How to resolve issues caused by Access Protection rules and Behavior Blocking

Technical Articles ID: KB73080
Last Modified: 6/29/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.x

Summary

This article provides troubleshooting steps and advice to help in the following common scenarios:

An application stops working after you install VSE.
Email stops sending successfully after you install VSE.
A McAfee process has not established trust with Access Protection due to a recent install.

This article explains how to determine if the VSE Access Protection feature is the source of these issues and, if so, provides steps to resolve these issues.

Problem

An issue is written to the Access Protection log in one of the following formats:

A rule was violated, and the rule is set to Warn only:

<date> <time> Would be blocked by Access Protection rule (rule is currently not enforced) <domain>\<username> ProcessName Target RuleName Action blocked : <action>
A rule was violated, and the rule is set to Warn and Block:

<date> <time> Blocked by Access Protection rule <domain>\<username> ProcessName Target RuleName Action blocked : <action>

Solution

CAUTION: This article contains information about opening or modifying the registry.

The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
Do not run a REG file that is not confirmed to be a genuine registry import file.

View the Access Protection Log to see the messages being logged:

Click Start, Programs, McAfee, VirusScan Console.
Right-click Access Protection.
Click View log file. The AccessProtectionLog.txt file opens.

NOTE: For an alternative method of viewing the Access Protection Log, see the Related Information section.

Review the recent entries in the Access Protection Log file:
Examine the log file and determine if the most recent log entries correspond to the time that the system began to exhibit problems. If the log entries do not correspond with the time that the problems occurred, the problems might not be related to Access Protection. In this scenario, see KB66254.

If the log entries correspond with the problems, determine which are relevant and which are not, based on the two types of log entries. The two types are as follows:

Messages reporting Would be blocked. Example:

Would be blocked by Access Protection rule (rule is currently not enforced) MyDomain\MyUser C:\Test. C:\MyProcess.exe Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked : Execute

Messages such as these are not the source of the problem and can be ignored. A Would be blocked message is only a warning. It indicates that a program could have been prevented from doing something if you had the rule configured to Block.
Messages reporting that something was Blocked. Example:

Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Test.exe C:\MyFile.txt MyCustomRule Action blocked: Delete

This type of message shows that one of the VSE Access Protection rules has stopped a process from doing something. Use the following information to decipher the message.
Messages reporting on a McAfee process which is normally trusted. Trust might not be established when a recent installation has been performed.

Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\Common Files\McAfee\DATReputation\mcdatrep.exe
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration
Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write

This type of message shows that a McAfee process has violated one of the VSE Access Protection rules. It might occur due to no trust relationship (legacy product) or trust is not established due to a recent install. Use the following information to decipher the message.

Decipher the Access Protection Log messages:
Below is a typical blocked message that can appear in the Access Protection Logs:

Blocked by Access Protection rule Domain\Username C:\WINDOWS\system32\CCM\CcmExec.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

The segments of the message, defined as follows, help you determine the application that is being blocked, the reason it was blocked (which Access Protection rule it triggered), and other important points:

Domain\Username - indicates the Account or Credentials of the process that was blocked.
C:\WINDOWS\system32\CCM\CcmExec.exe - indicates the name of the process that was blocked.
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe - indicates the name of the file/folder/process that is being protected.
Common Standard Protection:Prevent termination of McAfee processes - indicates the Access Protection rule name that was triggered or violated.
Action blocked : Terminate - indicates what action was being prevented.

Exclude appropriate processes from being blocked:

After you determine which process triggers which Access Protection rule, determine whether that process must continue to be blocked or must be excluded. This process might include following up with the owner of that process to find out what their process is doing that the Access Protection rule objects to.

If the process is trusted and causes the problems, you can exclude it in the following way:

Open the Access Protection properties

Click Start, Programs, McAfee, VirusScan Console.
Double-click Access Protection.

Locate the Access Protection rule that you want to modify

The left window shows Categories of different Access Protection rules. The right window shows the actual rule names.
The Access Protection log entry that you identified also tells you which Category the rule comes from.

Example: Common Standard Protection: Prevent termination of McAfee processes.

NOTE: In this example, the Category is Common Standard Protection and the rule name is Prevent termination of McAfee processes.

Select the Category in the left Window, select the rule name in the right Window.
Click Edit.
Click inside the Processes to exclude textbox.
Move the cursor to the end of the contents of the textbox.
Add a comma (,), type the name of the process to exclude, and then click OK twice.

The process is now excluded.

You can read more about configuring Access Protection rules in the Product Guide for your version.

For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

Related Information

An alternative way of viewing the Access Protection Log is as follows:

Click Start, Run, type %deflogdir% and click OK. The AccessProtectionLog.txt file displays in the Explorer window.
To open it, double-click the file.

Affected Products

Troubleshooting
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

How to resolve issues caused by Access Protection rules and Behavior Blocking

Environment

Summary

Problem

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

How to resolve issues caused by Access Protection rules and Behavior Blocking

Environment

Summary

Problem

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title