Application Event log has multiple alert notifications for Event ID 257 or 258

技術的な記事 ID: KB60475
最終更新: 6/24/2020

環境

McAfee VirusScan Enterprise (VSE) 8.x

問題

The Application Event log is full of alert notifications caused by Access Protection Rule triggers.

You see multiple Event ID 257 or 258 entries.

システムの変更

You deployed VirusScan Enterprise with Access Protection rules enabled that are being commonly triggered in the environment.

原因

The local system is generating alerts from Access Protection rules when VSE runs.

解決策

Make Access Protection rules more specific.

Example:

Instead of a broad encompassing rule:

Prevent remote creation, modification, or deletion of anything in the Windows folder and subfolders

Where Process=System:Remote, Pattern=%windir%\**\*, Prevent=Write, Create, Delete

Use a more specific rule:

Prevent remote creation, modification, or deletion of any DLL files in the Windows folder and subfolders

Where Process=System:Remote, Pattern=%windir%\**\*.DLL, Prevent=Write, Create, Delete

解決策

Configure the clients to filter their alerting. All Access Protection Rules triggers are considered medium severity. (Medium severity is Level 2 between 0-lowest and 4-highest.) Apply the minimum configuration to suppress Access Protection Alerts in the application event log:

Filter the alerting to level Suppress Information, warnings & low (severity <3)

Click Start, Programs, McAfee, VirusScan Console.
Click Tools, Alerts.
In Additional Alerting Options, select the severity filter you want and click OK.
Exit VirusScan Console.

解決策

Disable Behavior Blocking Rules.

If a specific rule causes too many alerts, consider disabling it until a better rule can be devised. Or, create an exception for the process that triggers the rule.

To identify which rule is being triggered, see the access protection logs:

C:\Documents and Settings\All Users\Application Data\McAfee\Desktop Protection\AccessProtectionLog.txt
C:\Program Data\McAfee\Desktop Protection\AccessProtectionLog.txt

影響を受ける製品

VirusScan Enterprise 8.8

言語:

この記事は、次の言語で表示可能です:

English United States
Japanese

技術用語集

用語集にある用語をハイライトする

当社の技術用語集を参照してください。

Knowledge Center

Application Event log has multiple alert notifications for Event ID 257 or 258

環境

問題

システムの変更

原因

解決策

解決策

解決策

影響を受ける製品

言語:

技術用語集

Title

Title

Knowledge Center

Application Event log has multiple alert notifications for Event ID 257 or 258

環境

問題

システムの変更

原因

解決策

解決策

解決策

影響を受ける製品

言語:

技術用語集

地域を選択してください

Title

Title