krmason
Level 8
Message 1 of 10

Issues with Linuxshield

We are currently trying to install LinuxShield on our servers, which are running SUSE Enterprise 10 SP2 with Novell OES SP1.  We are finding that LinuxShield is causing the servers to run at 100 percent CPU time and creating havoc with our servers.  Here is an email from our server specialists that explains part of the problem:

1) Because LinuxShield is 3rd party software, it is not integrated into the SLES distribution package management channels. Furthermore, since LinuxShield (as does any virus scanner) requires kernel-version specific modules, version dependencies between operating system (SLES) and virus scanner (LinuxShield) must be manually resolved, often hindering our ability to update our operating systems to Novell's latest released packages.

2) Both LinuxShield and EPO have displayed a tendency to permanently peg CPU utilization to 100% until manually killed from the command line. This seriously affects performance and availability of services on OES2 Linux.

Has anyone else experienced this problem?  We are at the point now that we are going to remove McAfee from our servers altogether.  I am hoping this is just a configuration issue.

I was also looking for exclusions for LinuxShield but can't find any in the knowledge base.

Any help would be appreciated.

Ken Mason

9 Replies
foliveir
Level 11
Message 2 of 10

Re: Issues with Linuxshield

Hello Ken,

McAfee KB # 53375 describes in detail which versions of the Kernel and Operating system are supported. Regarding your point #2, I haven't heard anything similar, so I would advise you to contact McAfee Support and raise a Service Request.

Hope this helps,

Fausto Oliveira

mhutton
Level 7
Message 3 of 10

Re: Issues with Linuxshield

We are evaluating LinuxShield with SLES 10.2, OES2.1 64 bit with the original 2.16.60-0.21-smp kernel.  We are updating LinuxShield to the latest version and still experiencing what appears to be a memory leak that consumes memory until the system locks up.  Is this a 64 bit bug?

foliveir
Level 11
Message 4 of 10

Re: Issues with Linuxshield

Hello Mike,

The lock up seems to be a similar issue to the one portrayed in McAfee KB # KB65587, where running auditd and On Access Scanner leads to the system becoming unusable.

Can you try to disable auditd and check if the phenomenon still happens?

@Ken, this may also help you. Can you check if auditd is also the root cause in your environment?

Hope this helps,

mhutton
Level 7
Message 5 of 10

Re: Issues with Linuxshield

I tried stopping, then killing the auditd process.  This has no effect on the memory leak.  Does anyone have any other ideas?

Re: Issues with Linuxshield

Hi Mike,

Probably a good idea for you to ping McAfee Technical Support and raise a case for this.

Let me know how you get on.

Cheers,

Rod.

sveld
Level 7
Message 7 of 10

Re: Issues with Linuxshield

I see the exact same issue at several sites. Did you find a solution for this yet?

Best regards, Sebastiaan Veld

krmason
Level 8
Message 8 of 10

Re: Issues with Linuxshield

No, unfortunately we have not found an answer and are not getting much help from technical support.  The decision was made to look at other solutions, as we feel that the interest in McAfee to support LinuxShield is not a high priority at this time.

sveld
Level 7
Message 9 of 10

Re: Issues with Linuxshield

Mnn, I was afraid that this would be the answer. Unbelievable that such an expensive product works so badly; it's one of the reasons I've put the license renewal for these customers on hold.

sveld
Level 7
Message 10 of 10

Re: Issues with Linuxshield

I believe I have it all working correctly now:

- Disabled auditd as suggested (though auditd should be supported, as it's enabled by default, at least on SLES)

- Removed the following folders from scanning (including subfolders): /dev, /proc, /var/log, /var/opt/novell, /admin, /_admin

It's been stable for a few weeks now.

Hope this helps.
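
An added example, not part of the thread and not LinuxShield's own matching logic: a small Python check that shows which files the exclusion list from the last post would leave unscanned. It assumes "including subfolders" means a match on whole path components, and the helper names and sample paths are constructed for illustration.

```python
import posixpath

# Exclusion list exactly as given in the final post of the thread.
EXCLUDED_DIRS = ["/dev", "/proc", "/var/log", "/var/opt/novell", "/admin", "/_admin"]


def is_excluded(path, excluded=EXCLUDED_DIRS):
    """True if path is one of the excluded folders or lies beneath one."""
    # Collapse "." and ".." so /var/log/../www is judged as /var/www.
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        raise ValueError("absolute path required: %r" % path)
    for root in excluded:
        root = posixpath.normpath(root)
        # Match on a path-component boundary, not a raw string prefix,
        # so excluding /dev does not silently exclude /developer.
        if norm == root or norm.startswith(root + "/"):
            return True
    return False


def coverage_report(paths, excluded=EXCLUDED_DIRS):
    """Split paths into (still_scanned, skipped) lists, preserving order."""
    scanned, skipped = [], []
    for p in paths:
        (skipped if is_excluded(p, excluded) else scanned).append(p)
    return scanned, skipped


# Constructed sample paths, not taken from any real server.
SAMPLE_PATHS = [
    "/dev/sda1",
    "/developer/build.sh",
    "/proc/1/maps",
    "/var/log/messages",
    "/var/logs/app.log",
    "/var/log/../www/index.html",
    "/var/opt/novell/example/data",
    "/_admin/example",
    "/home/user/file.bin",
]

if __name__ == "__main__":
    scanned, skipped = coverage_report(SAMPLE_PATHS)
    print("still scanned:", scanned)
    print("skipped:", skipped)
```

Feeding it a file listing from a server (for example the output of `find`) gives a quick view of how much of the filesystem the exclusions take out of on-access scanning.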