Harper
Level 7
Message 1 of 5

How can McAfee VSE delete a file from CD-R

We see Event ID: 1027 reacting to malicious files on a CD/DVD-R Disk (NOT RE-WRITABLE)
McAfee reports it as
Action Taken: Deleted
and
Event Description: "Infected file deleted"

Is McAfee actually burning an additional session in which it virtually deletes files?
How exactly is McAfee VSE or other McAfee Products actually achieving the end result of deletion of the infected file?

4 Replies
MarkCMc
McAfee Employee
Message 2 of 5

Re: How can McAfee VSE delete a file from CD-R

No, if the disc is not re-writable, VirusScan cannot bypass that limitation. It would create a quarantined version of the file on the hard drive and follow your primary and secondary actions set by policy (clean, then delete, by default). It should mark the file for deletion after reboot, which of course would fail. I think if you had an action of deny access it would prevent the file from executing, though. As you can imagine, the scenario of infected files on CD-Rs does not come up often these days, as the 700MB size limitation is too restrictive and user-unfriendly in most modern situations... no offense intended. 🙂

Harper
Level 7
Message 3 of 5

Re: How can McAfee VSE delete a file from CD-R

No Offense taken at all 🙂

This raises more questions though as McAfee Log actually shows the entries of
Action Taken: Deleted
and
Event Description: "Infected file deleted"

While the Disk may not have been closed out, the Session was.

johma
McAfee Employee
Message 4 of 5

Re: How can McAfee VSE delete a file from CD-R

Hi Harper,

The logs stating "deleted" as a status can be attributed to a file that was deleted or marked for deletion. Where a hard disk is the source of the file, the relevant action will be carried out immediately or thereafter on next reboot, pending a file lock that needs to be released prior to actual removal. Access to the file at this point should not be possible either way.

When working with CDs it is not possible to delete the file from the disk regardless of the disk status.

You are correct in your statement. If a CD has been written (filled) and closed/finalized, then the media is read only and files cannot be removed.

Where a smaller "session" has been written to the disk, Windows provides the opportunity to use the CD as if it was "closed" by writing a table of contents to the CD. This allows Windows to read the disk and work as normal without wasting usable space.

Where new files are added, then an updated version of the table of contents is written to the disk after the new files have been added.

You can write as many updates to the disk as you like, but each time you lose approximately 50MB of storage for each updated table of contents in addition to the space required for the added files until the disk is finalized/closed.

The only way to actively delete a file from a CD (that has not been 'finalized') is to use Windows or other third party CD software to remove the file/re-create a new table of contents/session that does not include the unwanted file/s and to finalize the CD when appropriate.

This is out of scope for an Anti Malware product due to restrictions of the CD technology used.

This may be an opportunity to add a Product Enhancement Request to add an additional note to the logs to state "detection of possible read only media, files may not be deleted" or applicable statement.


Re: How can McAfee VSE delete a file from CD-R

I presume this is being detected/reported during your on-access scans (OAS), since I don't think this would be possible for on-demand scans (ODS).

That said, are your OAS policies configured to scan "When reading from disk" or "Opened for backup"?  If so, then I think it may be possible for VSE to delete a source file reference targeted for a CD-R session while buffering in-memory (before commit).

As indicated by the McAfee employees above, I don't think it's physically possible to delete a CD-R target file once the buffered session is committed, finalized, and closed -- effectively making the CD-R target file read-only on physical media.
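For anyone triaging these events, the sketch below is an added example (not part of the thread and not McAfee code) that annotates Event ID 1027 "Deleted" records whose path sits on an optical drive, along the lines of the log note suggested above. The record field names, sample paths and verdict strings are assumptions; `GetDriveTypeW` is the real Win32 call, and its value 5 (`DRIVE_CDROM`) covers any optical drive without distinguishing CD-R from CD-RW.

```python
import ntpath
import os
import sys

DRIVE_CDROM = 5  # GetDriveTypeW value for any optical drive (CD/DVD, -R or -RW)

def drive_type(root):
    """Return the Win32 drive type for a root such as 'E:\\' (Windows only)."""
    if sys.platform != "win32":
        raise OSError("GetDriveTypeW is only available on Windows")
    import ctypes
    return ctypes.windll.kernel32.GetDriveTypeW(root)

def triage(events, get_type=drive_type, exists=os.path.exists):
    """Annotate 'Deleted' detections whose file sits on optical media.

    events: dicts with hypothetical keys event_id, action, path.
    Returns a list of (event, verdict) pairs.
    """
    results = []
    for ev in events:
        if ev["event_id"] != 1027 or ev["action"] != "Deleted":
            results.append((ev, "not-applicable"))
            continue
        drive, _ = ntpath.splitdrive(ev["path"])
        if get_type(drive + "\\") != DRIVE_CDROM:
            verdict = "not-optical"  # log entry is plausible as written
        elif exists(ev["path"]):
            # Disc is mounted and the file is still readable: nothing was removed.
            verdict = "still-present-on-optical-media"
        else:
            # Disc ejected or path unreadable: cannot confirm either way.
            verdict = "unverified-optical-media"
        results.append((ev, verdict))
    return results

# Constructed sample records; field names and paths are illustrative only.
SAMPLE_EVENTS = [
    {"event_id": 1027, "action": "Deleted", "path": "E:\\tools\\setup.exe"},
    {"event_id": 1027, "action": "Deleted", "path": "C:\\Users\\a\\dl.exe"},
    {"event_id": 1027, "action": "Deleted", "path": "F:\\old\\run.exe"},
]
SAMPLE_DRIVES = {"E:\\": DRIVE_CDROM, "C:\\": 3, "F:\\": DRIVE_CDROM}

def demo():
    """Run triage on the constructed samples with stubbed drive and file checks."""
    still_there = lambda p: p.startswith("E:")  # pretend only E: is mounted
    return [v for _, v in triage(SAMPLE_EVENTS, SAMPLE_DRIVES.get, still_there)]

if __name__ == "__main__":
    print(demo())
```

On a real Windows endpoint, call `triage(events)` with the defaults so the drive type and file presence are read from the system while the disc is still inserted.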
