hey all,
I've been having a real hard time with threat prevention causing system instability on Linux hosts, specifically with On-Access Scanning. It's to the point that I've had to disable it on all of them.
What are some basic guidelines for On-access scanning? Should I be omitting /var/log? How about if I'm on Azure, should I omit /opt/microsoft/omsagent? On a postfix server it looks like I need to disable access to /var/opt/postfix so the server doesn't fall over.
I've tried troubleshooting these events and the McAfee logs only show "unknown error :4" when trying to access files along with complaining about files not existing. Nothing of any real value appears to be in isecoasmgr.log
Skipping all of these directories is to get the system stable again but I feel like it also defeats the purpose of the product. Should I be looking for solutions other than McAfee? Has anyone had decent success?
After working with support, this appears to be the correct approach. I'm finding little documentation on here so I'll post some commands hoping it helps someone else.
./isecav --getoasconfig --processlist
./isecav --getoasconfig --exclusionlist --profile lowrisk
./isecav --addprocess --lowrisk /usr/libexec/postfix/pickup
./isecav --getoasconfig --processlist
./isecav --getoasconfig --exclusionlist --profile lowrisk
./isecav --setoasprofileconfig --profile lowrisk --addexclusionrw --excludepaths /usr/libexec/postfix/pickup
./isecav --getoasconfig --exclusionlist --profile lowrisk

Turn on logging to verify effect. Don't leave on or may crash machine.

To enable On-Access Scan activity monitor:
./isecav --oasactivitylog enable

To disable On-Access Scan activity monitor:
/opt/isec/ens/threatprevention/bin/isecav --oasactivitylog disable
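An added example, not from the thread or from the vendor: a small POSIX sh wrapper that turns the activity monitor on only for a bounded window around a test workload and always turns it off again (the post warns that leaving it on may crash the machine), plus a check that a path appears in a profile's exclusion list. It assumes the isecav path quoted above and that "--getoasconfig --exclusionlist" prints excluded paths one per line; both are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). ISECAV is the path quoted in the
# thread; override it in the environment if your install differs.
ISECAV="${ISECAV:-/opt/isec/ens/threatprevention/bin/isecav}"

# oas_verify_excl <seconds> <command...>
# Enable the On-Access Scan activity monitor, run <command> for at most
# <seconds>, then disable the monitor again. Returns the command's exit code,
# or 124 if it was stopped at the time limit. The monitor is also disabled if
# the shell receives INT or TERM while the workload is running.
oas_verify_excl() {
    secs="$1"; shift
    "$ISECAV" --oasactivitylog enable || return 1
    trap '"$ISECAV" --oasactivitylog disable; exit 130' INT TERM
    "$@" & wpid=$!
    i=0
    # Poll once a second until the workload exits or the window closes.
    while kill -0 "$wpid" 2>/dev/null && [ "$i" -lt "$secs" ]; do
        sleep 1; i=$((i + 1))
    done
    rc=0
    if kill -0 "$wpid" 2>/dev/null; then
        kill "$wpid" 2>/dev/null || true   # time limit reached
        wait "$wpid" 2>/dev/null || true   # reap it
        rc=124
    else
        wait "$wpid" || rc=$?
    fi
    "$ISECAV" --oasactivitylog disable     # always switch the monitor off
    trap - INT TERM
    return "$rc"
}

# oas_exclusion_listed <profile> <path>
# Succeeds if <path> shows up in the exclusion list of <profile>. Assumes the
# list is printed with one path per line (assumption about output format).
oas_exclusion_listed() {
    "$ISECAV" --getoasconfig --exclusionlist --profile "$1" | grep -qF -- "$2"
}
```

After adding an exclusion as in the post, run something like `oas_verify_excl 60 systemctl reload postfix` and review the activity output for remaining hits on the excluded path; `oas_exclusion_listed lowrisk /usr/libexec/postfix/pickup` confirms the exclusion actually landed in the profile.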
It may not be the worst thing to go ahead and omit directories that are heavily accessed for your OAS policy. That's what I've ended up doing with several of my systems. As a result I have scheduled On-Demand scans that run to try and catch anything that may have gone under the radar; however, files can still be held due to the filetype and the scan's inability to read / release them properly.
A big point for LTP, from what I've understood, is the scanning aspect and Exploit Prevention capabilities. We're currently not using EP in our environment so we rely on scanning to try and cover our systems.
Have you tried doing just a memory scan and turning OAS off in the policy on the systems you're having trouble with?
Thanks for the detailed reply. Yes, disabling OAS is the only thing that alleviates the problem for us. I'm not certain if this as a long term solution would be acceptable as a security posture though. I'll have to look more into it and see what kind of flexibility I can get.