Problem: McAfee logs show that ArcGIS Server pkill.exe attempts to terminate McAfee processes
When the ArcGIS GIS Server Windows Service is stopped or restarted, the McAfee VirusScan Enterprise (VSE) Access Protection logs have entries that indicate that ArcGIS is attempting to terminate McAfee processes.
The McAfee VirusScan Enterprise Access Protection rule is designed to block all processes that run the terminate process privilege. This rule is triggered because it is a self-protection rule to avoid any third-party applications or malware from disabling VSE protection when a process explicitly interacts with a protected process. This is why VSE detects and blocks the ArcGIS GIS Server pkill.exe process.
Solution or Workaround
The following are possible workarounds for this issue:
Stop the ArcGIS Server pkill.exe process from terminating McAfee processes
Note: Run the following command as an administrator.
- Navigate to Windows Start and type cmd in the Search programs and files dialog box.
- Right-click the cmd icon and click Run as administrator.
- In the command prompt interface, type the following to kill a process with the given Windows ProcessID (pid):
C:\Program Files\ArcGIS\Server\bin\pkill.exe" -P (Include the PID of the McAfee processes here.)
- Press Enter.
Note: The following Microsoft document explains how to locate a PID for a process: Finding the Process ID.
Include the pkill.exe process in the McAfee Exclusion listInclude the following ArcGIS GIS Server pkill.exe process path in the McAfee exclusion list:
The McAfee Knowledge Center document explains how to add exclusions: How to resolve issues caused by Access Protection rules and Behavior Blocking.
Note: Apart from the two solution options mentioned above, the ArcGIS GIS Server pkill.exe process is designed to only terminate processes if the following three conditions are met: 1. The process has to be named javaw.exe, ArcSOC.exe or rmid.exe. 2. The ArcGIS GIS Server login account must be the owner of the processes. 3. The process must be started using an executable from within the ArcGIS GIS Server installation folder.
- Esri Support: Problem: McAfee AntiVirus software detects acoder.exe as a virus
- Esri Support: Problem: The ArcGIS GeoEvent Extension for Server fails to launch on servers running McAfee Enterprise Suite Anti-Virus
- Esri Support: FAQ: Why does anti-virus software detect a virus when scanning ArcGIS Server DVD for Solaris and Linux?