
Problem: McAfee logs show that ArcGIS Server pkill.exe attempts to terminate McAfee processes

Description

When the ArcGIS GIS Server Windows Service is stopped or restarted, the McAfee VirusScan Enterprise (VSE) Access Protection logs have entries that indicate that ArcGIS is attempting to terminate McAfee processes.
McAfee Access Protection logs

Cause

The McAfee VirusScan Enterprise Access Protection rule is designed to block any process that exercises the terminate process privilege. It is a self-protection rule that prevents third-party applications or malware from disabling VSE protection, and it is triggered when a process explicitly interacts with a protected process. This is why VSE detects and blocks the ArcGIS GIS Server pkill.exe process.

Solution or Workaround

The following are possible workarounds for this issue:

Stop the ArcGIS Server pkill.exe process from terminating McAfee processes

Note:
Run the following command as an administrator.
  1. Navigate to Windows Start and type cmd in the Search programs and files dialog box.
  2. Right-click the cmd icon and click Run as administrator.

  3. In the command prompt interface, type the following to kill a process with the given Windows ProcessID (pid):
    "C:\Program Files\ArcGIS\Server\bin\pkill.exe" -P (Include the PID of the McAfee processes here.)
  4. Press Enter.
    Note:
    The following Microsoft document explains how to locate a PID for a process: Finding the Process ID.

Include the pkill.exe process in the McAfee Exclusion list

Include the following ArcGIS GIS Server pkill.exe process path in the McAfee exclusion list:
C:\Program Files\ArcGIS\Server\bin\pkill.exe
The McAfee Knowledge Center document explains how to add exclusions: How to resolve issues caused by Access Protection rules and Behavior Blocking.
Note:
Apart from the two solution options mentioned above, the ArcGIS GIS Server pkill.exe process is designed to only terminate processes if the following three conditions are met:
1. The process has to be named javaw.exe, ArcSOC.exe or rmid.exe.
2. The ArcGIS GIS Server login account must be the owner of the processes. 
3. The process must be started using an executable from within the ArcGIS GIS Server installation folder.
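
The three conditions above can be checked against the live process list to see which processes are in scope for pkill.exe. The following PowerShell is an added example, not Esri or McAfee code; it only reads process information and terminates nothing. The account name `arcgis` and the function name `Test-PkillScope` are assumptions.

```powershell
# Added example: list running processes that meet all three documented
# pkill.exe conditions. Read-only; run from an elevated PowerShell prompt.
param(
    # Install folder, taken from the pkill.exe path given in the article.
    [string]$InstallDir = 'C:\Program Files\ArcGIS\Server',
    # ASSUMPTION: user name of the ArcGIS GIS Server login account; set to yours.
    [string]$ServiceAccount = 'arcgis'
)

$allowedNames = @('javaw.exe', 'ArcSOC.exe', 'rmid.exe')   # condition 1
# The trailing backslash stops a sibling folder such as "...\ServerOld" from matching.
$root = $InstallDir.TrimEnd('\') + '\'

function Test-PkillScope {   # hypothetical helper name
    param([string]$Name, [string]$Owner, [string]$ExecutablePath)
    $pathOk = $false
    if ($ExecutablePath) {
        # Resolve any "..\" segments before the prefix comparison.
        $full   = [System.IO.Path]::GetFullPath($ExecutablePath)
        $pathOk = $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
    }
    [pscustomobject]@{
        NameOk  = $allowedNames -contains $Name    # case-insensitive match
        OwnerOk = $Owner -eq $ServiceAccount       # condition 2 (user name only, no domain)
        PathOk  = $pathOk                          # condition 3
    }
}

Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    # GetOwner can fail for protected processes; the owner is then treated as unknown.
    $owner = (Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue).User
    $check = Test-PkillScope -Name $_.Name -Owner $owner -ExecutablePath $_.ExecutablePath
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Name      = $_.Name
        Owner     = $owner
        Path      = $_.ExecutablePath
        InScope   = $check.NameOk -and $check.OwnerOk -and $check.PathOk
    }
} | Where-Object InScope | Format-Table -AutoSize
```

A process that is missing from the output fails at least one of the three conditions.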
