VirusScan Enterprise Access Protection blocks excluded processes

技术文章 ID: KB84900
上次修改时间: 6/24/2020

环境

McAfee VirusScan Enterprise (VSE) 8.8 Patch 5

问题

Access Protection (AP) blocks an excluded process.

AP rules designed to block execution of processes (where there are processes to exclude defined for that rule) might also block the excluded processes. In other words, the excluded processes are not being properly excluded.

Mitigating factors

The issue does not affect Windows XP 64.
The issue is applicable only to AP rules that block the Execute action.
The rule must be enabled to Block; the issue does not occur for Report-only configurations.
The rule must also contain Processes to Exclude.

问题

AP does not honor the Processes To Exclude list.

系统更改

You installed Patch 5 for VirusScan Enterprise 8.8.

原因

The VSE technology that facilitates AP changes in Patch 5 now uses Arbitrary Access Control (AAC). AAC includes a backward compatible translation layer for interpreting the VSE AP rules to convert them to AAC rules.

This issue occurs because AP rules that block the EXECUTE action continue to block any Processes to Exclude. The translated rule involves a User-mode check and a Kernel-mode check, but only the User-mode check is honoring the excluded processes list. When the kernel-mode check occurs, it results in a deny. So, the net response of the rule processing is to Block.

解决方案

This issue is resolved in VSE 8.8 Patch 6 and later.

VSE 8.8 Patch 16 is the latest patch available from the Downloads tab on the ServicePortal at https://support.mcafee.com/downloads.

NOTE: VSE 8.8 Patch 16 supports all supported Windows operating systems.

解决方法

When the affected AP rule is one of the VSE default AP rules that has been enabled, you can do one of the following:

Disable the affected rule.
Disable the affected rule and create your own version of it.

You can still maintain effectiveness of the rule by enabling the block Read option instead of Execute.
Downgrading is possible but not recommended. It requires that you uninstall all installed McAfee products that use common driver code, and then reinstall those products while ensuring VSE is on the older patch level. (Check with Technical Support if you are uncertain which of your products are affected.)

NOTE: Installing upgrades to other McAfee products that use our common driver code and updating to the 15.3 core version can also introduce this issue for VSE.

When the affected AP rule is one you have created, you can do one of the following:

Disable the affected rule.
Modify the affected rule and remove the option to block Execute.

You can still maintain the effectiveness of the rule by enabling the block Read option.
Revisit the purpose of the rule. Can the problem be solved using a different approach that does not require blocking the Execute action?

受影响的产品

Known Issue/Product Defect
VirusScan Enterprise 8.8

语言:

此文章有以下语言版本：

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

技术术语词汇表

突出显示词汇表术语

请花点时间浏览一下我们的技术术语词汇表。

Knowledge Center

VirusScan Enterprise Access Protection blocks excluded processes

环境

问题

问题

系统更改

原因

解决方案

解决方法

相关信息

受影响的产品

语言:

技术术语词汇表

Title

Title

Knowledge Center

VirusScan Enterprise Access Protection blocks excluded processes

环境

问题

问题

系统更改

原因

解决方案

解决方法

相关信息

受影响的产品

语言:

技术术语词汇表

选择您的区域

Title

Title