Non-configurable VirusScan Enterprise Access Protection rule "G_BehavioralScan:BS01" is triggered on systems when the HOSTS file is accessed

Technical Articles ID: KB87857
Last Modified: 1/29/2020

Environment

McAfee VirusScan Enterprise (VSE) 8.8 Patch 8

For details of VSE supported environments, see KB51111.

Problem

The VSE AccessProtectionLog.txt contains lines similar to the following:

<date> Would be blocked by Access Protection rule (rule is currently not enforced) <User> C:\PROGRAM FILES (X86)\NOTEPAD++\NOTEPAD++.EXE C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS G_BehavioralScan:BS01 Action blocked : Write

System Change

You installed VSE 8.8 Patch 8.

Cause

The log entry is an Access Protection notification that a process, "NOTEPAD++.EXE" in the above example, has tried to modify or access the HOSTS file. Access Protection does not enforce this rule, and access to the requested resource by the requesting process is granted.

Some processes, such as VPN clients, might need to frequently modify or open and close the HOSTS file during their normal operation. So, the rule might be triggered more or less frequently.

Also, an event is created on the client that is uploaded to the ePolicy Orchestrator (ePO) server. This event notifies the ePO administrator that the rule has been triggered (ePO Event ID: 1095). The rule can't be configured or changed through ePO policy or the VSE GUI.

Solution

VSE 8.8 Patch 8 erroneously reports on this rule. In VSE 8.8 Patch 9, the behavior is changed so that the rule is in non-reporting mode. So, it is not available for management through ePO policy or the VSE GUI.

This issue is resolved in VirusScan Enterprise 8.8.0 Update 9, which is available from the Product Downloads site at: https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Updates are cumulative; Technical Support recommends that you install the latest one.

Related Information

Common search terms to find this article: G_BehavioralScan, BS01

Affected Products

Known Issue/Product Defect
VirusScan Enterprise 8.8

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Japanese
Portuguese Brasileiro

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center

Non-configurable VirusScan Enterprise Access Protection rule "G_BehavioralScan:BS01" is triggered on systems when the HOSTS file is accessed

Environment

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Title

Title

Knowledge Center

Non-configurable VirusScan Enterprise Access Protection rule "G_BehavioralScan:BS01" is triggered on systems when the HOSTS file is accessed

Environment

Problem

System Change

Cause

Solution

Related Information

Affected Products

Languages:

Glossary of Technical Terms

Choose your region

Title

Title