
ENS on-access scan for linux


Hello,

We are using Endpoint Security Threat Prevention version 10.6.7.118 on our openSUSE 12.3 servers.
Currently we are facing high load issues. I created a policy to skip on-access scans on db and /var/log.
It doesn't seem like any McAfee process is hogging CPU.

On-access scan activity log is mostly:
Nov 20 10:15:01 host.name AMManageFAEvent Scan Request sent for the file: /run/systemd/users/0
Nov 20 10:15:01 host.name AMManageFAEvent Scan Response received for the file: /run/systemd/users/0
Nov 20 10:15:01 host.name AMManageFAEvent Scan Request sent for the file: /run/systemd/sessions/6244
Nov 20 10:15:01 host.name AMManageFAEvent Scan Response received for the file: /run/systemd/sessions/6244
Nov 20 10:15:01 host.name AMManageFAEvent Scan Request sent for the file: /run/systemd/users/0

Should I create more exclusions? If so, then what are your suggestions?
 

McAfee Employee patrakshar
Message 2 of 9

Re: ENS on-access scan for linux


Hello @Stelmachf 

Thanks for your post here.

As per my understanding, you are not seeing any high CPU/memory being used by a McAfee process. However, the overall server performance has degraded? Is that the correct understanding?

Before I suggest an exclusion, I would like to know: if you disable OAS, does the issue get resolved? Just as a test, disable OAS on one server for a couple of minutes and check if the issue gets resolved. If yes, then we can look at it from the exclusions point of view.

If disabling OAS does not resolve the problem, then exclusions are not going to work and we have to look in a completely different direction.

Do let me know the outcome of the test and also IM me the isecscanactionmgr log.

Re: ENS on-access scan for linux


Hello @patrakshar 

Yes, disabling OAS lowers load back to normal.


Where can I find the logs you are asking for?


McAfee Employee patrakshar
Message 4 of 9

Re: ENS on-access scan for linux


You can see the article https://kc.mcafee.com/corporate/index?page=content&id=KB88812 for the log locations.

McAfee Employee patrakshar
Message 5 of 9

Re: ENS on-access scan for linux


Can you share that log file with me in a message?

Re: ENS on-access scan for linux


That article is for McAfee Endpoint Security for Linux Threat Prevention (ENSLTP) 10.2.x

No file/directory like: /opt/isec/ens/threatprevention/var/isecoasmgr.log
The closest I have is /opt/isec/ens/threatprevention and the only thing in this directory is bin.

sudo find / -name "isecoasmgr.log" also didn't find isecoasmgr.log

This server is managed by ePO, does it change anything?

McAfee Employee patrakshar
Message 7 of 9

Re: ENS on-access scan for linux


My bad. Please see the article https://kc.mcafee.com/corporate/index?page=content&id=KB89711. This has the details of the logs that need to be looked at.

McAfee Employee patrakshar
Message 8 of 9

Re: ENS on-access scan for linux


Main location from where the scan seems to be coming is /home/bwcmsys/wildfly-10.1.0.Final/standalone/tmp/vfs/deployment/deployment1f41769e0f39fa01/ECMWeb.war-457181e470269b1a/Scripts/Views/Workflow2/. 

Can we get /home/bwcmsys/wildfly-10.1.0.Final/standalone/tmp/** added into exclusion on the machine and check the status once?

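The reply above picks its exclusion candidate from where the scan requests concentrate. As an added example (not from the thread or from McAfee), this Python script tallies "Scan Request" lines in the activity-log format quoted in the question by directory and lists files that are scanned repeatedly; the `/srv/exampleapp` lines and all function names are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Line format as quoted in the question; only "Scan Request" lines are counted.
REQUEST_RE = re.compile(r"AMManageFAEvent Scan Request sent for the file: (/.*)$")

# First five lines are from the thread; the /srv/exampleapp lines are constructed.
SAMPLE_LOG = """\
Nov 20 10:15:01 host.name AMManageFAEvent Scan Request sent for the file: /run/systemd/users/0
Nov 20 10:15:01 host.name AMManageFAEvent Scan Response received for the file: /run/systemd/users/0
Nov 20 10:15:01 host.name AMManageFAEvent Scan Request sent for the file: /run/systemd/sessions/6244
Nov 20 10:15:01 host.name AMManageFAEvent Scan Response received for the file: /run/systemd/sessions/6244
Nov 20 10:15:01 host.name AMManageFAEvent Scan Request sent for the file: /run/systemd/users/0
Nov 20 10:15:02 host.name AMManageFAEvent Scan Request sent for the file: /srv/exampleapp/tmp/cache/a.js
Nov 20 10:15:02 host.name AMManageFAEvent Scan Request sent for the file: /srv/exampleapp/tmp/cache/b.js
Nov 20 10:15:02 host.name AMManageFAEvent Scan Request sent for the file: /srv/exampleapp/tmp/cache/a.js
Nov 20 10:15:02 host.name AMManageFAEvent Scan Request sent for the file: /srv/exampleapp/tmp/views/c.js
"""

def scanned_paths(lines):
    """Yield the file path from every scan-request line, skipping other events."""
    for line in lines:
        match = REQUEST_RE.search(line.strip())
        if match:
            yield match.group(1)

def hot_directories(lines, depth=3, top=5):
    """Rank directories (cut to `depth` path components) by scan requests."""
    counts = Counter()
    for path in scanned_paths(lines):
        parts = PurePosixPath(path).parent.parts[1:depth + 1]
        counts["/" + "/".join(parts)] += 1
    return counts.most_common(top)

def rescanned_files(lines, min_count=2):
    """Files requested at least `min_count` times: churn worth investigating."""
    counts = Counter(scanned_paths(lines))
    hits = [(p, n) for p, n in counts.items() if n >= min_count]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    for directory, n in hot_directories(log):
        print(f"{n:6d}  {directory}")
    for path, n in rescanned_files(log):
        print(f"rescanned x{n}: {path}")
```

Run it over the real activity log with a larger `depth` to find the narrowest directory that still accounts for most of the requests before turning it into an exclusion.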

Re: ENS on-access scan for linux


I added the exclusion.

I will come back after the weekend with an answer on whether it helps.
