Showing results for 
Search instead for 
Did you mean: 
Level 9
Report Inappropriate Content
Message 1 of 1

Fileserver overload


We had a bit of an issue last week when I got calls from the server team that I should stop scanning one pf the fileservers... Responded that no scan was planned or scheduled and that the scanner (process in Task Manager) was not active. (Yet, there was a lot of ENS activity and CPU was overloaded).

After searching for a (long) while, we found out that a user had decided that it should be OK to just copy/move several hundred thousand files from one disk to the fileserver.

So, when the files arrived, ENS-APP kicked in and I started getting loads of 1095-Events (Remote creation of files).  The (Agent or ENS10 on the) fileserver was active for more than 2 days uploading those events to the ePO server.

I'm wondering how to avoid repeating this situation in the future.

*) Should we just disregard 1095-Events ? The signal-to-noise ratio is ridiculous at this point, but I don't like the idea of losing this information in case I need to search the source/cause of an issue.

*) Should we stop logging the specific event (1095 - "Remotely creating or modifying files or folders", this is not the one protecting the Windows folder, nor the "Program Files" folders)?

What is the combined opinion of the community on this?

More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support

    • Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center