Seems to be caused by the 5922 DAT update on VirusScan Enterprise v8.5 (not occurring with v8.7) generating alerts from machines where the users are local administrators.
Engine version = 5400.1158
AntiVirus DAT version = 5924.0000
Number of detection signatures in EXTRA.DAT = None
Names of detection signatures in EXTRA.DAT = None
FROM
\\%computer%\c$\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt
19/03/2010 11:27:36 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMajor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create 19/03/2010 11:27:36 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\EngineVersionMinor Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create 19/03/2010 11:27:36 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create 19/03/2010 11:27:36 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\AVDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Create 19/03/2010 11:27:37 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete 19/03/2010 11:27:37 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\TrjDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete 19/03/2010 11:27:37 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatVersion Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete 19/03/2010 11:27:37 AM Blocked by Access Protection rule DOMAIN\user C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE \REGISTRY\MACHINE\SOFTWARE\McAfee\AVEngine\PUPDatDate Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings Action blocked : Delete
Is anyone else seeing this behavior in their VirusScan logs?
UPDATE:
As raj mentioned in the comments and andyross posted in the forums, the issue is related to the v.480 vscan.bof file, and is not limited to users with Administrative privileges.
It looks like the problem is being caused by the new BOP(Buffer Overflow Protection) DAT update that went out on March 16th. The new version 480 vscan.bof file (Buffer Overflow and Access Protection rules file) has a change in it that can results this kind of problem.
They are working on a fix but the work around is to exclude Outlook.exe from the protection rules. [1] (2010-Mar-22)
[1] Outlook causing access protection error? (2010-Mar-18) [McAfee Communities]
[2] Outlook creating/deleting keys in HKLM\SOFTWARE\McAfee\AVEngine (2010-Mar-18) [McAfee Communities]
Yes i have seen thisn and i called McAfee the answer is, Problem was with a Buffer Over Flow Dat. temp solution to include outlook.exe in the exception list and wait for the Bufferoverflow Dat to update and then take out the exception.
Thanks
Raj