Hi folks, my name is Vinayak Sharma and I would like to share some information regarding the McAfee Access Protection rule and ccmexec.exe behavior.
I have read a few McAfee articles where people were complaining about ccmexec.exe and asking why it triggers the McAfee Access Protection rule "Prevent termination of McAfee processes" for all of the McAfee services, i.e. FrameworkService.exe, VsTskMgr.exe, mfeann.exe, naPrdMgr.exe, mcshield.exe, UdaterUI.exe, McTray.exe and mcconsol.exe.
We can see the activity logged in the McAfee Access Protection log, AccessProtectionLog.txt:
Blocked by Access Protection rule NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe Common Standard Protection:Prevent termination of McAfee processes Action blocked : Terminate
The article published by McAfee says that you need to exclude the ccmexec.exe process from the rule; this process does not terminate McAfee programs even though it does seek the "terminate process" privilege.
Here are my findings on this. When we install Configuration Manager Server, it enables the software metering agent on all of the client machines by default. The software metering agent monitors software usage data on Configuration Manager 2007 clients. As part of that, the ConfigMgr 2007 client collects the usage data for all of the McAfee services, so it needs read permissions on all of the McAfee *.exe files:
As you can see from the diagram above, ccmexec.exe is trying to query the file mcshield.exe, and after that ccmexec.exe is trying to write the values into mtrmgr.log, the software metering log file where the ConfigMgr client stores all of the file usage information to forward to the server.
When the ConfigMgr agent collects the usage data for the McAfee services, the McAfee agent triggers an event saying that ccmexec.exe is trying to terminate the process. From this we can see that ccmexec.exe does not really want to terminate the McAfee process; it is just seeking the right to read the file information and usage for software metering and inventory collection purposes. The workaround is to create the Access Protection rule in McAfee as per KB71970.
Vinayak Sharma | System Center Support Engineer
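Before adding the exclusion, it helps to confirm which processes actually trip the rule and from which path. The following is an added example, not part of the original post and not McAfee or Microsoft tooling: it parses entries in the space-separated form quoted above and counts blocks per source path and target. The function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter
from ntpath import basename  # parses Windows paths on any OS

RULE = "Common Standard Protection:Prevent termination of McAfee processes"
EXPECTED_SOURCE = r"C:\WINDOWS\system32\CCM\CcmExec.exe"  # path from the post's log entry

# Space-separated form shown in the post; text before the marker (assumed timestamp) is ignored.
ENTRY = re.compile(
    r"Blocked by Access Protection rule\s+(?P<user>.+?)\s+"
    r"(?P<source>[A-Za-z]:\\.+?\.exe)\s+(?P<target>[A-Za-z]:\\.+?\.exe)\s+"
    r"(?P<rule>.+?)\s+Action blocked\s*:\s*(?P<action>\S+)",
    re.IGNORECASE,
)

def parse(line):
    """Return the entry's fields as a dict, or None for any other line."""
    m = ENTRY.search(line)
    return m.groupdict() if m else None

def summarize(lines, rule=RULE):
    """Count blocks for one rule, keyed by (source path, target exe, action)."""
    counts = Counter()
    for entry in filter(None, map(parse, lines)):
        if entry["rule"].lower() == rule.lower():
            key = (entry["source"].lower(), basename(entry["target"]).lower(), entry["action"])
            counts[key] += 1
    return counts

def unexpected_sources(counts, expected=EXPECTED_SOURCE):
    """Source paths hitting the rule other than the one the exclusion is meant for."""
    return sorted({src for src, _, _ in counts if src != expected.lower()})

_HEAD = r"Blocked by Access Protection rule NT AUTHORITY\SYSTEM "
_CCM = r"C:\WINDOWS\system32\CCM\CcmExec.exe "
_TAIL = " " + RULE + " Action blocked : Terminate"
# Constructed sample: line 1 is the entry from the post, the rest are made up.
SAMPLE = [
    _HEAD + _CCM + r"C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe" + _TAIL,
    _HEAD + _CCM + r"C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe" + _TAIL,
    _HEAD + _CCM + r"C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe" + _TAIL,
    _HEAD + r"C:\Temp\example.exe C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe" + _TAIL,
]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for (src, tgt, action), n in counts.most_common():
        print(f"{n:3d}  {src} -> {tgt}  [{action}]")
    print("unexpected sources:", unexpected_sources(counts))
```

If `unexpected_sources` returns anything, those entries deserve a look before the rule is relaxed for ccmexec.exe.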
Good work Vinayak. It is a good article in terms of the content and topic and really helpful in troubleshooting. You should put some tags so that it is easily searchable.
And keep working.
Great work bro, you have provided a valuable info. Keep it up!!!
Great article, too bad you didn't include the Data column in ProcMon that shows what rights were requested when the file handle was opened. ccmexec.exe has a nasty habit of opening all files with Full Rights just to read file properties. If Microsoft would follow their own coding best practices and open the file with only the required permissions to perform the QueryBasicFileInformation action, McAfee wouldn't care. The same thing happens with the "Hardware Inventory" that collects which EXEs/DLLs are saved to disk. If you have any tools (not just McAfee) configured to block execute file system access to known-bad file names, ccmexec.exe will never inventory those files.
Thank you for sharing.
I am looking at AccessProtectionLog.txt in Windows 7 SP1 with McAfee 8.8 client and the error is not there.
Is it something that has been resolved?
Does excluding ccmexec.exe from access protection work with SCCM 2012 too?
I have upgraded my SCCM 2012 site to SCCM 2012 SP1 and McAfee was installed on the server, because of which I was not able to update the boot image.