts, consider disabling it until a better rule can be devised, or create an exception for the process triggering the rule.

To identify which rule is being triggered, refer to the Access Protection logs:
  • C:\Documents and Settings\All Users\Application Data\McAfee\Desktop Protection\AccessProtectionLog.txt
  • C:\Program Data\McAfee\Desktop Protection\AccessProtectionLog.txt
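
To see which rule and process pairs account for most of the entries before narrowing a rule or adding an exception, the following PowerShell summarizes the log. It is an added example, not part of the original article or of McAfee tooling; the function name, the tab-separated field layout and the sample lines are assumptions made for illustration.

```powershell
# Added example. ASSUMPTION: each log line is tab-separated as
#   date, time, event text, user, process, target, rule name, action blocked
# Compare with a few lines of your own log and adjust the indexes if they differ.
function Get-AccessProtectionSummary {
    param(
        [Parameter(Mandatory = $true)][string[]]$Line,  # raw log lines
        [int]$Top = 10                                  # rows to return
    )
    $records = foreach ($l in $Line) {
        $f = $l -split "`t"
        if ($f.Count -lt 8) { continue }                # header or partial line
        [pscustomobject]@{
            Rule    = $f[6].Trim()
            Process = $f[4].Trim()
            Target  = $f[5].Trim()
        }
    }
    # One row per (rule, process) pair, noisiest first, with one sample target
    $records |
        Group-Object -Property Rule, Process |
        Sort-Object -Property Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ Name = 'Rule';         Expression = { $_.Group[0].Rule } },
            @{ Name = 'Process';      Expression = { $_.Group[0].Process } },
            @{ Name = 'SampleTarget'; Expression = { $_.Group[0].Target } }
}

# Constructed sample lines: user, targets and timestamps are made up; the rule
# names and the System:Remote process come from the example in this article.
$broad  = 'Prevent remote creation/modification/deletion of anything in the Windows folder and subfolders'
$narrow = 'Prevent remote creation/modification/deletion of any DLL files in the Windows folder and subfolders'
$mk = { param($target, $rule)
    "11/2/2016`t9:01:12 AM`tBlocked by Access Protection rule`tEXAMPLE\alice`tSystem:Remote`t$target`t$rule`tAction blocked : Create" }
$sample = @(
    (& $mk 'C:\Windows\Temp\a.tmp'         $broad)
    (& $mk 'C:\Windows\Temp\b.log'         $broad)
    (& $mk 'C:\Windows\Tasks\job1.job'     $broad)
    (& $mk 'C:\Windows\System32\demo.dll'  $narrow)
    'a header or truncated line that is skipped'
)

Get-AccessProtectionSummary -Line $sample | Format-Table -AutoSize -Wrap

# For a real log, set $logPath to one of the locations listed above, then:
#   Get-AccessProtectionSummary -Line (Get-Content -Path $logPath)
```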

Affected Products


VirusScan Enterprise 8.8