cancel
Showing results for 
Search instead for 
Did you mean: 
ruudkr
Level 7
Report Inappropriate Content
Message 11 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

We are also facing these issues and I would like to create some exceptions for BO too.

What is the correct way of configuring those? Is it like bccol says? Or like DeanBaker is asking?

I would not like to configure the exceptions to generic and weaken the safety of BO detection.

Reliable Contributor ansarias
Reliable Contributor
Report Inappropriate Content
Message 12 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

Hello,

On Citrix servers Buffer overflow protection should be disable as suggested by McAfee, If its enable than citrix application will not work. I faced same issue with my account and with exclusion also did not help me.

For Client PCs you can try with exclusions.

Re: Configuring buffer overflow exclusions VSE 8.8

In our case users report poor web app performance after going to McAfee 8.8 patch 4 on XenApp 6.5. We are using IE8 for compatibility reasons. Disabling BOP and DEP has not helped. The poor performance appears to be related to web apps that use Java in some way. If I disable OnAccess Scanning then the performance improves immediately.

Does anyone have any updates?

Reliable Contributor ansarias
Reliable Contributor
Report Inappropriate Content
Message 14 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

Hello,

There should be recommended McAfee exclusion for XenApp 6.5 application. Add those files and folder into OAS policy and see if its help to resolve the issue

Re: Configuring buffer overflow exclusions VSE 8.8

Hi,

I have added all the recommended exclusions but that has not helped. The issue certainly appears to be some process or file needing exclusion. Only Java related web apps appear to be impacted.

I can launch a web app that uses Java in some way and just watch IE spin while it tries to load the content. At the same time the CPU is spiking because the McShield service is consuming most of the resources. If I stop the McShield service or disable OAS then the web apps perform perfectly. If I just let IE run the content eventually loads after 30-40 seconds and IE stabilizes. So to me it appears OAS is doing its job by scanning the process or file(s). Once that scan is done and that process / file(s) is cached then IE is fine for the duration of that session. If I log off and relaunch then the behavior returns.

I've added the **\Sun\ exclusion. However, it still appears all "Sun" folders still aren't being excluded. I confirmed this by looking at the last scanned entry in the console when using a web app. Any recommendations there?

Thanks!

McAfee Employee wwarren
McAfee Employee
Report Inappropriate Content
Message 16 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

I confirmed this by looking at the last scanned entry in the console when using a web app

That's not an accurate method.

Use the VSE Profiler to tell you what is being scanned.

Also make sure you're not actually facing ScriptScan performance overhead, rather than the On Access Scanner.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: Configuring buffer overflow exclusions VSE 8.8

Thanks! I'll give Profiler a shot. ScriptScan is disabled

Re: Configuring buffer overflow exclusions VSE 8.8

Profiler returned some JavaScript and temporary internet files. No silver bullet.

I've asked McAfee support and awaiting a reply but you may know the answer. Is it true that ScriptScan isn't actually disabled until you unregister the scriptsn.dll file even if it is disabled in ePO?

I'm seeing better performance after following this workaround:

McAfee KnowledgeBase - ScriptScan causes significant performance hit/load delay on websites

McAfee Employee wwarren
McAfee Employee
Report Inappropriate Content
Message 19 of 21

Re: Configuring buffer overflow exclusions VSE 8.8

The DLL will still be loaded in the process that's running VBScript or JScript. It won't be doing scanning if the policy is disabled, but it's still adding as much overhead as it takes for it to receive the instruction and pass it along.

If you want an idea of just how many instructions are being passed through it, turn the feature on, and also enable its debugging capability:

[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\Script Scanner]

Add a REG_SZ called DebugDumpDirectory, and give it a path, e.g. C:\Test\

Making the change will require disabling Access Protection temporarily, and restarting any process that may have already loaded the ScriptScan DLL.


The feature will write to that folder every single script it sees that is being scanned. And that lets you know how many operations are running by it, even without scanning turned on. So, some overhead will be unavoidable, but it won't be noticeable unless you're dealing with massive volumes of scripts in short space of time.

The workaround you noted takes the DLL out of the picture entirely.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
Highlighted

Re: Configuring buffer overflow exclusions VSE 8.8

Users are still complaining of slow performance even after unregistering the DLL. I really thought I was onto something. I'll have to go back to McAfee support at this point and will post any updates.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community