CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a REG file that is not confirmed to be a genuine registry import file.
View the Access Protection Log to see the messages being logged:
- Click Start, Programs, McAfee, VirusScan Console.
- Right-click Access Protection.
- Click View log file. The AccessProtectionLog.txt file opens.
NOTE: For an alternative method of viewing the Access Protection Log, see the Related Information section.
Review the recent entries in the Access Protection Log file:
Examine the log file and determine if the most recent log entries correspond to the time that the system began exhibiting problems. If the log entries do not correspond with the time that the problems occurred, the problems might not be related to Access Protection. In this scenario, refer to Knowledge Base article KB66254.
If the log entries correspond with the problems, determine which are relevant and which are not, based on the two types of log entries. The two types are as follows:
- Messages reporting Would be blocked. Example:
8/10/2011 1:42:53 PM Would be blocked by Access Protection rule (rule is currently not enforced) MyDomain\MyUser C:\Test. C:\MyProcess.exe Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked : Execute
Messages such as these are not the source of the problem and can be ignored. A Would be blocked message is only a warning, indicating that a program could have been prevented from doing something if you had the rule configured to Block.
- Messages reporting that something was Blocked. Example:
8/22/2011 9:05:34 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Test.exe C:\MyFile.txt MyCustomRule Action blocked : Delete
This type of message shows that one of the VSE Access Protection rules has stopped a process from doing something. Use the following information to decipher the message.
- Messages reporting on a McAfee process that is normally trusted. Trust may not be established when a recent installation has been performed. Example:
6/30/2015 4:20:59 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\Common Files\McAfee\DATReputation\mcdatrep.exe \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
This type of message shows that a McAfee process has violated one of the VSE Access Protection rules. This can occur when no trust relationship exists (legacy product) or when trust has not been established because of a recent install. Use the following information to decipher the message.
Decipher the Access Protection Log messages:
Below is a typical blocked message that can appear in the Access Protection Logs:
9/29/2011 8:55:09 AM Blocked by Access Protection rule Domain\Username C:\WINDOWS\system32\CCM\CcmExec.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
The segments of the message, defined as follows, help you determine the application that is being blocked, the reason it was blocked (which Access Protection rule it triggered), and other important points:
- Domain\Username indicates the Account or Credentials of the process that was blocked.
- C:\WINDOWS\system32\CCM\CcmExec.exe indicates the name of the process that was blocked.
- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe indicates the name of the file/folder/process that is being protected.
- Common Standard Protection:Prevent termination of McAfee processes indicates the Access Protection rule name that was triggered or violated.
- Action blocked : Terminate indicates what action was being prevented.
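The segment breakdown above can be applied in a script when the log is too long to read by eye. This is an added example, not part of the original article or any McAfee tooling. It assumes the fields in AccessProtectionLog.txt on disk are tab-separated (the entries shown on this page have them flattened to spaces), and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta

def _line(*fields):
    return "\t".join(fields)  # assumption: fields are TAB-separated on disk

# Constructed sample: the article's example entries with tabs restored.
SAMPLE = [
    _line("8/10/2011", "1:42:53 PM", "Would be blocked by Access Protection rule (rule is currently not enforced)",
          r"MyDomain\MyUser", r"C:\Test.", r"C:\MyProcess.exe",
          "Common Standard Protection:Prevent common programs from running files from the Temp folder",
          "Action blocked : Execute"),
    _line("8/22/2011 9:05:34 AM", "Blocked by Access Protection rule", r"NT AUTHORITY\SYSTEM",
          r"C:\Test.exe", r"C:\MyFile.txt", "MyCustomRule", "Action blocked : Delete"),
    _line("9/29/2011", "8:55:09 AM", "Blocked by Access Protection rule", r"Domain\Username",
          r"C:\WINDOWS\system32\CCM\CcmExec.exe",
          r"C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe",
          "Common Standard Protection:Prevent termination of McAfee processes",
          "Action blocked : Terminate"),
]

def parse_entry(line):
    """Split one log line into the segments the article describes, or None."""
    fields = [f.strip() for f in line.split("\t") if f.strip()]
    # Locate the status field; whatever precedes it is the timestamp
    # (date and time may arrive as one field or two).
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("Blocked by", "Would be blocked"))), None)
    if not idx or len(fields) - idx < 6:
        return None
    user, process, target, rule, action = fields[idx + 1:idx + 6]
    category, sep, name = rule.partition(":")
    if not sep:  # e.g. MyCustomRule in the article has no "Category:" prefix
        category, name = "", rule
    return {
        "time": datetime.strptime(" ".join(fields[:idx]), "%m/%d/%Y %I:%M:%S %p"),
        "enforced": fields[idx].startswith("Blocked by"),  # False = report-only
        "user": user, "process": process, "target": target,
        "category": category, "rule": name,
        "action": action.split(":", 1)[-1].strip(),
    }

def blocks_near(lines, incident, window=timedelta(minutes=30)):
    """Count enforced blocks per (category, rule, blocked process) near the incident."""
    hits = Counter()
    for entry in filter(None, map(parse_entry, lines)):
        if entry["enforced"] and abs(entry["time"] - incident) <= window:
            hits[(entry["category"], entry["rule"], entry["process"])] += 1
    return hits
```

Passing the time the problem began as `incident` leaves only enforced blocks from that window, grouped by rule and blocked process, which is the list to review before deciding on any exclusion.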
Exclude appropriate processes from being blocked:
After determining which process is triggering which Access Protection rule, determine whether that process should continue to be blocked or whether it should be excluded. This might include following up with the owner of that process to find out what their process is doing that the Access Protection rule objects to.
If the process is trusted and is causing the problems, you can exclude it in the following way:
Open the Access Protection properties
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
Locate the Access Protection rule that you want to modify
- The left window shows Categories of different Access Protection rules. The right window shows the actual rule names.
- The Access Protection log entry that you identified also tells you which Category the rule comes from.
Example: Common Standard Protection: Prevent termination of McAfee processes.
NOTE: In this example the Category is Common Standard Protection and the rule name is Prevent termination of McAfee processes.
- Select the Category in the left window, and then select the rule name in the right window.
- Click Edit, located below the right window.
- Click inside the Processes to exclude text box.
- Move the cursor to the end of the contents of the box.
- Add a comma (,), type the name of the process to exclude, and then click OK twice.
The process is now excluded.
You can read more about configuring Access Protection rules in the Product Guide for your version.