O Dell Endpoint Security Suite Enterprise e o McAfee podem alertar sobre CylanceSvc.exe em Todas as inicializações

Produtos afetados:

Dell Endpoint Security Suite Enterprise

Versões afetadas:

v2.8 to 2.9

Figura 1: (Somente em inglês) Alerta no console do servidor

Os eventos no C:\Programdata\Dell\Dell Data Protection\DellAgent.log podem ter entradas semelhantes a esta:

 [04912] (00008) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfefw.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

 [04912] (00007) W AVAS : received Information threat protection event: BO=SP Id=1092
 [04912] (00007) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfewc.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

 [04912] (00004) W AVAS : received Information threat protection event: BO=SP Id=1092
 [04912] (00004) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfeesp.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

 [04912] (00007) W AVAS : received Information threat protection event: BO=SP Id=1092
 [04912] (00007) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfewch.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

O switch McAfee SelfProtection_Activity.log podem ter entradas como a seguinte:

mfeesp(7716.9896)  ApBl.SP.Activity: NT AUTHORITY\SYSTEM ran CYLANCESVC.EXE, which attempted to access MFEWC.EXE, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

mfeesp(7716.9896)  ApBl.SP.Activity: NT AUTHORITY\SYSTEM ran CYLANCESVC.EXE, which attempted to access MFEESP.EXE, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

mfeesp(7716.9896)  ApBl.SP.Activity: NT AUTHORITY\SYSTEM ran CYLANCESVC.EXE, which attempted to access MFEFW.EXE, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

mfeesp(7716.9900)  ApBl.SP.Activity: SPRINGSCREATIVE\jcampbe-la ran IE4UINIT.EXE, which tried to access HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ENABLE BROWSER EXTENSIONS, violating the rule "Web Control - Protect plug-in registry keys and values", and was blocked. For information about how to respond to this event, see KB85494.

O certificado de assinatura da McAfee não está respeitando o certificado do Cylance e requer uma atualização.

Esse problema foi resolvido no Dell Endpoint Security Suite Enterprise v3.0 para Windows.

Para entrar em contato com o suporte, consulte Números de telefone do suporte internacional do Dell Data Security.
Acesse o TechDirect para gerar uma solicitação de suporte técnico on-line.
Para obter insights e recursos adicionais, participe do Fórum da comunidade de segurança da Dell.