
On-access vs on-demand (agentless)


I'm using agentless MOVE (VMware with NSX, Guest Introspection and SVM appliances).

I'm new to this particular product/setup, but have some past experience with more common McAfee products.

I think I have a good grasp of how on-demand vs on-access works.  I had a recent discussion with someone who stated that the agentless MOVE *required* on-access policies because that's "how it works".  Is that true?

Is on-demand basically useless in an agentless MOVE environment and on-access *must* be enabled?

That conceptually doesn't make a whole lot of sense to me.

4 Replies
McAfee Employee Thussain
Message 2 of 5

Re: On-access vs on-demand (agentless)

Thank you for posting your query. I hope this information gives you a better understanding of OAS and ODS in McAfee MOVE.

Agentless deployment method integrates with VMware NSX Manager and VMware vShield. It protects your virtual environment from malware without a McAfee Agent for easy deployment and setup. This deployment provides virus protection for VMs on the hypervisor.

The Agentless deployment option:
• Uses the VMware vShield Endpoint API to receive scan requests from VMs on the hypervisor.
• Relies on McAfee VirusScan Enterprise for Linux for SVM scanning and updates.
• Uses McAfee ePO to manage the McAfee MOVE AntiVirus configuration on the SVM.
• Uses McAfee Agent for policy and event handling.
• Uses McAfee ePO for reports on viruses that are discovered on the VMs.

On-access scanning
The on-access scanner examines files on the computer as the user accesses them, and provides continuous, real-time detection of threats.

The on-access scanner integrates with the system at the lowest levels (File-System Filter Driver) and scans files where they first enter the system. The on-access scanner delivers notifications to the System Service interface when detections occur.

When an attempt is made to open, close, or rename a file, the scanner intercepts the operation and takes these actions.

1 The scanner determines if the file should be scanned based on these criteria:
   • The file’s extension matches the configuration.
   • The file has not been cached, excluded, or previously scanned.
2 If the file meets the scanning criteria, the scanner compares the information in the file to the known malware signatures in the currently loaded DAT files.
   • If the file is clean, the result is cached and the read, write, or rename operation is granted.
   • If the file contains a threat, the operation is denied and the configured action is taken.
3 If the file doesn't meet the scanning requirements, the scanner caches the file and grants the operation.


On-demand scanning
The on-demand scanner examines the client systems for potential threats at regular intervals or at convenient times.

Use on-demand scans to supplement the continuous protection of the on-access scanner, such as to scan latent and inactive processes. You can also schedule regular scans at times that do not interfere with your work.

How on-demand scanning works
The on-demand scanner searches files, folders, and registry for any malware that might have infected the computer.

You decide when and how often the on-demand scans occur. You can scan at a scheduled time, or at startup.
1 The on-demand scanner uses the following criteria to determine if the item must be scanned:
   • The file extension matches the configuration.
   • The file hasn't been cached, excluded, or previously scanned (if the scanner uses the scan cache).
   If you configure McAfee GTI, the scanner uses heuristics to check for suspicious files.
2 If the file meets the scanning criteria, the scanner compares the information in the item to the known malware signatures in the currently loaded AMCore content files.
   • If the file is clean, the result is cached, and the scanner checks the next item.
   • If the file contains a threat, the scanner takes the configured action.
     For example, if the action is to clean the file, the scanner:
     1 Uses information in the currently loaded AMCore content file to clean the file.
     2 Records the results in the activity log.
     3 Notifies the user that it detected a threat in the file, and includes the item name and the action taken.
3 If the item doesn't meet the scanning requirements, the scanner doesn't check it. The scanner continues until all data is scanned.

The on-demand scan detection list is cleared when the next on-demand scan starts.

I request you to kindly refer to page 27 for more details and page 30 for "Optimizing the scanning performance on systems" from the link below:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/26000/PD26576/en_US/...


Re: On-access vs on-demand (agentless)


Thank you for the details.  There's definitely a few things in there that I'll need to re-read and digest.

Now, specifically back to one thing that I was wondering about...  OAS and ODS are basically independent of each other in a MOVE agentless environment?

It was suggested by a co-worker that MOVE agentless *is* OAS.  I'm actually considering shutting down OAS until there are enough cycles to consider working through all of the exceptions.

McAfee Employee Thussain
Message 4 of 5

Re: On-access vs on-demand (agentless)

If you refer to the topic "Enable and configure on-demand scans" on page 31, it says:

"By default, on-demand scans are not enabled. Other scan settings (for example, exclusions) are inherited from the client scan policy."

"OAS and ODS are basically independent of each other in a MOVE agentless environment": Yes, they are independent of each other.

If you read the above statement, by default, MOVE (whether Multiplatform or Agentless) has only OAS, while ODS is disabled. Hence, we do not recommend shutting down OAS.


McAfee Employee jsam
Message 5 of 5

Re: On-access vs on-demand (agentless)


Hi, strongly recommend you don't disable OAS. If you do, you are unprotected.

If you are seeing scan timeouts reported due to file locking / access, then review your exclusions policy.

For Windows systems start here: MS EXCLUSIONS = https://social.technet.microsoft.com/wiki/contents/articles/953.microsoft-anti-virus-exclusion-list....

https://support.microsoft.com/en-us/help/822158/virus-scanning-recommendations-for-enterprise-comput...

In addition, I would schedule the MOVE AGL scan diagnostic task in ePO client tasks to run on the AGL SVMs. Ideally schedule these for your business peak so you get an idea what is driving load.

This will generate data back to ePO, which you can see by running the ePO MOVE top ten reports. Use this to fine-tune your exclusions.

With AGL, make sure your OAS policies are being delivered to the SVMs and applied to the relevant VMs correctly via the policy collector by checking for the existence of this file on the SVM: /opt/McAfee/move/etc/oaspolicyaggr.xml

If it's not there, then OAS exclusion policies won't be applied and performance of your AGL protected VMs will be affected.
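
A check for the policy file named in the reply above, as an added example that is not part of the original post and is not McAfee tooling. It goes slightly beyond a bare existence test: the empty-file, well-formedness and staleness checks, the 7-day threshold, the return codes and the `--check` switch are all assumptions made for this example; only the file path comes from the thread.

```shell
#!/bin/sh
# Added example (not McAfee code). The path is the one quoted in the thread;
# the empty, well-formedness and staleness checks are assumptions added here.
OAS_POLICY_FILE="${OAS_POLICY_FILE:-/opt/McAfee/move/etc/oaspolicyaggr.xml}"

# check_oas_policy FILE [MAX_AGE_DAYS]
# Returns: 0 ok, 1 missing, 2 empty, 3 not XML, 4 older than MAX_AGE_DAYS.
check_oas_policy() {
    file=$1
    max_age_days=${2:-7}    # assumed threshold; tune to your policy cadence

    if [ ! -f "$file" ]; then
        echo "MISSING: $file (OAS exclusion policies are not being applied)"
        return 1
    fi
    if [ ! -s "$file" ]; then
        echo "EMPTY: $file"
        return 2
    fi
    # Prefer a real parser; fall back to a crude "first character is <" test.
    if command -v xmllint >/dev/null 2>&1; then
        if ! xmllint --noout "$file" >/dev/null 2>&1; then
            echo "MALFORMED: $file is not well-formed XML"
            return 3
        fi
    else
        first=$(tr -d ' \t\r\n' < "$file" | cut -c1)
        if [ "$first" != "<" ]; then
            echo "MALFORMED: $file does not look like XML"
            return 3
        fi
    fi
    # find prints the path only if it was last modified more than N days ago.
    if [ -n "$(find "$file" -mtime +"$max_age_days" 2>/dev/null)" ]; then
        echo "STALE: $file not updated in over $max_age_days days"
        return 4
    fi
    echo "OK: $file present, non-empty and well-formed"
    return 0
}

# Run on the SVM as: sh check_oas_policy.sh --check
if [ "${1:-}" = "--check" ]; then
    check_oas_policy "$OAS_POLICY_FILE"
    exit $?
fi
```

A non-zero exit code makes the script usable from cron or a monitoring agent, so a missing policy file is noticed before it shows up as a performance problem on the protected VMs.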

 

 
