
Threat prevention best practice on Linux hosts


hey all,

I've been having a real hard time with threat prevention causing system instability on Linux hosts, specifically with On-Access Scanning. It's to the point that I've had to disable it on all of them.

 

What are some basic guidelines for On-access scanning? Should I be omitting /var/log? How about if I'm on Azure, should I omit /opt/microsoft/omsagent? On a postfix server it looks like I need to disable access to /var/opt/postfix so the server doesn't fall over.

I've tried troubleshooting these events and the McAfee logs only show "unknown error :4" when trying to access files, along with complaining about files not existing. Nothing of any real value appears to be in isecoasmgr.log.

Skipping all of these directories is to get the system stable again but I feel like it also defeats the purpose of the product. Should I be looking for solutions other than McAfee? Has anyone had decent success?

6 Replies
Reliable Contributor User91972758
Reliable Contributor
Message 2 of 7

Re: Threat prevention best practice on Linux hosts


It may not be the worst thing to go ahead and omit directories that are heavily accessed for your OAS policy. That's what I've ended up doing with several of my systems. As a result I have scheduled On-Demand scans that run to try and catch anything that may have gone under the radar; however, files can still be held due to the filetype and the scan's inability to read / release them properly.

 

A big point for LTP, from what I've understood, is the scanning aspect and Exploit Prevention capabilities. We're currently not using EP in our environment so we rely on scanning to try and cover our systems.

 

Have you tried doing just a memory scan and turning OAS off in the policy on the systems you're having trouble with?

Re: Threat prevention best practice on Linux hosts


Thanks for the detailed reply. Yes, disabling OAS is the only thing that alleviates the problem for us. I'm not certain if this would be acceptable as a long-term solution from a security posture standpoint, though. I'll have to look more into it and see what kind of flexibility I can get.

Reliable Contributor User91972758
Reliable Contributor
Message 4 of 7

Re: Threat prevention best practice on Linux hosts

For sure, I'd recommend also looking into excluding it by process if you haven't already. Just be sure the policy is updated accordingly to use your list of processes and not having the option for "Let McAfee Decide" selected under the Low Risk tab 🙂

Hope this helps!

Re: Threat prevention best practice on Linux hosts


After working with support, this appears to be the correct approach. I'm finding little documentation on here so I'll post some commands hoping it helps someone else.

  ./isecav --getoasconfig --processlist
  ./isecav --getoasconfig --exclusionlist --profile lowrisk

  ./isecav --addprocess --lowrisk /usr/libexec/postfix/pickup
  ./isecav --getoasconfig --processlist
  ./isecav --getoasconfig --exclusionlist --profile lowrisk

  ./isecav --setoasprofileconfig --profile lowrisk --addexclusionrw --excludepaths /usr/libexec/postfix/pickup
  ./isecav --getoasconfig --exclusionlist --profile lowrisk

Turn on logging to verify the effect. Don't leave it on, or it may crash the machine.

To enable the On-Access Scan activity monitor:

  ./isecav --oasactivitylog enable

To disable the On-Access Scan activity monitor:

  /opt/isec/ens/threatprevention/bin/isecav --oasactivitylog disable
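The procedure above (mark a process as low risk, exclude its path in the lowrisk profile, switch the activity log on only for a bounded window, count what the log recorded for that process, switch the log off again) as one POSIX shell script. This is an added example, not code from the thread or from McAfee: it uses the isecav binary path, the log path and the flags exactly as the poster shared them, while the DRY_RUN variable, the function names and the bounded-window idea are this example's own. It makes no assumption about the activity log's line format; hits are counted by plain substring match, which is enough to see whether an excluded process stopped generating scan events.

```shell
#!/bin/sh
# Added example, not from the thread or from McAfee. Wraps the isecav
# commands posted above so the activity log can never be left enabled.
# Assumed: binary and log paths as posted in the thread; flags as posted.

ISECAV="${ISECAV:-/opt/isec/ens/threatprevention/bin/isecav}"
ACTIVITY_LOG="${ACTIVITY_LOG:-/opt/isec/ens/threatprevention/var/isectpdactivity.log}"

# Run isecav, or only print the command line when DRY_RUN=1 (review first).
isecav() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$ISECAV $*"
    else
        "$ISECAV" "$@"
    fi
}

# Mark a process low-risk and exclude its path from read/write scanning in
# the lowrisk profile, then print both lists so the change can be confirmed.
oas_exclude_process() {
    proc="$1"
    [ -n "$proc" ] || { echo "usage: oas_exclude_process /path/to/binary" >&2; return 2; }
    isecav --addprocess --lowrisk "$proc"
    isecav --setoasprofileconfig --profile lowrisk --addexclusionrw --excludepaths "$proc"
    isecav --getoasconfig --processlist
    isecav --getoasconfig --exclusionlist --profile lowrisk
}

# Enable the OAS activity monitor for N seconds (default 30) and disable it
# again even if the script is interrupted, since leaving it on is what the
# thread warns can crash the machine.
oas_sample_activity() {
    secs="${1:-30}"
    trap 'isecav --oasactivitylog disable' EXIT INT TERM
    isecav --oasactivitylog enable
    sleep "$secs"
    isecav --oasactivitylog disable
    trap - EXIT INT TERM
}

# Count activity-log lines mentioning a path. Run before and after an
# exclusion: the count for the excluded process should drop to zero.
# No log line format is assumed; this is a fixed-string substring match.
oas_activity_hits() {
    log="$1"; needle="$2"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    hits=$(grep -c -F -- "$needle" "$log") || true
    echo "$hits"
}

main() {
    case "${1:-}" in
        exclude) oas_exclude_process "$2" ;;
        sample)  oas_sample_activity "${2:-30}" ;;
        hits)    oas_activity_hits "${2:-$ACTIVITY_LOG}" "$3" ;;
        *) echo "usage: $0 exclude <process> | sample [seconds] | hits [log] <path>" >&2; exit 2 ;;
    esac
}

# Only dispatch when run as a script named oas_tune.sh; sourcing it just
# defines the functions.
case "${0##*/}" in oas_tune.sh) main "$@" ;; esac
```

Typical use is `DRY_RUN=1 ./oas_tune.sh exclude /usr/libexec/postfix/pickup` to review the commands, the same without DRY_RUN to apply them, then `./oas_tune.sh sample 30` followed by `./oas_tune.sh hits "" /usr/libexec/postfix/pickup` before and after the exclusion to confirm the process no longer shows up in the activity log.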

Re: Threat prevention best practice on Linux hosts

Forgot: monitor the file with

  cat /opt/isec/ens/threatprevention/var/isectpdactivity.log

Reliable Contributor User91972758
Reliable Contributor
Message 7 of 7

Re: Threat prevention best practice on Linux hosts

These are awesome! I'm going to add this to my notes. I usually just manually add them through my OAS policy in ePO so this is quite a bit more efficient being able to do this in CLI.

Glad to know it seems things are getting better.