Dell Endpoint Security Suite Enterprise and McAfee May Alert on CylanceSvc.exe at Every Boot

Affected Products:

Dell Endpoint Security Suite Enterprise

Affected Versions:

v2.8 to 2.9

Figure 1: (English Only) Alert in Server Console

The events in the C:\Programdata\Dell\Dell Data Protection\DellAgent.log may have entries similar to this:

 [04912] (00008) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfefw.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

 [04912] (00007) W AVAS : received Information threat protection event: BO=SP Id=1092
 [04912] (00007) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfewc.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

 [04912] (00004) W AVAS : received Information threat protection event: BO=SP Id=1092
 [04912] (00004) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfeesp.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

 [04912] (00007) W AVAS : received Information threat protection event: BO=SP Id=1092
 [04912] (00007) W AVAS : NT AUTHORITY\SYSTEM ran C:\Program Files\Dell\Dell Data Protection\Advanced Threat Protection\CylanceSvc.exe, which attempted to access the process mfewch.exe, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

The McAfee SelfProtection_Activity.log may have entries like the following:

mfeesp(7716.9896)  ApBl.SP.Activity: NT AUTHORITY\SYSTEM ran CYLANCESVC.EXE, which attempted to access MFEWC.EXE, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

mfeesp(7716.9896)  ApBl.SP.Activity: NT AUTHORITY\SYSTEM ran CYLANCESVC.EXE, which attempted to access MFEESP.EXE, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

mfeesp(7716.9896)  ApBl.SP.Activity: NT AUTHORITY\SYSTEM ran CYLANCESVC.EXE, which attempted to access MFEFW.EXE, violating the rule "Core Protection - Protect McAfee processes from unauthorized access and termination", and was blocked. For information about how to respond to this event, see KB85494.

mfeesp(7716.9900)  ApBl.SP.Activity: SPRINGSCREATIVE\jcampbe-la ran IE4UINIT.EXE, which tried to access HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\ENABLE BROWSER EXTENSIONS, violating the rule "Web Control - Protect plug-in registry keys and values", and was blocked. For information about how to respond to this event, see KB85494.

The signing certificate from McAfee is not respecting the Cylance certificate and requires an update.

The issue is resolved in Dell Endpoint Security Suite Enterprise v3.0 for Windows.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.