Mcshield.exe is trying to terminate smss.exe

Discussion in 'ProcessGuard' started by Elliot, Jun 26, 2005.

Thread Status:
Not open for further replies.
  1. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    Hello,

    I've been using Windows 2003 Server Enterprise (from MSDN), McAfee VirusScan Enterprise + AntiSpyware 8.0, and ProcessGuard v3.150 Free.

    Today PG alerted me that C:\Program Files\Network Associates\VirusScan\Mcshield.exe was blocked from terminating C:\Windows\system32\smss.exe. I haven't encountered this alert before, and I wonder why mcshield wanted to do that.

    Should I allow it or not?

    Thanks for your help.
     
  2. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    Hi Elliot,

    This is the info that WinPatrol has for smss.exe:

    Session Manager Subsystem - SMSS.EXE

    An early part of the Windows Boot sequence this "native" application is responsible for many boot tasks including chkdsk, security tokens, driver initialization, WinLogon and other tasks required before the user interface is available.
    It's also used during Windows setup allowing users to install or repair installations before the Windows UI is activated.

    Default Processes in Windows 2000 (Q263201)

    Safe

    Required

    Microsoft.com

    So unless it is case sensitive and the difference in caps versus lowercase letters means something (like malware versus legit program), it doesn't sound like it should. Have you tried posting about this at the McAfee Help Forums to see if anyone there could explain why this might be happening?
     
  3. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    Thank you JRCATES! Good idea. I've posted there.
     
  4. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    I guarantee that the smss.exe was genuine windows file, no malware.
     
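Added example, not posted by anyone in this thread: a PowerShell check of both sides of the alert above. It confirms that the smss.exe and Mcshield.exe files on disk are signed (or records their SHA-256 for comparison against a known-good copy) and that every running smss.exe instance is the one under System32, which is the check that matters when an alert names a core Windows process by name. The paths are the ones quoted in the thread; PowerShell 4 or later is assumed for Get-FileHash, and the script should run elevated so WMI can report executable paths for system processes.

```powershell
# Files named in the ProcessGuard alert (paths as quoted in the thread).
$smss     = Join-Path $env:SystemRoot 'system32\smss.exe'
$mcshield = 'C:\Program Files\Network Associates\VirusScan\Mcshield.exe'

foreach ($path in @($smss, $mcshield)) {
    if (-not (Test-Path $path)) { Write-Host "MISSING: $path"; continue }

    # Embedded Authenticode or Windows catalog signature. Catalog signatures are
    # only resolved by Get-AuthenticodeSignature on Windows 8 / Server 2012 and
    # later; on older systems (such as the Server 2003 box in the thread) a
    # genuine smss.exe can report NotSigned, so the hash is printed as well for
    # comparison against a known-good copy from install media or another host.
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
    '{0}' -f $path
    '  signature : {0}' -f $sig.Status
    '  signer    : {0}' -f $sig.SignerCertificate.Subject
    '  sha256    : {0}' -f $hash
}

# Every running smss.exe must be loaded from the System32 copy. A process of the
# same name running from %TEMP%, %APPDATA% or a user profile is the look-alike
# case; matching on the full path rather than the name is what catches it.
Get-WmiObject -Class Win32_Process -Filter "Name = 'smss.exe'" |
    ForEach-Object {
        [pscustomobject]@{
            PID            = $_.ProcessId
            ParentPID      = $_.ParentProcessId
            ExecutablePath = $_.ExecutablePath
            FromSystem32   = ($_.ExecutablePath -ieq $smss)
        }
    } | Format-Table -AutoSize
```

If ExecutablePath comes back empty for smss.exe, the shell is not running with enough privilege to read that field; rerun elevated before drawing any conclusion from a blank FromSystem32 column.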
  5. JRCATES

    JRCATES Registered Member

    Joined:
    Apr 7, 2005
    Posts:
    1,203
    Location:
    USA
    You're welcome, Elliot, glad to be of some help.

    I have a feeling that you're probably right as well (about it being a "legitimate" program)....but at least this way it can be brought to McAfee's attention, so that perhaps they can issue a fix if it is an FP of sorts. At least hopefully you'll get an answer as to "why" it is happening.....
     
  6. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    I don't think that mcshield.exe wanted to terminate smss.exe because it was recognized as a malicious program. There wasn't any message regarding a virus or malicious program. And after the action was blocked by PG, mcshield.exe didn't issue any error message.

    It may be an internal mechanism of mcshield. Anyhow, I want to allow this action temporarily to see what would happen to my system.
     
  7. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    Too few people on McAfee Help Forums...
     
  8. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    Yesterday, I also found that at system startup, mcshield.exe would modify all processes in the system, type: ZwProtectVirtualMemory. Maybe this was caused by the Buffer Overflow Protection functionality? Not sure.
     
  9. Elliot

    Elliot Registered Member

    Joined:
    Nov 5, 2004
    Posts:
    41
    Perhaps, if I let PG block mcshield.exe from modifying and terminating other processes, some functions will fail. I tried EICAR, and it was successfully detected on-access and on-demand. So far I haven't seen any functional error. I don't know how to test the Buffer Overflow Protection.
     
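Added example, not posted by anyone in this thread: a repeatable version of the EICAR check mentioned above, so the on-access scanner can be re-tested after each change to the ProcessGuard rules for mcshield.exe. It writes the standard EICAR test string (harmless by design, detected by every mainstream scanner) as an exact 68-byte ASCII file and reports whether on-access removed it. It assumes VirusScan is set to delete or quarantine detections; if the product is configured to log only, the file stays in place and the VirusScan log is the thing to check. The folder and file names are arbitrary choices for the example.

```powershell
# Where the test file is dropped (arbitrary location chosen for this example).
$dir  = Join-Path $env:TEMP 'av-onaccess-test'
$file = Join-Path $dir 'eicar.com'

# The string is built from two halves so that this script file is not itself
# flagged and removed by the on-access scanner before it gets to run. Joined,
# it is the EICAR test string exactly as published by EICAR.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

New-Item -ItemType Directory -Path $dir -Force | Out-Null

try {
    # Plain ASCII with no BOM: the signature is an exact match on the 68 bytes,
    # so Set-Content/Out-File (which may prepend a UTF-8 or UTF-16 BOM) would
    # turn a non-detection into a meaningless result.
    [System.IO.File]::WriteAllText($file, $eicar, [System.Text.Encoding]::ASCII)
    Write-Host "wrote $file"
} catch {
    # Some scanners refuse the write itself rather than removing the file after
    # it is closed; that also counts as on-access working.
    Write-Host "write blocked by scanner: $($_.Exception.Message)"
}

Start-Sleep -Seconds 5   # give the on-access scanner a moment to act

if (Test-Path $file) {
    Write-Host 'FAIL: eicar.com is still present after 5 s; on-access did not act'
    Write-Host "      run an on-demand scan of $dir and check the VirusScan log"
} else {
    Write-Host 'OK: on-access scanner removed or quarantined eicar.com'
}
```

Run it once with the ProcessGuard rules in their current state and once after allowing or blocking mcshield.exe's process access, and compare the two results; a change from OK to FAIL is the functional regression the post above is looking for.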