How to resolve issues caused by Access Protection rules and Behavior Blocking
Technical Articles ID:   KB73080
Last Modified:  11/3/2016
Environment

McAfee VirusScan Enterprise (VSE) 8.x

Summary

This article provides troubleshooting steps and advice to assist in the following common scenarios:
  • An application stops working after installing VSE.
  • Email stops sending successfully after installing VSE.
  • A McAfee process has not established trust with Access Protection due to a recent install.
This article explains how to determine if the VSE Access Protection feature is the source of these issues and, if so, provides steps to resolve these issues.

Problem

An entry is written to the Access Protection log in one of the following formats:
  • A rule was violated, and the rule is set to Warn only:
    <date> <time> Would be blocked by Access Protection rule (rule is currently not enforced) <domain>\<username> ProcessName Target RuleName Action blocked : <action>
     
  • A rule was violated, and the rule is set to Warn and Block:
    <date> <time> Blocked by Access Protection rule <domain>\<username> ProcessName Target RuleName Action blocked : <action>

Solution

CAUTION: This article contains information about opening or modifying the registry.
  • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
  • Before proceeding, Technical Support strongly recommends that you back up your registry and understand the restore process. For more information, see: http://support.microsoft.com/kb/256986.
  • Do not run a REG file that is not confirmed to be a genuine registry import file.


View the Access Protection Log to see the messages being logged:
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Right-click Access Protection.
  3. Click View log file. The AccessProtectionLog.txt file opens.
NOTE: For an alternative method of viewing the Access Protection Log, see the Related Information section.


Review the recent entries in the Access Protection Log file:
Examine the log file and determine whether the most recent entries correspond to the time at which the system began exhibiting problems. If no entries fall around that time, the problems are probably not caused by Access Protection; in that case, refer to Knowledge Base article KB66254.

If the log entries correspond with the problems, determine which are relevant and which are not, based on the two types of log entries. The two types are as follows:
  • Messages reporting Would be blocked. Example:

    8/10/2011 1:42:53 PM Would be blocked by Access Protection rule (rule is currently not enforced) MyDomain\MyUser C:\Test. C:\MyProcess.exe Common Standard Protection:Prevent common programs from running files from the Temp folder Action blocked : Execute

    Messages such as these are not the source of the problem and can be ignored for this troubleshooting. A Would be blocked message is only a warning: it records what the rule would have stopped had it been set to Block. These entries are still worth reading before you switch a rule from Warn to Block, because they show exactly which processes the rule will start interfering with.

     
  • Messages reporting that something was Blocked. Example:

    8/22/2011 9:05:34 AM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Test.exe C:\MyFile.txt MyCustomRule Action blocked : Delete

    This type of message shows that one of the VSE Access Protection rules has stopped a process from doing something. Use the following information to decipher the message.

  • Messages reporting that a McAfee process, which is normally trusted, was blocked. Trust might not yet be established immediately after a recent installation. Example:

    6/30/2015 4:20:59 PM Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Program Files (x86)\Common Files\McAfee\DATReputation\mcdatrep.exe
    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration
    Common Standard Protection:Prevent modification of McAfee files and settings Action blocked : Write

    This type of message shows that a McAfee process has violated one of the VSE Access Protection rules. This can happen when no trust relationship exists (a legacy product) or when trust has not yet been established after a recent install. Use the following information to decipher the message.


Decipher the Access Protection Log messages:
Below is a typical blocked message that can appear in the Access Protection Logs:
 
9/29/2011 8:55:09 AM Blocked by Access Protection rule Domain\Username C:\WINDOWS\system32\CCM\CcmExec.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
 

The segments of the message, defined as follows, help you determine which application was blocked, why it was blocked (which Access Protection rule it triggered), and other important points:
  • Domain\Username indicates the account under which the blocked process was running.
  • C:\WINDOWS\system32\CCM\CcmExec.exe indicates the full path of the process that was blocked.
  • C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe indicates the target the rule protects: the file, folder, process, or registry key the blocked process tried to act on.
  • Common Standard Protection:Prevent termination of McAfee processes indicates the Access Protection rule that was triggered, in the form Category:Rule name.
  • Action blocked : Terminate indicates which action was prevented.
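The review and decipher steps above lend themselves to a small script when the log is long. The following is an added example and is not code from McAfee or from this article. It assumes the on-disk AccessProtectionLog.txt carries the eight segments described above as tab-separated fields (the article renders them with spaces), and the sample lines are constructed from the article's examples with made-up timestamps placed around one incident time. It separates warn-only entries from enforced blocks, keeps only blocks near the time the problem started, flags blocks whose offending process is itself a McAfee binary (the trust case, not an exclusion candidate), and counts the remaining (process, rule, action) triples so the process name and rule you need for an exclusion surface first.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Event text exactly as the article shows it in the Problem section.
WARN_ONLY_PREFIX = "Would be blocked by Access Protection rule"
BLOCKED_PREFIX = "Blocked by Access Protection rule"
ACTION_RE = re.compile(r"^Action blocked\s*:\s*(.+?)\s*$")
TIMESTAMP_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse_entry(line):
    """Split one log line into named segments; None if it does not fit.

    Assumption: date, time, event, domain\\user, process, target, rule and
    action are tab-separated. A damaged line must never become an exclusion.
    """
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 8:
        return None
    date, time_, event, user, process, target, rule, action_field = parts[:8]
    if event.startswith(WARN_ONLY_PREFIX):
        enforced = False
    elif event.startswith(BLOCKED_PREFIX):
        enforced = True
    else:
        return None
    action = ACTION_RE.match(action_field)
    if action is None:
        return None
    try:
        when = datetime.strptime(f"{date} {time_}", TIMESTAMP_FMT)
    except ValueError:
        return None
    # Built-in rules are logged as "Category:Rule name"; a user-defined rule
    # such as "MyCustomRule" carries no category prefix.
    category, sep, rule_name = rule.partition(":")
    if not sep:
        category, rule_name = "", rule
    return {"when": when, "enforced": enforced, "user": user, "process": process,
            "target": target, "category": category, "rule": rule_name,
            "action": action.group(1)}


def is_mcafee_process(process_path):
    """True when the blocked process is itself a McAfee binary (trust case)."""
    return "\\mcafee\\" in process_path.lower()


def triage(lines, problem_started, window=timedelta(minutes=30)):
    """Bucket entries the way the article reads them: only enforced blocks
    within `window` of the reported failure are exclusion candidates."""
    buckets = {"relevant": [], "warn_only": [], "out_of_window": [], "unparsed": []}
    for line in lines:
        if not line.strip():
            continue
        entry = parse_entry(line)
        if entry is None:
            buckets["unparsed"].append(line)
        elif not entry["enforced"]:
            buckets["warn_only"].append(entry)
        elif abs(entry["when"] - problem_started) > window:
            buckets["out_of_window"].append(entry)
        else:
            buckets["relevant"].append(entry)
    return buckets


def summarize(entries):
    """Count (process name, category, rule, action): the name is what goes in
    'Processes to exclude'; category and rule say which rule to edit."""
    return Counter((e["process"].rsplit("\\", 1)[-1], e["category"], e["rule"], e["action"])
                   for e in entries)


# Constructed sample log adapted from the article's examples (tab-separated).
SAMPLE_LOG = [
    "\t".join(["9/29/2011", "8:40:12 AM",
               "Would be blocked by Access Protection rule (rule is currently not enforced)",
               "MyDomain\\MyUser", "C:\\MyProcess.exe", "C:\\Temp\\Test.exe",
               "Common Standard Protection:Prevent common programs from running files from the Temp folder",
               "Action blocked : Execute"]),
    "\t".join(["9/29/2011", "8:55:09 AM", "Blocked by Access Protection rule",
               "Domain\\Username", "C:\\WINDOWS\\system32\\CCM\\CcmExec.exe",
               "C:\\Program Files\\Common Files\\McAfee\\SystemCore\\mcshield.exe",
               "Common Standard Protection:Prevent termination of McAfee processes",
               "Action blocked : Terminate"]),
    "\t".join(["9/29/2011", "8:56:30 AM", "Blocked by Access Protection rule",
               "NT AUTHORITY\\SYSTEM",
               "C:\\Program Files (x86)\\Common Files\\McAfee\\DATReputation\\mcdatrep.exe",
               "\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\McAfee\\SystemCore\\VSCore\\On Access Scanner\\McShield\\Configuration",
               "Common Standard Protection:Prevent modification of McAfee files and settings",
               "Action blocked : Write"]),
    "\t".join(["8/22/2011", "9:05:34 AM", "Blocked by Access Protection rule",
               "NT AUTHORITY\\SYSTEM", "C:\\Test.exe", "C:\\MyFile.txt", "MyCustomRule",
               "Action blocked : Delete"]),
    "9/29/2011 8:57:00 AM truncated by log rollover",  # deliberately damaged line
]
PROBLEM_STARTED = datetime(2011, 9, 29, 8, 50)  # assumed time the user reported the failure


def run_sample():
    return triage(SAMPLE_LOG, PROBLEM_STARTED)


if __name__ == "__main__":
    result = run_sample()
    for name, rows in result.items():
        print(f"{name}: {len(rows)}")
    for e in result["relevant"]:
        note = "McAfee process, trust issue" if is_mcafee_process(e["process"]) else "check with process owner"
        print(f"{e['when']:%Y-%m-%d %H:%M:%S} {e['user']} {e['process']} -> {e['target']} "
              f"[{e['category']}: {e['rule']}] {e['action']} ({note})")
    for key, n in summarize(result["relevant"]).most_common():
        print(n, key)
```

On the sample, the warn-only entry and the 22 August block fall out, the damaged line is reported rather than guessed at, and the two remaining blocks are the CcmExec.exe termination attempt (something to raise with the process owner before excluding it) and the mcdatrep.exe registry write, which the McAfee-path check marks as the trust case rather than an exclusion candidate.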


Exclude appropriate processes from being blocked:
After determining which process is triggering which Access Protection rule, decide whether that process should continue to be blocked or whether it should be excluded. This might include following up with the owner of that process to find out what it is doing that the Access Protection rule objects to. Be especially careful with the McAfee self-protection rules (for example, Prevent termination of McAfee processes): before excluding a process from one of them, confirm that the binary at the logged path is the legitimate one, because the exclusion is keyed on the process name rather than on its path or publisher, and any process with that name then gets the same exemption.

If the process is trusted and is causing the problems, you can exclude it in the following way:

Open the Access Protection properties
  1. Click Start, Programs, McAfee, VirusScan Console.
  2. Double-click Access Protection.
Locate the Access Protection rule that you want to modify
  • The left window shows Categories of different Access Protection rules. The right window shows the actual rule names.
  • The Access Protection log entry that you identified also tells you which Category the rule comes from.
Example: Common Standard Protection: Prevent termination of McAfee processes. 

NOTE: In this example the Category is Common Standard Protection and the rule name is Prevent termination of McAfee processes.
  1. Select the Category in the left window, then select the rule name in the right window.
  2. Click Edit, located below the right window.
  3. Click inside the Processes to exclude text box.
  4. Move the cursor to the end of the contents of the box.
  5. Add a comma (,), type the name of the process to exclude, and then click OK twice.
The process is now excluded from that rule only; all other Access Protection rules still apply to it.
 
You can read more about configuring Access Protection rules in the Product Guide for your version.
For a full list of product documents, go to the ServicePortal at: http://support.mcafee.com. Click Knowledge Center, and select Product Documentation from the Knowledge Base list.
