jround
Level 9
Message 1 of 10

ENS On Access scanner preventing an application from running but not logging anything

We have a server that runs a custom application; with ENS 10.5 or 10.6 it will not start up correctly, but as soon as we untick 'enable on access scanning' it works fine...

The trouble is nothing is logged in the ENS console to indicate what McAfee is blocking, and we have excluded all the custom application files/folders from scanning in the policy, but still the same 😞

Any ideas on what else we can do to resolve this? Obviously, leaving on access scanning turned off long term is a security risk.

9 Replies
jround
Level 9
Message 2 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

McAfee Employee Thussain
McAfee Employee
Message 3 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

Thank you for posting your query.

I request you to kindly take a look at the OnAccessScan_Activity.log file located at:

C:\ProgramData\McAfee\Endpoint Security\Logs

 

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
McAfee Employee Thussain
McAfee Employee
Message 4 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

You may also log a service request with the McAfee Technical Support team. Also, run Process Monitor while the issue is reproduced and share the Process Monitor logs with them. They will analyze the logs and let you know what is causing the issue.

 

McAfee Employee AdithyanT
McAfee Employee
Message 5 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

Hi @jround,

As suggested above, I would recommend logging a Service Request with us for this.

Why?

The exclusions may not work as expected if you have High Risk and Low Risk processes configured in your On Access Scanning policy.

It is important to investigate if the On Access Scanner is making a detection here. If not, then debug logs for the On Access Scanner might help us dig in more. A probable involvement of the Engineering Team might also be needed, for which a Service Request with appropriate debug logs and other logs like Procmon and AmTrace are required.


Thanks and regards,
Adithyan T
McAfee Employee AdithyanT
McAfee Employee
Message 6 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

Hi @jround,

Also, kudos to you for your excellent work in isolating the component and finding out which component causes the issue!


Thanks and regards,
Adithyan T
jround
Level 9
Message 7 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

The log is quite bare, unfortunately:

29/10/2019 14:48:14 mfetp(5400.3460) <SYSTEM> oasbl.OAS.Activity: Telling OAS compliant status became RED - OAS disabled by user
29/10/2019 14:48:14 mfetp(5400.3460) <SYSTEM> oasbl.OAS.Activity: Added reason to compliance status - REASON_OAS_DISABLED
29/10/2019 14:48:14 mfetp(5400.3464) <SYSTEM> oasbl.OAS.Activity: AMCore content version = 3875.0
29/10/2019 14:50:52 mfetp(4660.8424) <SYSTEM> oasbl.OAS.Activity: Telling OAS compliant status became RED - OAS disabled by user
29/10/2019 14:50:52 mfetp(4660.8424) <SYSTEM> oasbl.OAS.Activity: Added reason to compliance status - REASON_OAS_DISABLED
29/10/2019 14:50:52 mfetp(4660.5284) <SYSTEM> oasbl.OAS.Activity: AMCore content version = 3875.0

However, I have got a little closer now that we're out of business hours here, so I could tweak without upsetting anyone. Under 'Standard Process Types' for the Threat Prevention On Access Scan policy we have set in ePO for the server, if I simply untick 'On network drives' under 'What to scan', the issue is resolved.

Looking in the software, it does connect to a UNC path, but to itself; e.g. the server is called SERVER1 and the path is \\server1\datashare, so I am not sure why McAfee is getting in the way of this connection or if we can exclude a particular UNC path in the policy.
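
An added example, not part of the thread or of any McAfee tooling: a small parser for the OnAccessScan_Activity.log excerpt quoted in the post above. It lists when the log records on-access scanning being switched off and confirms that the excerpt holds only status lines and no detections. The line layout and day/month/year date order are assumptions inferred from that excerpt alone, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied from the OnAccessScan_Activity.log excerpt quoted in the post above.
SAMPLE_LOG = """\
29/10/2019 14:48:14 mfetp(5400.3460) <SYSTEM> oasbl.OAS.Activity: Telling OAS compliant status became RED - OAS disabled by user
29/10/2019 14:48:14 mfetp(5400.3460) <SYSTEM> oasbl.OAS.Activity: Added reason to compliance status - REASON_OAS_DISABLED
29/10/2019 14:48:14 mfetp(5400.3464) <SYSTEM> oasbl.OAS.Activity: AMCore content version = 3875.0
29/10/2019 14:50:52 mfetp(4660.8424) <SYSTEM> oasbl.OAS.Activity: Telling OAS compliant status became RED - OAS disabled by user
29/10/2019 14:50:52 mfetp(4660.8424) <SYSTEM> oasbl.OAS.Activity: Added reason to compliance status - REASON_OAS_DISABLED
29/10/2019 14:50:52 mfetp(4660.5284) <SYSTEM> oasbl.OAS.Activity: AMCore content version = 3875.0
"""

# Assumed layout, inferred only from that excerpt (not a documented format):
# DD/MM/YYYY HH:MM:SS process(pid.tid) <user> component: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<proc>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\) "
    r"<(?P<user>[^>]*)> (?P<component>[\w.]+): (?P<message>.*)$"
)

def parse_log(text):
    """Return (entries, unparsed); lines that do not match are kept, not dropped."""
    entries, unparsed = [], []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%d/%m/%Y %H:%M:%S")
        entries.append(entry)
    return entries, unparsed

def oas_disabled_events(entries):
    """(timestamp, pid) for each record of on-access scanning being turned off."""
    return [(e["ts"], int(e["pid"])) for e in entries
            if "REASON_OAS_DISABLED" in e["message"]]

def message_summary(entries):
    """Count each distinct message; only status lines means no detection was logged."""
    return Counter(e["message"] for e in entries)

if __name__ == "__main__":
    entries, unparsed = parse_log(SAMPLE_LOG)
    for ts, pid in oas_disabled_events(entries):
        print(f"{ts:%Y-%m-%d %H:%M:%S} OAS disabled (mfetp pid {pid})")
    for msg, n in message_summary(entries).most_common():
        print(n, msg)
```

The same `REASON_OAS_DISABLED` match can feed an alert, since a server left with on-access scanning off is the risk raised in the first post.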

McAfee Employee Thussain
McAfee Employee
Message 8 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

We do not have the option to add exclusions to a UNC path in the On Access Scan policy; however, you may try to map the folder and try excluding it as shown in the image below.

 

On Access Scan Exclusion.PNG

McAfee Employee AdithyanT
McAfee Employee
Message 9 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

Hi @jround,

Thank you for your update. Once again, very good job in precisely finding out the issue and practically the workaround/solution as well! Kudos to that!

I am afraid the On Access Scan activity log by default would only log detections, and hence we require debug logging enabled.

Regarding the exclusion of the UNC path, can you try it once locally just to be sure it is working as expected? I have attached a screenshot for your kind perusal.


Thanks and regards,
Adithyan T
McAfee Employee AdithyanT
McAfee Employee
Message 10 of 10

Re: ENS On Access scanner preventing an application from running but not logging anything

Hi @jround,

Also, kindly find below the best practice recommendations, where for performance optimization excluding the scan of network drives may be implemented, provided you are aware of the impact.

Link: https://docs.mcafee.com/bundle/endpoint-security-10.6.0-threat-prevention-client-product-guide-windo...

You can also toggle between scanning only during read or only during write and check where the actual impact is from.

A humble suggestion would be to tighten up the NTFS permission on this folder to ensure it is safe despite the exclusion.

I sincerely hope this helps.


Thanks and regards,
Adithyan T