Mcshield.exe is trying to terminate smss.exe

Hello,

I've been using Windows 2003 Server Enterprise(from msdn), McAfee Virus Scan Enterprise + Antispyware 8.0, ProcessGuard v3.150 Free.

Today PG alarted me that C:\Program Files\Network Associates\VirusScan\Mcshield.exe is blocked from terminating C:\Windows\system32\smss.exe. I haven't encountered this alart before, and I wonder why mcshield wanted to do that.

Should I allow it or not?

Thanks for your help.

 

Hi Elliot,

This is the info that WinPatrol has for smss.exe:

Session Manager Subsystem - SMSS.EXE

An early part of the Windows Boot sequence this "native" application is responsible for many boot tasks including chkdsk, security tokens, driver initialization, WinLogon and other tasks required before the user interface is available.
It's also used during Windows setup allowing users to install or repair installations before the Windows UI is activated.

Default Processes in Windows 2000 (Q263201)

Safe

Required

Microsoft.com

So unless it is case sensitive and the difference in caps versus lowercase letters means something (like malware versus legit program), it doesn't sound like it should. Have you tried posting about this at the McAfee Help Forums to see if anyone there could explain why this might be happening?

 

Thank you JRCATES! Good idea. I've posted there.

 

I guarantee that the smss.exe was genuine windows file, no malware.

 

You're welcome, Elliot, glad to be of some help.

I have a feeling that you're probably right as well (about it being a "legitimate" program)....but at least this way it can be brought to McAfee's attention, so that perhaps they can issue a fix if it is an FP of sorts. At least hopefully you'll get an answer as to "why" it is happening.....

 

I don't think that mcshield.exe wanted to terminate smss.exe because it was recoginized as a malicious program. There isn't any message regards to virus or malicious program. And after the action was breaked by PG, mcshield.exe hadn't issue any error message.

It maybe an inner mechanism of mcsheild. Anyhow, I want to allow this action temporarily to see what would happen to my system.

 

Too few people on McAfee Help Forums...

 

Yesterday, I also found that at system startup, mcshield.exe would modify all processes in the system, type: ZwProtectVirtualMemory. Maybe this was caused by the Buffer Overflow Protection funtionality? Not sure.

 

Perhaps, if I let PG blocked mcshield.exe from modifying and terminating other processes, some functions will fail. I tried EICAR, and it was successfully detected on-access and on-demand. Till now I haven't seen any funtional error. I don't know how to test the Buffer Overflow Protection.