Monitoring Splunk

Is it normal for Splunkd to attempt to terminate the McAfee Processes?

foxmccloud
Explorer

Hello,

I'm using McAfee VirusScan Enterprise and Host Intrusion Prevention (HIPS), and HIPS is reporting that Splunkd is triggering the following signature: "Prevent termination of McAfee processes".

It's attempting to "open with terminate" and "open with modify" the McAfee Process Validation Service (mfevtps.exe). It does this tens of thousands of times and is creating a lot of noise in the logs.

Is this normal behavior for Splunk? Does anyone know what it's actually trying to do to the McAfee service? Is it possible to make it stop?

Thanks.

0 Karma

foxmccloud
Explorer

9eagles, we never resolved this issue. It's possible it was a false positive. When using Sysinternals Process Explorer to open the file properties of mfevtps.exe and view the threads it was running, McAfee triggered the signature for "Prevent termination of McAfee processes", even though we weren't trying to terminate it. We've since shut down the server and plan to rebuild it due to other issues, so we're no longer troubleshooting.

0 Karma

9eagles
Explorer

Was this ever resolved?
I have the same problem although we have the exclusions in place as mentioned https://docs.splunk.com/Documentation/Splunk/7.1.1/ReleaseNotes/RunningSplunkalongsideWindowsantivir...

This is the error we receive in ePO:
***VIOLATION: [7] ------- Violation Logged ---- Size 888 ----
SignatureID="1052"
SignatureName="Linux Agent Shielding - Module Access"
SeverityLevel="4"
Reaction="3"
ProcessUserName="bin"
Process="/opt/splunk/bin/splunkd"
IncidentTime="2018-12-05 18:59:26"
AllowEx="True"
SigRuleClass="UNIX_misc"
ProcessId="2"
Session="11497"
SigRuleDirective="killagent"/>
name="process chain" allowex="False">/usr/lib/systemd/systemd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="process chain" allowex="False">/opt/splunk/bin/splunkd
name="uid" allowex="True">1002
name="pid" allowex="True">11497
name="signal" allowex="True">unknown


0 Karma

woodcock
Esteemed Legend
0 Karma

vidhyaArumalla
Path Finder

Ideally it should not conflict with McAfee Processes, please check if any port conflict exists

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Splunk advises not running anti-virus software on your Splunk servers as it can degrade performance. At the very least, you should exclude Splunk processes in McAfee. See https://docs.splunk.com/Documentation/Splunk/7.1.1/ReleaseNotes/RunningSplunkalongsideWindowsantivir....

---
If this reply helps you, an upvote would be appreciated.
0 Karma

foxmccloud
Explorer

I've already made these exceptions and McAfee is not interfering with Splunk processes; rather it's the other way around. Splunk is trying to terminate a McAfee process and I want to rule out process injection as a cause.

0 Karma

woodcock
Esteemed Legend

That makes no sense whatsoever. Splunk does not have this capability. I question the conclusions of whatever thing is telling you that this is happening.

0 Karma

MonkeyK
Builder

I do not think that this is normal. My company uses McAfee endpoint protection and I do not see these events.

woodcock
Esteemed Legend

I would definitely open a support case.

Azeemering
Builder

I tihink this is normal / ok.

The access protection rule Prevent Termination of McAfee Processes is triggered during the log in, log off, shut down, and locking processes. The splunkd process is accessing and enumerating the running processes with a permission set that allows it to terminate processes, though it might not actually be attempting to terminate processes.

You can add the splunkd process to exclusions in the VSE policies (Access Protection policies)

Just make sure you check this with Splunk support first.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!