Information regarding McAfee Access protection rule and ConfigMgr 2007 ccmexec.exe behavior

InfoButtonHi folks, my name is Vinayak Sharma and I would like to share some information regarding McAfee Access protection rule and ccmexec.exe behavior.

I have read a few McAfee articles where people were complaining about ccmexec.exe and why it triggers the McAfee Protection rule for all of the McAfee services: Prevent termination of McAfee processes i.e. FrameworkService.exe, VsTskMgr.exe, mfeann.exe, naPrdMgr.exe, mcshield.exe, UdaterUI.exe, McTray.exe and mcconsol.exe.

We can see the activity logged into the McAfee access protection log which is AccessProtectionLog.txt:

Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate

As per the article published by McAfee, it says that you need to exclude the ccmexec.exe process from the rule so this process does not terminate McAfee programs even though it does seek the "terminate process" privilege.

Here are my findings on this. When we install Configuration Manager Server it will by default enable the software metering agent on all of the client machines. The software metering agent monitors the software usage data on Configuration Manager 2007 clients, and with that said, the ConfigMgr 2007 client collects the usage data for all of the McAfee services so it needs read permissions on all of the McAfee *.exe files:

clip_image002

As you can see from the diagram above, ccmexec.exe is trying to query the file mcshield.exe and after that you can see that ccmexec.exe is trying to write the values into the mtrmgr.log which is the software metering log file where the ConfigMgr client stores all of the file usage information to forward to the server.

When the ConfigMgr agent collects the usage data for the McAfee services, The McAfee agent triggers an event that ccmexec.exe is trying to terminate the process.  So because of this, we can see that ccmexec.exe does not really want to terminate the McAfee process, it is just seeking the right to read the file information and usage for software metering and inventory collection purposes. The workaround is to create the Access protection rule in McAfee as per KB71970.

Vinayak Sharma | System Center Support Engineer

App-V Team blog: http://blogs.technet.com/appv/
AVIcode Team blog: http://blogs.technet.com/b/avicode
ConfigMgr Support Team blog: http://blogs.technet.com/configurationmgr/
DPM Team blog: http://blogs.technet.com/dpm/
MED-V Team blog: http://blogs.technet.com/medv/
OOB Support Team blog: http://blogs.technet.com/oob/
Opalis Team blog: http://blogs.technet.com/opalis
Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
OpsMgr Support Team blog: http://blogs.technet.com/operationsmgr/
SCMDM Support Team blog: http://blogs.technet.com/mdm/
SCVMM Team blog: http://blogs.technet.com/scvmm
Server App-V Team blog: http://blogs.technet.com/b/serverappv
Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center Essentials Team blog: http://blogs.technet.com/b/systemcenteressentials
WSUS Support Team blog: http://blogs.technet.com/sus/

clip_image001 clip_image002