Hello Everyone,
I have a question with regard to MOVE AV, related to block-type events. We are using MOVE Multi-Platform 3.5, and I recently deployed it to about 350 servers. Most of these servers previously had VSE 8.8 on them, which I removed prior to installing the MOVE client. My questions mainly center on those types of block events I would previously see when using VSE, specifically those related to Access Protection rules.
Occasionally, I would get a call from server guys stating that something they were trying to do (patch, install, task, etc.) was getting blocked. I would then look at System Information for the device and investigate under Threat Events, where I would, in many cases, find blocks. I would then create exclusions if needed, force a policy update, and have the server admin test.
With MOVE, I don't see these types of blocks at all. I have had a few instances of Server Admins telling me something is being blocked, and I then check Threat Events and find nothing indicating a block. I have checked on the device itself, as well as the Threat Events for the Offload Scan Server assigned to the device, and the SVA Manager in use for all of them. I even ran a query of "Today's Detections per Product" and found nothing.
So my questions relate to AP type blocks in MOVE. Do these even happen? Does the AV scanning happen differently? I expected these types of blocks still, since the OSS servers are still using VSE, but I see nothing. Is it just files transferring over to the OSS, and none of the process or task type blocks that are in client VSE? Any information would be appreciated.
I agree with rajinp,
MOVE and VSE are two completely different products.
VirusScan features:
- On-Access/On-Demand scan (ScriptScan)
- E-mail scan
- Buffer Overflow Protection
- Access Protection
MOVE Multi-Platform:
- On-Access scan with the MOVE Agent
- On-Demand scan with the OSS (Offload Scanner)
Therefore you can only see Threat Events with malware from the MOVE Agent, no other events.
If you want more protection you can install HIPS or Application Control on your server.
- HIPS: also replaces Buffer Overflow Protection (because HIPS uses generic buffer overflow protection instead of the 20-30 "signatures" in VSE)
- HIPS/Application Control: Memory Protection (if both are installed, disable the Memory Protection feature in Application Control)
Hope this helps,
Cheers
Are you talking about Access protection in MOVE or scanning issue with MOVE ?
I am talking about Access Protection-like behavior and events while using MOVE. We previously had VSE on servers. If an admin encountered a block, for instance, while installing a patch, I could go into Events in the ePO console for that device and see the event related to the block. However, since switching to MOVE Multi-Platform, it seems that there are no longer events like that. Do these types of events even occur with MOVE? I have looked at the device itself, the Offload Scan Server, and the SVA Manager. In all of these, if there is an actual threat event, I see it, but if there is a block from something like Access Protection, I am not seeing events. I hope this explains it better.
The access protection feature is not available in MOVE Multiplatform and hence you will not get any such block events.
Thank you both! This is exactly the information I was looking for.