ENS Quick Scan

Dear All,

We have a memory scan in place for Workstations and Servers. Ideally the memory scan would be completed within 5-8 minutes in a given scenario. However, in our case, the scan runs for 20-30 minutes. Can someone suggest if this is normal?

We think this could be a bug. Please share your thoughts and suggestions.

TIA

Venu

McAfee Employee
Message 2 of 7

Re: ENS Quick Scan

@vnaidu please contact support as we'd need to review your settings and other system variables to advise on if this is a normal speed or not. There is no "benchmark" as such as each environment is completely different.

It does seem slightly high though.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

Re: ENS Quick Scan

@chealey 

Thank you for the reply, though I see the duration was drastically decreased from 20 mins to 8.2 minutes during my testing today on my environment, so I guess no need to raise a service request. However, I have noticed some threat events which say the below. So I had to google it to get the KB article KB88085, which is quite confusing. I would like to have this MfeSysPrep.exe obtained. Can you help me with this or should I again raise an SR with McAfee? Maybe if you could help me with this, it would be time saving rather than talking to McAfee.

Event Category: Malware detected
Event ID: 34865
Threat Severity: Critical
Threat Name: Self Protection - protect McAfee processes
Threat Type: Self Protection
Action Taken: Blocked
Threat Handled:
Analyzer Detection Method:
Events received from managed systems
Event Description: DLL Injection Event
Endpoint Security
First Action Status: Not available
Second Action Status: Not available
Description: Injected DLL was signed by certificate: C-DK, S-Ballerup, L-Ballerup, O-SafeCom a/s, OU-Digital ID Class 3 - Microsoft Software Validation v2, CN-SafeCom a/s
Attack Vector Type: Local System
Venu

Re: ENS Quick Scan

@chealey 

Should I tweak the ENS Common Options policy as I see the certificates were already updated for them?

The log file reads like the below:

1/24/2019 10:44:37 AM   mfeesp(20084.19632) <SYSTEM> ApBl.SP.Activity: XXXXX\USER ran LOGDEBUGSETTER.EXE, which attempted to access SCAPPPRINTLOADER64.DLL, violating the rule "Core Protection - Sanitize McAfee processes", and was blocked. For information about how to respond to this event, see KB85494.

While checking the ENS common options, I see the below certificate valid. So is it worth adding LOGDEBUGSETTER.EXE in the exclusions?

[Image: Untitled4.png]

Venu

McAfee Employee
Message 5 of 7

Re: ENS Quick Scan

Hi @vnaidu 

Did you get this during the installation period? In which case this is normal as the SYSPREP tool runs on the system during installation and looks for injectors. If it finds any you will get this event.

So in this case, the tool found this dll:

Injected DLL was signed by certificate: C-DK, S-Ballerup, L-Ballerup, O-SafeCom a/s, OU-Digital ID Class 3 - Microsoft Software Validation v2, CN-SafeCom a/s

You can now check in the ENS common policy to allow this certificate or not.

Re: ENS Quick Scan

@chealey

Thank you for the explanation in detail. So I just ticked the allow check box, which means it should not create this issue, right?

TIA

Venu

McAfee Employee
Message 7 of 7

Re: ENS Quick Scan

By selecting "Allow" you are saying that you trust this certificate. The event you saw did not mean there is an issue as such present on the machine. It is merely demonstrating to you that a third-party DLL was found to be injecting itself into our processes during the installation. But the SYSPREP tool found the DLL to be signed or otherwise trusted. By selecting allow, you are adding this certificate to the "trust store". It allows third-party software to function, while allowing McAfee to maintain a trust boundary.

For more on dll injections and certificate trust you can see: https://kc.mcafee.com/corporate/index?page=content&id=KB88085

More on the SYSPREP tool can be found here: https://kc.mcafee.com/agent/index?page=content&id=KB89860
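
Added example, not part of the original thread and not McAfee tooling: a Python sketch that parses Self Protection log lines in the format quoted earlier in the thread and counts blocked events per process, accessed module and rule, so you can see which injector/module pairs recur before deciding on a certificate trust or exclusion. The pattern is modelled on that single quoted line; the other sample lines (including EXAMPLE.EXE and EXAMPLE64.DLL) are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Pattern modelled on the one log line quoted in the thread (assumption:
# other Self Protection entries follow the same layout).
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<component>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+<(?P<account>[^>]+)>\s+'
    r'(?P<source>\S+): (?P<user>.+?) ran (?P<process>.+?), '
    r'which attempted to access (?P<target>.+?), '
    r'violating the rule "(?P<rule>[^"]+)", and was (?P<action>\w+)\.'
)

# Constructed sample: the first line is the one from the thread; the rest
# are made-up variations for illustration.
SAMPLE_LOG = r'''
1/24/2019 10:44:37 AM   mfeesp(20084.19632) <SYSTEM> ApBl.SP.Activity: XXXXX\USER ran LOGDEBUGSETTER.EXE, which attempted to access SCAPPPRINTLOADER64.DLL, violating the rule "Core Protection - Sanitize McAfee processes", and was blocked. For information about how to respond to this event, see KB85494.
1/24/2019 10:51:02 AM   mfeesp(20084.19640) <SYSTEM> ApBl.SP.Activity: XXXXX\USER ran LOGDEBUGSETTER.EXE, which attempted to access SCAPPPRINTLOADER64.DLL, violating the rule "Core Protection - Sanitize McAfee processes", and was blocked. For information about how to respond to this event, see KB85494.
1/24/2019 11:03:15 AM   mfeesp(20084.19700) <SYSTEM> ApBl.SP.Activity: XXXXX\USER ran EXAMPLE.EXE, which attempted to access EXAMPLE64.DLL, violating the rule "Core Protection - Sanitize McAfee processes", and was blocked. For information about how to respond to this event, see KB85494.
1/24/2019 11:04:00 AM   some unrelated line that does not match
'''.strip().splitlines()


def parse_line(line):
    """Return the fields of one Self Protection entry, or None if no match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    return rec


def summarize_blocked(lines):
    """Count blocked events per (process, accessed module, rule)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"].lower() == "blocked":
            counts[(rec["process"], rec["target"], rec["rule"])] += 1
    return counts


if __name__ == "__main__":
    for (proc, target, rule), n in summarize_blocked(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {proc} -> {target}  [{rule}]")
```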
