Hello,
I'm using McAfee VirusScan Enterprise and Host Intrusion Prevention (HIPS), and HIPS is reporting that Splunkd is triggering the following signature: "Prevent termination of McAfee processes".
It's attempting to "open with terminate" and "open with modify" the McAfee Process Validation Service (mfevtps.exe). It does this tens of thousands of times and is creating a lot of noise in the logs.
Is this normal behavior for Splunk? Does anyone know what it's actually trying to do to the McAfee service? Is it possible to make it stop?
Thanks.
9eagles, we never resolved this issue. It's possible it was a false positive. When using Sysinternals Process Explorer to open the file properties of mfevtps.exe and view the threads it was running, McAfee triggered the signature for "Prevent termination of McAfee processes", even though we weren't trying to terminate it. We've since shut down the server and plan to rebuild it due to other issues, so we're no longer troubleshooting.
Was this ever resolved?
I have the same problem although we have the exclusions in place as mentioned https://docs.splunk.com/Documentation/Splunk/7.1.1/ReleaseNotes/RunningSplunkalongsideWindowsantivir...
This is the error we receive in ePO:
***VIOLATION: [7] ------- Violation Logged ---- Size 888 ----
SignatureID="1052"
SignatureName="Linux Agent Shielding - Module Access"
SeverityLevel="4"
Reaction="3"
ProcessUserName="bin"
Process="/opt/splunk/bin/splunkd"
IncidentTime="2018-12-05 18:59:26"
AllowEx="True"
SigRuleClass="UNIX_misc"
ProcessId="2"
Session="11497"
SigRuleDirective="killagent"/>
name="process chain" allowex="False">/usr/lib/systemd/systemd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="uid" allowex="True">1002
name="pid" allowex="True">11497
name="signal" allowex="True">unknown
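A small parser for ePO HIPS violation records in the flattened form shown above, added here as an example and not code from any post in this thread or from Splunk or McAfee; it assumes the record layout seen above (key="value" field lines followed by name="..." allowex="...">value parameter lines) and uses a constructed copy of that record as input. Pulling out the process chain is the quick way to confirm the events come from splunkd started under systemd rather than from some unexpected parent.

```python
import re
from collections import defaultdict

# Constructed sample: the ePO HIPS violation record posted above, as it appears on the page.
SAMPLE_RECORD = """***VIOLATION: [7] ------- Violation Logged ---- Size 888 ----
SignatureID="1052"
SignatureName="Linux Agent Shielding - Module Access"
SeverityLevel="4"
Reaction="3"
ProcessUserName="bin"
Process="/opt/splunk/bin/splunkd"
IncidentTime="2018-12-05 18:59:26"
AllowEx="True"
SigRuleClass="UNIX_misc"
ProcessId="2"
Session="11497"
SigRuleDirective="killagent"/>
name="process chain" allowex="False">/usr/lib/systemd/systemd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="uid" allowex="True">1002
name="pid" allowex="True">11497
name="signal" allowex="True">unknown
"""

FIELD_RE = re.compile(r'^(\w+)="([^"]*)"/?>?$')                   # e.g. SignatureID="1052"
PARAM_RE = re.compile(r'^name="([^"]+)"\s+allowex="[^"]*">(.*)$')  # e.g. name="pid" allowex="True">11497

def parse_violation(text):
    """Parse one record into a dict; repeated params (the process chain) become an ordered list."""
    record = {"params": defaultdict(list)}
    for line in text.splitlines():
        line = line.strip()
        m = FIELD_RE.match(line)
        if m:
            record[m.group(1)] = m.group(2)
            continue
        m = PARAM_RE.match(line)
        if m:
            record["params"][m.group(1)].append(m.group(2))
    record["params"] = dict(record["params"])
    return record

def chain_is_expected(record, allowed):
    """True if every binary in the process chain is allowlisted; anything else deserves a look."""
    chain = record["params"].get("process chain", [])
    return bool(chain) and all(p in allowed for p in chain)
```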
Ideally it should not conflict with McAfee processes; please check whether any port conflict exists.
Splunk advises not running anti-virus software on your Splunk servers as it can degrade performance. At the very least, you should exclude Splunk processes in McAfee. See https://docs.splunk.com/Documentation/Splunk/7.1.1/ReleaseNotes/RunningSplunkalongsideWindowsantivir....
I've already made these exceptions and McAfee is not interfering with Splunk processes; rather it's the other way around. Splunk is trying to terminate a McAfee process and I want to rule out process injection as a cause.
That makes no sense whatsoever. Splunk does not have this capability. I question the conclusions of whatever thing is telling you that this is happening.
I do not think that this is normal. My company uses McAfee endpoint protection and I do not see these events.
I would definitely open a support case.
I think this is normal / OK.
The access protection rule Prevent Termination of McAfee Processes is triggered during the log in, log off, shut down, and locking processes. The splunkd process is accessing and enumerating the running processes with a permission set that allows it to terminate processes, though it might not actually be attempting to terminate processes.
You can add the splunkd process to the exclusions in the VSE policies (Access Protection policies).
Just make sure you check this with Splunk support first.