Any Way to See Access Protection Events With MOVE AV

Hello Everyone,

I have a question with regard to MOVE AV, related to block type events. We are using MOVE Multi-Platform 3.5, and I recently deployed it to about 350 servers. Most of these servers previously had VSE 8.8 on them, which I removed prior to installing the MOVE client. My questions mainly center on those types of block events I would previously see when using VSE, specifically those related to Access Protection rules.

Occasionally, I would get a call from server guys stating that something they were trying to do (patch, install, task, etc.) was getting blocked. I would then look at System Information for the device and investigate under Threat Events, where I would, in many cases, find blocks. I would then create exclusions if needed, force a policy update, and have the server admin test.

With MOVE, I don't see these types of blocks at all. I have had a few instances of Server Admins telling me something is being blocked, and I then check Threat Events and find nothing indicating a block. I have checked on the device itself, as well as the Threat Events for the Offload Scan Server assigned to the device, and the SVA Manager in use for all of them. I even ran a query of "Today's Detections per Product" and found nothing.

So my questions relate to AP type blocks in MOVE. Do these even happen? Does the AV scanning happen differently? I expected these types of blocks still, since the OSS servers are still using VSE, but I see nothing. Is it just files transferring over to the OSS, and none of the process or task type blocks that are in client VSE? Any information would be appreciated.

Accepted Solutions

Reliable Contributor
Message 5 of 6

Re: Any Way to See Access Protection Events With MOVE AV

I agree with rajinp,

MOVE and VSE are two completely different products.

VirusScan Features:

- OnAccess/OnDemand scan (ScriptScan)

- E-mail scan

- Buffer Overflow Protection

- Access Protection

MOVE Multi-Platform:

- OnAccess Scan with the MOVE Agent

- OnDemand Scan with OSS (Offload Scanner)

Therefore you can only see Threat Events with malware from the MOVE Agent, no other events.

If you want more protection you can install HIPS or Application Control on your server.

- HIPS: Also replaces Buffer Overflow Protection (because HIPS uses generic buffer overflow instead of the 20-30 "signatures" in VSE)

- HIPS/Application Control: Memory Protection (if both are installed, disable the Memory Protection feature in Application Control)

Hope this helps,

Cheers

5 Replies
McAfee Employee
Message 2 of 6

Re: Any Way to See Access Protection Events With MOVE AV

Are you talking about Access Protection in MOVE or a scanning issue with MOVE?

Re: Any Way to See Access Protection Events With MOVE AV

I am talking about Access Protection-like behavior and events while using MOVE. We previously had VSE on servers. If an admin encountered a block, for instance, while installing a patch, I could go into Events in the ePO console for that device and see the event related to the block. However, since switching to MOVE Multi-Platform, it seems that there are no longer events like that. Do these types of events even occur with MOVE? I have looked at the device itself, the Offload Scan Server, and the SVA Manager. In all of these, if there is an actual threat event, I see it, but if there is a block from something like Access Protection, I am not seeing events. I hope this explains it better.

McAfee Employee
Message 4 of 6

Re: Any Way to See Access Protection Events With MOVE AV

The access protection feature is not available in MOVE Multiplatform and hence you will not get any such block events.

Re: Any Way to See Access Protection Events With MOVE AV

Thank you both! This is exactly the information I was looking for.
