After applying security patches for January 2020, the Symantec Management Agent would not start on Site Servers or Client Machines with McAfee antivirus running


Article ID: 184921


Products

Management Platform (Formerly known as Notification Server), Task Server

Issue/Introduction

After applying the security updates for January 2020, the Symantec Management Agent was unable to start on all Site Servers. As a result, clients were unable to obtain a Task Server to connect to or to register with Task Servers.

The Windows Event Logs (Application) showed a stream of errors similar to the following (this one is in Spanish):

 

The Windows application event logs have this:
"Malware Behavior: Windows EFS abuse", and was blocked. For information about how to respond to this event, see KB85494.

Cause

The error shows that the latest McAfee patterns flagged AeXNSAgent.exe and AtrsHost.exe on the Task Servers as exhibiting malware behavior when invoking the Crypt32.dll contained in the January updates. The flagged behavior was an attempt to access the RSA Machine Keys, which the services legitimately need for certificate management and other features. This is no different from what they have always done before January 2020.

It was reported that Microsoft's SCCM was also affected.

Environment

ITMS 8.x

Resolution

McAfee discusses this problem in KB85494.

The only workaround currently is to add exclusions for AeXNSAgent.exe and AtrsHost.exe.