cancel
Showing results for 
Search instead for 
Did you mean: 

MOVE disables and re-enables every ASCI?

We're constantly seeing the MOVE status being registered in the event logs as "Protection Disabled" and then a few minutes later "Protection enabled". 

It appears to be inline with the ASCI cycle so my question is this:

Does the MOVE product get disabled during the ASCI cycle when the system communicates back to ePO for policies? 

I can understand if it has to register with a new OSS but why does it happen every hour or on every communication cycle?

Just curious to understand this a bit further as this was also how one of the virtual systems got hit with Crypto.  Either the timing was terrible or there was a directed attack which disabled MOVE.  I'd really like to think it was a timing issue and not the later.

Thanks,

Dennis

"The electric light did not come from the continuous improvements of candles." - Oren Harari
4 Replies
rajinp McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: MOVE disables and re-enables every ASCI?

This should not happen.

Just try to understand what is happening. Is there any policies which gets applied or something else.

Also see what is the status of OSS whether OSS service is getting restarted by any chance.

Re: MOVE disables and re-enables every ASCI?

We've been working this issue with McAfee support and it appears to happen if the OSS shows it has reached capacity and the MOVE system doesn't utilize the 2nd configured OSS.  The status changes to disabled and will stay that way for up to 10 minutes.  I would think a notification would be in order that OSS capacity is full (guess we'll create one ourselves) and that scanning is disabled.

Not sure why they hit capacity since we've configured each to take 285 with a cap of 300.  We have 4 OSS servers which are assigned via tags and policies with only 780 virtual systems.  According to my math we should never have an OSS hitting the max of 300 when we have a total capacity for 1200 connections and only 780 systems.  We're going to try an add an additional OSS plus an SVA.  Not sure why we'd want/need an SVA if systems are assigned but that's what we're being told to do.

"The electric light did not come from the continuous improvements of candles." - Oren Harari
Highlighted
rajinp McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: MOVE disables and re-enables every ASCI?

You are right. The primary secondary concept is not for load balancing. You need to use SVA manager to do the same.

As you said, you should not see the capacity full at 285, if the load configured is High.

Re: MOVE disables and re-enables every ASCI?

We've decided to switch from MOVE to full VSE with HIPS.  Tired of constantly having to deal with inadequate protection which doesn't equal the physical device security.  To many issues with virtual systems getting hit with crypto/ransom style malware which VSE + HIPS protects against.

"The electric light did not come from the continuous improvements of candles." - Oren Harari
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community