CAUTION: This article contains information about opening or modifying the registry.
- The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
- Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
- Do not run a REG file that is not confirmed to be a genuine registry import file.
View the Access Protection Log to see the messages being logged:
- Click Start, Programs, McAfee, VirusScan Console.
- Right-click Access Protection.
- Click View log file. The AccessProtectionLog.txt file opens.
NOTE: For an alternative method of viewing the Access Protection Log, see the Related Information section.
Review the recent entries in the Access Protection Log file:
Examine the log file and determine if the most recent log entries correspond to the time that the system began to exhibit problems. If the log entries do not correspond with the time that the problems occurred, the problems might not be related to Access Protection. In this scenario, see
KB66254.
If the log entries correspond with the problems, determine which are relevant and which are not, based on the two types of log entries. The two types are as follows:
- Messages reporting Would be blocked. Example:
Would be blocked by Access Protection rule (rule is currently not enforced) MyDomain\MyUser C:\Test. C:\MyProcess.exe Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked : Execute
Messages such as these are not the source of the problem and can be ignored. A Would be blocked message is only a warning. It indicates that a program could have been prevented from doing something if you had the rule configured to Block.
- Messages reporting that something was Blocked. Example:
Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Test.exe C:\MyFile.txt MyCustomRule Action blocked: Delete
This type of message shows that one of the VSE Access Protection rules has stopped a process from doing something. Use the following information to decipher the message.
- Messages reporting on a McAfee process which is normally trusted. Trust might not be established when a recent installation has been performed.
Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\Common Files\McAfee\DATReputation\mcdatrep.exe
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration
Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write
This type of message shows that a McAfee process has violated one of the VSE Access Protection rules. It might occur due to no trust relationship (legacy product) or trust is not established due to a recent install. Use the following information to decipher the message.
Decipher the Access Protection Log messages:
Below is a typical blocked message that can appear in the Access Protection Logs:
Blocked by Access Protection rule Domain\Username C:\WINDOWS\system32\CCM\CcmExec.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
The segments of the message, defined as follows, help you determine the application that is being blocked, the reason it was blocked (which Access Protection rule it triggered), and other important points:
- Domain\Username - indicates the Account or Credentials of the process that was blocked.
- C:\WINDOWS\system32\CCM\CcmExec.exe - indicates the name of the process that was blocked.
- C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe - indicates the name of the file/folder/process that is being protected.
- Common Standard Protection:Prevent termination of McAfee processes - indicates the Access Protection rule name that was triggered or violated.
- Action blocked : Terminate - indicates what action was being prevented.
Exclude appropriate processes from being blocked:
After you determine which process triggers which Access Protection rule, determine whether that process must continue to be blocked or must be excluded. This process might include following up with the owner of that process to find out what their process is doing that the Access Protection rule objects to.
If the process is trusted and causes the problems, you can exclude it in the following way:
Open the Access Protection properties
- Click Start, Programs, McAfee, VirusScan Console.
- Double-click Access Protection.
Locate the Access Protection rule that you want to modify
- The left window shows Categories of different Access Protection rules. The right window shows the actual rule names.
- The Access Protection log entry that you identified also tells you which Category the rule comes from.
Example: Common Standard Protection: Prevent termination of McAfee processes.
NOTE: In this example, the Category is Common Standard Protection and the rule name is Prevent termination of McAfee processes.
- Select the Category in the left Window, select the rule name in the right Window.
- Click Edit.
- Click inside the Processes to exclude textbox.
- Move the cursor to the end of the contents of the textbox.
- Add a comma (,), type the name of the process to exclude, and then click OK twice.
The process is now excluded.
You can read more about configuring Access Protection rules in the Product Guide for your version.
