I would like to ask the IT personnel of a customer's site to switch off any McAfee checking on the entire
deployment of our products at the customer's site. That is:
Excluding all files and directories in which our distribution is deployed.
Excluding any network interception on all protocols and ports our software is using (DB servers, other services).
Since I myself do not know McAfee products, I have no idea what to tell the customer he has to do.
Reason behind: We suspect performance degradation whenever McAfee products are intercepting
file- and network access.
The customer is using VSE Enterprise 8.8 and an ePO server. Besides that, VMware vSphere 4 is being used.
Any exclusion creates an element of risk - there are better ways of tweaking the product to ensure performance and security are balanced. I'm moving this over to the VSE folks for better attention.
First step. What is your product? .Net app deployed via browser? Client side executable linking to SQL database? ...etc.. Knowing what your product is doing will make it easier to suggest a fix.
If your customer is using ePO then I would have thought there must be a competent IT person onsite managing it.
Simply provide him/her with executable names, file extensions or file paths of your applications and they will be able to add the necessary exclusions into ePO.
One easy fix is to disable the scanning of network files on the client machines. If McAfee is on the file server there's no need to scan the files twice.
There are also exclusions that could be added to the DB server. These are usually suggested by the DB software supplier. For instance, there are recommendations from Microsoft for SQL exclusions: http://support.microsoft.com/kb/309422. But as SamSwift (and Microsoft) says, this will introduce an element of risk.
Message was edited by: Tristan on 03/08/11 17:35:29 IST
Thanks. Database is Unify (formerly Gupta, formerly Centura, formerly Gupta). The other product is a server that opens a couple of connections to our applications in the network. There can be 50 to 100 sockets open at once. The server is listening at a fixed port number and the communication sockets are chosen by the OS at the moment of the connection.
I don't know whether McAfee intercepts packets on the wire or through the network card as well, but if that's the case I would rather like to disable that behaviour.
Our deployment is on a shared directory on the server which is mapped to a network drive on the Windows clients.
The server is a 2008R2/64, virtualized (as already mentioned).
Message edited by krischu on 03.08.11 11:59:47 CDT
Allow me to give you some perspective from the other side of the fence.
If I had a dime for every vendor or individual who asked to switch off (security tool that they view as intrusive) for their "special egg" product or computer I'd have... a lot of dimes. It's an easy kneejerk reaction to ask for something to be disabled so you don't have to dig to figure out the real problem.
So, before you ask your customer to do this, ask yourself "Have I bothered to test my program with the major AV vendors? If not, am I making my problem a problem for all my customers?"
AV is mandated endpoint protection for an awful lot of regulated entities. Kneejerking and saying "disable AV" without having done your own analysis on your own systems, narrowing things down to a specific and reasonable subset of directories to be excluded, is going to get some cold reception from your customers' information security department, and depending on the risk governance maturity of the organization, may get you excluded from consideration if you can't figure out how to run well with AV in place.
Doing some testing and seeing what your database might benefit from by some targeted exclusions in its filestores might be an excellent place to start.
I agree with what you are saying and, believe me, I'm revising my code at the moment to find weak or time critical passages. I will come out probably with a better version of my server as a byproduct of the whole examination.
Nonetheless I still don't have an answer to my question about what McAfee is doing to my network sockets and network traffic. Does it hook into the network card driver?
And if it does, how do I prevent it from doing so? Not that I'm trying to advise my customer against maximizing his security policy; it's just that I would like to measure the performance impact of McAfee, or whether there is one.
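The measurement krischu asks for above can be done without touching the AV configuration at all: time the two operations the application actually performs (small-file reads/writes on the deployment directory, and fresh TCP connections to the server's fixed port) and compare the distributions before and after a candidate exclusion is applied. The script below is an added example and is not part of this thread or any McAfee documentation. It assumes a local echo server standing in for the vendor's own server, and the directory and host/port arguments are placeholders to be replaced with the mapped network drive and the real server when run on site.

```python
"""Micro-benchmark for file and socket latency (added example, not from the thread).

Run it once with the current AV policy and once after a targeted exclusion is
applied; a real slowdown shows up as a shift in median/p95, not as a hunch.
"""
import os
import socket
import statistics
import tempfile
import threading
import time


def summarize(samples_ms):
    """Return count, median, p95 and max of a list of latencies in milliseconds."""
    s = sorted(samples_ms)
    return {
        "n": len(s),
        "median_ms": statistics.median(s),
        "p95_ms": s[int(0.95 * (len(s) - 1))],
        "max_ms": s[-1],
    }


def bench_file_io(directory, n_files=50, size=64 * 1024):
    """Write, read back and delete n small files; each cycle is one sample.

    On-access scanners typically hook the open/close path, so this is where a
    file-system exclusion (or its absence) would be visible.
    """
    payload = os.urandom(size)
    latencies = []
    for i in range(n_files):
        path = os.path.join(directory, f"avbench_{i}.tmp")
        t0 = time.perf_counter()
        with open(path, "wb") as f:
            f.write(payload)
        with open(path, "rb") as f:
            data = f.read()
        os.remove(path)
        latencies.append((time.perf_counter() - t0) * 1000)
        if data != payload:
            raise RuntimeError(f"read-back mismatch on {path}")
    return summarize(latencies)


def bench_tcp(host, port, n_conn=50):
    """Open a fresh connection per probe (like the app's client sockets),
    send one byte and wait for the echo; connect+round-trip is one sample."""
    latencies = []
    for _ in range(n_conn):
        t0 = time.perf_counter()
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(b"x")
            if s.recv(1) != b"x":
                raise RuntimeError("echo server returned unexpected data")
        latencies.append((time.perf_counter() - t0) * 1000)
    return summarize(latencies)


def start_echo_server():
    """Local stand-in for the vendor's server (constructed for this example).
    Returns (port, stop_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(64)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket closed by stop()
                return
            with conn:
                data = conn.recv(1)
                if data:
                    conn.sendall(data)

    threading.Thread(target=serve, daemon=True).start()
    return port, srv.close


def run_local_baseline(n=50):
    """Run both benchmarks against a temp directory and the local echo server.
    For the on-site measurement, call bench_file_io() on the mapped deployment
    share and bench_tcp() against the real server host and fixed port instead."""
    port, stop = start_echo_server()
    try:
        with tempfile.TemporaryDirectory() as d:
            return {
                "file": bench_file_io(d, n_files=n),
                "tcp": bench_tcp("127.0.0.1", port, n_conn=n),
            }
    finally:
        stop()


if __name__ == "__main__":
    for name, stats in run_local_baseline().items():
        print(name, stats)
```

Run the script twice under identical conditions (same share, same client, same load) with only the exclusion policy changed between runs; if the medians and p95 values are within noise of each other, the AV is not the bottleneck and the proxy/DNS questions raised later in this thread are the better lead.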
To my knowledge VirusScan Enterprise doesn't do any packet filtering or port monitoring (that would be a firewall product). It does do some blocking of traffic on SMTP and IRC ports, but they're outright blocks, so they would prevent your apps working, not slow them down.
Is this VSE we're talking about or another McAfee product?
Yes, VSE. What would the other products be that you are referring to that hook into network drivers?
I've heard that on large sites with ePO servers much network traffic can be generated when these servers talk to each other, and that a certain policy of building groups among the servers and managed clients could reduce this network traffic.
Obviously a McAfee Firewall is going to be using network hooks!! (a lot more than VSE would if it does use any at all)
Have you looked into it being an IP routing/DNS lookup issue?
Does the client use a proxy server in their environment?
Do they use the Microsoft proxy client for ISA (or Forefront TMG as it's known now)? In which case, are all your data packets being routed via the proxy server, with a delay being introduced that way?
Do you use IP or FQDN to access your database? Is there a delay being introduced when DNS lookups are being performed?
Have you definitively pin-pointed this slowdown to being an issue caused by a McAfee product?