search cancel

After applying security patches for January 2020 the Symantec Management Agent would not start on Site Servers or Client Machines with McAfee antivirus running


Article ID: 184921


Updated On:


IT Management Suite Task Server


After applying the security updates for January 2020, the Symantec Management Agent was unable to start on all Site Servers. As a result clients were unable to obtain a Task Server to connect to, or to register with Task Servers.

The Windows Event Logs (Application) had a river of errors similar to the following (this one is in Spanish)


The Windows application event logs have this:
"Malware Behavior: Windows EFS abuse", and was blocked. For information about how to respond to this event, see KB85494.


ITMS 8.x


The error basically shows that the latest McAfee patterns detected that AeXNSAgent.exe and AtrsHost.exe on the Task Servers was exhibiting malware behaviors when invoking Crypt32.dll contained in the January updates. The behavior was in attempting to access the RSA Machine Keys which are necessary for certificate management and other features the service(s) have a legitimate need to perform.  This is nothing different than what they have always done before January 2020.

It was reported that Microsoft's SCCM was also affected.


McAfee discusses this problem in KB85494.  

The only work around currently is to add exclusions for AeXNSAgent.exe and AtrsHost.exe