Little bit of a wierd situation here - not sure if I am missing anything, but brain is baffled.
Enviroment: VSE8.8 (patch 1) with latest DATs and 5400.1158 engine running on Win2k8 R2 SP1. VSE exclusion policy is default process only (1 policy for all processes).
Issue: mcshield.exe spiking to 90% when certain actions carried out on server
Troubleshooting so far: Use of profiler (see https://community.mcafee.com/message/283845), perfmon monitoring during certain server actions, EICAR tests, VSE configuration checks.
Specific exclusion background: So, we have an excluded folder configured, H:\program_files\my_temp_folder\ (+subdirs). Most of the 'action' happens in that folder.
What I have just seen:
- Looking at profiler 10 top files, 8 out of the top 10 files had the extension XYZ. All XYZ files are contained in the excluded folder above
- When looking at the VSE on-access statistics last scanned field, I noticed that on occasion the following is shown: H:\PROGRA~1\MY_TEM~1\XXXXXX~1.XYZ where XXXXXX is 6 hex characters (just what the app does)
- Using notepad, when writing the EICAR test string to a file C:\EICARTEST1.txt, the test string is detected.
- Using notepad, when writing the EICAR test string to a file H:\program_files\my_temp_folder\EICARTEST2.txt, the test string is not detected.
- If I open up H:\program_files\my_temp_folder\ in Windows Explorer, and look at perfmon at the same time (process -> %processor time -> mcshield), when there is a lot of 'action' in this folder, it corresponds with the excessive CPU utilisation of this process.
Now one of the guys I am working with has suggested it is something to do with the 8.3 naming convention being enabled on the server. I have advised that I dont believe this is the case, as 8.3 naming convention needs to be enabled for an ePO install on server 2008 R2, and this would be a little wierd if it were the case. HOWEVER, on seeing what I have seen above, I have to say I am agreeing with him - although I cannot find anything relevant. I also thought that potentially the server may have been reporting physical and not logical mappings for filepaths, however if this were the case, my second EICAR test above would have resulted in a detection surely?
PS - I have also raised a support case for this.
What happens if you add an exlusion which is configured like this: H:\PROGRA~1\MY_TEM~1\
So that you actually also exclude the 8.3 configured folder name?
@Pato - valid point, I will get this tried out. Have duly kicked myself
@Alexn - I have configured the exclusion as per my initial post - H:\program_files\my_temp_folder\ (+subdirs) - have I misunderstood your comment?
Yes, Follow this kb and click browse under exclusions tab and point to that directory which you want to exclude, use wildcards if you want two three or four level deep exclusions.Remove the previous and add them following this kb, do not forget to click apply.
@Tristan - H is a local partition
@Alexn - I have already configured the exclusion. I have configured H:\program_files\my_temp_folder\ and selected 'also include subfolders', as I want to exclude that folder and all subfolders. Are you advising that I have done this wrong? Genuine question, as I advised in my opening comment of the exclusion I configured, and also gave an example of the file location that I am querying?
Are you setting exclusions like this?
It isn't 8.3 naming. That doesn't have measurable overhead on a hard drive made after 1995. Let's eliminate that up front. And this isn't required for the execution of VSE -- just the installation of ePO.
Also, you should definitely try this with patch 2. I would do this first before anything else.
If you are trying to exclude a directory, it must end in a "\". I call this the Slash Rule(tm). If you don't use a slash then it is interpretted as a file. Checking "Include Subfolders" will then have no effect at all. Adding wildcards on the end turns it back into a file.
Essentially we have to figure out why the filter driver seems not to be working the way we expect. Try to exclude by file type. Try to exclude by the process doing the work (the superior method). Ultimately you may need someone to look at the McAfee Profiler output to see if we can help you.
Regardless of the 8.3, to cover all angles the exclusions are now configured in this format (alongside old ones), and I am awaiting a retest. Essentially I know its not 8.3 due to the EICAR test carried out, but just going through the motions!
In response to the above:
- I would love to update the patch level, however am subject to change control - the time taken to get through change control, and also the reasoning for the upgrade are both problems at present. Until I get buy-in from McAfee support recommending the patch upgrade (which shouldnt be too long now!) it is unlikely the client will proceed with this option. Valid suggestion though!
- I have copied the exclusion verbatim - I have a trailing slash as required.
- I have already suggested process exclusions (adding as low-risk process, and deselecting scan on read/write - or just excluding more to be a little more secure) - sorry, missed that bit of background off!
Regarding profiler, I have a separate open support case for this also, related to https://community.mcafee.com/message/283845Message was edited by: dmease729 on 16/04/13 11:12:31 CDT
is there a specific reason why you should use full (absolute) paths to exclude files?
Not to mention that they are vulnerable to an action where something/someone just changes the drive letter (mapping) and suddenly your exclusions become worthless, they may be requiring more time to evaluate than to use generic exclusions (even folder ones).
I'd also like to add that sometimes the paths are not evaluated as you specify here but like this: Device\Harddisk\blabla\blabla2...and won't match your strings.
If I may suggest you consider the following preference order of specifying exclusions:
- use generic file names or extensions (like *.log, cust*.lo?)
- use generic fragment paths with the above (like \**\Temp\**\*.log
- use paths with full file names (if necessary)
- never use full paths with drive letters (i do not see - but challenge me - its worth because if you need to exclude a specific file that resides nowhere else than there, which you could specify without using the drive letter anyway.
I encourage everyone to challenge my best partices here, really, but this is the practice that I considered reasonable.
Thanks for listening.
AttilaMessage was edited by: apoling on 17/04/13 09:32:37 CEST