McAfee Data Loss Prevention Endpoint (DLP Endpoint) 9.3 McAfee ePolicy Orchestrator (ePO) 5.x、4.x McAfee VirusScan Enterprise (VSE) 8.x
問題
1
VSE アクセス保護ログに以下のコード行が記録されます。
Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch Common Maximum Protection:Prevent programs registering as a service Action blocked : Create Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2 Common Maximum Protection:Prevent programs registering as a service Action blocked : Create Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch Common Maximum Protection:Prevent programs registering as a service Action blocked : Create Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\Windows\system32\svchost.exe \Registry\Machine\System\CurrentControlSet\Services\LanmanServer\Shares Common Maximum Protection:Prevent programs registering as a service Action blocked : Create Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch Common Maximum Protection:Prevent programs registering as a service Action blocked : Create Blocked by Access Protection rule NT AUTHORITY\LOCAL SERVICE C:\Windows\system32\svchost.exe \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2 Common Maximum Protection:Prevent programs registering as a service Action blocked : Create
問題
2
イベント ビューアーに、以下に情報が記録されます。
Error 1 :
ログ名: アプリケーション ソース: McLogEvent イベント ID: 257 タスク カテゴリ: なし レベル: 情報 キーワード: クラシック ユーザー: SYSTEM 説明: アクセス保護ルールによりブロックされました。 Access to object \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2 was blocked by rule Common Maximum Protection:Prevent programs registering as a service. Event Xml: 257 4 0 0x80000000000000 23620 Application
Blocked by access protection rule. Access to object \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2 was blocked by rule Common Maximum Protection:Prevent programs registering as a service.
Error 2 :
Log Name: Application Source: McLogEvent Event ID: 257 Task Category: None Level: Information Keywords: Classic User: SYSTEM Description: Blocked by access protection rule. Access to object \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch was blocked by rule Common Maximum Protection:Prevent programs registering as a service. Event Xml: 257 4 0 0x80000000000000 23619 Application
Blocked by access protection rule. Access to object \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch was blocked by rule Common Maximum Protection:Prevent programs registering as a service.
原因
Common Maximum Protection (共通最大保護) カテゴリの VSE アクセス保護ルール Prevent programs registering as a service (プログラムのサービスとしての登録を防止) でブロックを実行するようにレジストリが設定されています。
