
Common Standard Protection rule "Prevent termination of McAfee processes" is triggered on Windows 8, 8.1, and 2012 Server
Technical Articles ID: KB84015
Last Modified: 2015/05/8


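Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 3 and later
Microsoft Windows 8, 8.1
Microsoft Windows 2012 Server

Problem

The Access Protection rule "Prevent termination of McAfee processes" is triggered during logon, logoff, shutdown, and lock.

The following is an example of what is recorded in the Access Protection log: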

 
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Windows\system32\mfevtps.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Windows\system32\mfevtps.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\naPrdMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VSCore\x64\mfehidin.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Windows\system32\mfevtps.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate


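Cause

A service running in SvcHost.exe, or a third-party process, is accessing and enumerating running processes with a permission set that allows process termination, even though it might not actually be attempting to terminate a process.

Svchost.exe is a process on your computer that hosts, or contains, other individual services that Windows uses to perform various functions. For example, Windows Defender uses a service that is hosted by a svchost.exe process. Multiple instances of svchost.exe can run on the computer, each hosting different services. One instance of svchost.exe might host a single service for a program, while another instance might host several services related to Windows. You can use Task Manager to see which services are running under each instance of svchost.exe.

Some third-party applications enumerate processes with the terminate-process permission. This causes the rule to be triggered many times per minute, depending on the application.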
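A triage sketch for the log format shown above, added here as an example and not McAfee's own tooling: it parses Access Protection log lines, groups blocked Terminate events for this rule by user and source process, and marks the svchost.exe-as-SYSTEM pattern this article describes. The whitespace-separated layout is assumed from the sample; the ExampleVendor path and EXAMPLE\svc_inventory account are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Fields: timestamp, user, source process, target process, rule, blocked action.
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\s+Blocked by Access Protection rule\s+"
    r"(?P<user>.+?)\s+(?P<source>[A-Za-z]:\\.+?\.exe)\s+(?P<target>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<rule>.+?)\s+Action blocked : (?P<action>\w+)\s*$", re.IGNORECASE)
RULE = "Common Standard Protection:Prevent termination of McAfee processes"
# User/source pair the article describes as expected (compared in lower case).
EXPECTED = ("nt authority\\system", "c:\\windows\\system32\\svchost.exe")

# Constructed sample: three lines copied from the article's log, then two
# invented lines (hypothetical ExampleVendor agent and service account).
SAMPLE_LOG = r"""
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:52 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Windows\system32\mfevtps.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 12:52:53 PM Blocked by Access Protection rule  NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe C:\Program Files (x86)\McAfee\VirusScan Enterprise\mfeann.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 1:05:10 PM Blocked by Access Protection rule  EXAMPLE\svc_inventory C:\Program Files\ExampleVendor\inventory.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
2/20/2015 1:06:02 PM Blocked by Access Protection rule  EXAMPLE\svc_inventory C:\Program Files\ExampleVendor\inventory.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
"""

def parse_line(line):
    """Return one log line as a dict, or None if it is not a block event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%m/%d/%Y %I:%M:%S %p")
    return event

def summarize(log_text):
    """Group blocked Terminate events for this rule by (user, source process)."""
    groups = defaultdict(lambda: {"count": 0, "targets": set(), "minutes": Counter()})
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["rule"] != RULE or event["action"] != "Terminate":
            continue
        g = groups[(event["user"], event["source"].lower())]
        g["count"] += 1
        g["targets"].add(event["target"].rsplit("\\", 1)[-1])  # file name only
        g["minutes"][event["ts"].replace(second=0)] += 1       # bucket by minute
    return {key: {"count": g["count"], "targets": sorted(g["targets"]),
                  "peak_per_minute": max(g["minutes"].values()),
                  "expected": (key[0].lower(), key[1]) == EXPECTED}
            for key, g in groups.items()}
```

A source not marked `expected` is a candidate for the third-party application case described above and is worth identifying by name.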

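Solution

This is expected behavior; VSE is functioning as designed.

The rule is triggered because it is a self-protection rule that serves as a security measure to prevent any third-party tool or malware from disabling VSE protection.

For further root cause analysis or information, contact Microsoft.

Disclaimer

The content of this article originated in English. If there are differences between the English content and its translation, the English content should always prevail. Part of this content was translated using machine translation technology provided by Microsoft.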
