Message 1 of 3

Lots of Scan Timed Out events

Hello,

MOVE AV Client 3.5.1.117 and McAfee Agent 5.0.0.2620. I see quite a lot of "Scan Timed Out" events on multiple servers (2012 and 2012 R2). Here are some files that cause time outs:

C:\Windows\Installer\ffa90.msp

C:\Windows\Installer\f488f3b.msp

C:\Windows\Installer\f488f0f.msp

C:\Windows\Installer\ffb48.msi

C:\Windows\Installer\ffaf3.msi

C:\9e0f8fea913f8e21ed2bb7308b851a\1033_enu_lp\x64\setup\sppowerpivot.msi

They all seem to be legit and related to Windows Updates. Is it OK to exclude C:\Windows\Installer\*.msp and C:\Windows\Installer\*.msi from scanning? I'm not sure how to deal with the last one though since the directory name is random.

Thanks.

2 Replies
Message 2 of 3

Re: Lots of Scan Timed Out events

Hi Nov1ce,

We've encountered a lot of similar issues in our environment with MOVE Agentless in our VMware Horizon View environment.

Even really odd scans of VMware Tools, VMware Horizon View Agent, PCoIP Logs etc. (this was certainly the case with MOVE 2.6; I don't dare remove the exclusions on the migrated 3.5 policy we are running now!) that the product really should be aware of out of the box.

Essentially the question you need to ask yourself is "is it causing a problem?"

I've seen several occasions where a scan time-out has indeed caused programs to not function correctly and implementing a scanning exemption has solved the problem.

C:\Windows\Installer is a cache location (used for future repairs and during the initial installation of any MSI file) and therefore should be ok to implement an exemption on that path (that is on the assumption that MOVE removes any malicious MSI installers initially when downloaded before they are executed).

Regarding the last one - again, if this is causing an issue (and the specific file sppowerpivot.msi is having an issue installing), you can use a single file exemption these days (just put an exemption in for sppowerpivot.msi) or if part of the path is consistent, use a wildcard character for the part of the path which isn't.

e.g. C:\*\x64\setup\

In summary, the initial setup of MOVE for a given environment can be a bit of a "whack-a-mole" affair to initially tune the scanning policies; however, you will eventually come to a point where the scanning timeouts will rarely feature in the logs and the few events which remain will be for random files (e.g. a cached Internet Explorer file) that you could never make a reliable exemption for.

Hope that helps!


Message 3 of 3

Re: Lots of Scan Timed Out events

Hi Paul,

Thank you for your reply!


Paul_N wrote:

Essentially the question you need to ask yourself is "is it causing a problem?"

That's a good question. I think it's not causing any issues apart from polluting the logs and unnecessarily consuming resources. At least in the ePO it says Action Taken: allowed access.

However, in our case all virtual servers are managed with SCCM. It took me some time to make SCCM and MOVE clients become friends, but I've seen a case when the service pack for MSSQL failed to install. Could be a coincidence though (it was pushed by the SCCM client) -- the following file was scanned by MOVE client and timed out:

C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB2979597\ServicePack\x64\setup\sql_tools.msp

After I added an exception for C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\* it fixed the problem.
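Added example, not part of the thread and not McAfee tooling: a small audit that checks which of the exclusions discussed above cover the reported timed-out files, and whether any of them also cover paths that should stay scanned. It assumes `*` matches any run of characters including backslashes and that a pattern ending in `\` covers everything under that folder; MOVE's actual matching rules may differ, and `MUST_SCAN`, `covers`, `audit` and `uncovered` are hypothetical names with constructed sample paths.

```python
import re

# Timed-out files reported in the thread.
TIMED_OUT = [
    r"C:\Windows\Installer\ffa90.msp",
    r"C:\Windows\Installer\f488f3b.msp",
    r"C:\Windows\Installer\f488f0f.msp",
    r"C:\Windows\Installer\ffb48.msi",
    r"C:\Windows\Installer\ffaf3.msi",
    r"C:\9e0f8fea913f8e21ed2bb7308b851a\1033_enu_lp\x64\setup\sppowerpivot.msi",
    r"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache"
    r"\KB2979597\ServicePack\x64\setup\sql_tools.msp",
]
# Constructed paths in user-writable locations that should remain scanned.
MUST_SCAN = [
    r"C:\Users\Public\Downloads\x64\setup\installer.exe",
    r"C:\Temp\unpacked\x64\setup\helper.dll",
    r"C:\Windows\Installer\readme.txt",
]
# Exclusions proposed in the thread.
PATTERNS = [
    r"C:\Windows\Installer\*.msp",
    r"C:\Windows\Installer\*.msi",
    "C:\\*\\x64\\setup\\",
    r"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\*",
]

def covers(pattern, path):
    """True if the exclusion covers the path (assumed semantics, see lead-in)."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    if pattern.endswith("\\"):      # folder exclusion: include its contents
        body += ".*"
    return re.fullmatch(body, path, re.IGNORECASE) is not None

def audit(patterns, timed_out, must_scan):
    """Per pattern: the timed-out files it silences and the overreach."""
    return {p: {"covered": [f for f in timed_out if covers(p, f)],
                "overreach": [f for f in must_scan if covers(p, f)]}
            for p in patterns}

def uncovered(patterns, timed_out):
    """Timed-out files that no proposed exclusion covers."""
    return [f for f in timed_out if not any(covers(p, f) for p in patterns)]

if __name__ == "__main__":
    for pat, res in audit(PATTERNS, TIMED_OUT, MUST_SCAN).items():
        print(f"{pat}\n  covers {len(res['covered'])} timed-out file(s), "
              f"overreach: {res['overreach'] or 'none'}")
    print("still uncovered:", uncovered(PATTERNS, TIMED_OUT) or "none")
```

Under these assumptions the extension-scoped and fixed-folder exclusions show no overreach on the sample set, while `C:\*\x64\setup\` also covers both constructed user-writable paths.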
