Message 1 of 4

How to configure On access scan to exclude Windows update cab files

 

In my setup "scan inside archives" is disabled for on access scan. But it was noticed that whenever WSUS downloads new Windows update cab files, on access scan will scan them. As a result, the CPU load goes very high, almost to 100%.

ePO version is 8.8.0. Below is the log from one of the Hyper-V virtual machines with Windows Server 2016 OS.

How to prevent OAS from scanning the Windows update cab files?

15/2/2020 6:15:35 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\8e7f308412a77b687576929014fd65fa\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:16:20 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\8e7f308412a77b687576929014fd65fa\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:17:30 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\7c21750147d1fadf0e14497188f69d3a\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:18:15 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\7c21750147d1fadf0e14497188f69d3a\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:19:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\8e7f308412a77b687576929014fd65fa\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:25:07 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\7c21750147d1fadf0e14497188f69d3a\Windows10.0-KB4534271-x64.cab none ()

 

McAfee Employee
Message 2 of 4

Re: How to configure On access scan to exclude Windows update cab files

Hi @VR9 

As recommended by Microsoft, you need to add an exclusion for .cab files:
https://support.microsoft.com/en-gb/help/900638/multiple-symptoms-occur-if-an-antivirus-scan-occurs-...

You can add an OAS exclusion based on file type as specified in the product guide (see page 49):
https://docs.mcafee.com/bundle/virusscan-enterprise-v8-8-0-product/resource/PD22941.pdf

Lastly, I would recommend looking at migrating your machines to ENS. ENS has a great feature called "Scan Avoidance". This intelligently adds exclusions for known trusted items so you don't have to. For example, these cab files are signed by Microsoft and so would be excluded from scanning in a safe way without you having to exclude anything manually. For more information about how the option Let McAfee Decide uses the AMCore trust model for scan avoidance, see the community post at: https://community.mcafee.com/t5/Documents/Explanation-of-AMCore-Trust-Model-v1p3-pdf/ta-p/550630.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
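
An added example, not part of the thread and not McAfee tooling: a small parser for OAS log lines in the space-flattened form quoted in the question. It groups "scan timed out" events by scanning process and generalized path, so you can check whether they are confined to the Windows Update download folder before deciding how broad an exclusion to add. The fourth sample line, the `outside_scope` helper and the assumption that the process path ends in `.exe` are constructed for illustration.

```python
import re
from collections import Counter

# Three lines copied from the question, plus one constructed line (the last) for contrast.
SAMPLE_LOG = r"""
15/2/2020 6:15:35 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\8e7f308412a77b687576929014fd65fa\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:16:20 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\8e7f308412a77b687576929014fd65fa\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:17:30 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe C:\Windows\SoftwareDistribution\Download\7c21750147d1fadf0e14497188f69d3a\Windows10.0-KB4534271-x64.cab none ()
15/2/2020 6:20:00 AM Not scanned (scan timed out) EXAMPLE\user1 C:\Program Files\Example\app.exe C:\Users\user1\Downloads\constructed sample.cab none ()
""".strip().splitlines()

# Fields: timestamp, result, user, scanning process, scanned file, detection name, "()".
# Users and paths may contain spaces, so fields are anchored on drive letters and ".exe".
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<result>.+?\)) (?P<user>.+?) "
    r"(?P<process>[A-Za-z]:\\.+?\.exe) (?P<target>[A-Za-z]:\\.+) "
    r"(?P<detection>\S+) \(\)$"
)
HEX_DIR = re.compile(r"^[0-9a-f]{32}$", re.I)

def generalize(path):
    """Collapse per-download hash folders and the file name into wildcards."""
    *dirs, name = path.split("\\")
    dirs = ["*" if HEX_DIR.match(d) else d for d in dirs]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return "\\".join(dirs) + "\\*." + ext

def summarize_timeouts(lines):
    """Count 'scan timed out' events per (scanning process, generalized path)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and "scan timed out" in m["result"]:
            counts[(m["process"], generalize(m["target"]))] += 1
    return counts

def outside_scope(counts, prefix):
    """Patterns that a folder-scoped exclusion under `prefix` would not cover."""
    return [p for (_, p) in counts if not p.lower().startswith(prefix.lower())]

if __name__ == "__main__":
    for (process, pattern), n in summarize_timeouts(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {process}  ->  {pattern}")
```
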
Message 3 of 4

Re: How to configure On access scan to exclude Windows update cab files

Thank you Chealey for the response.

Does this mean that the setting "scan inside archives" is not applicable for Windows update cab files?

McAfee Employee
Message 4 of 4

Re: How to configure On access scan to exclude Windows update cab files

Hi @VR9,

Thank you for your post. A cab file is a recognized archive format which will not be scanned when "scan inside archives" is not checked!

But, please note that these files are downloaded and extracted automatically during Windows update and hence this option may not be entirely helpful. Also, of course, there is a risk of letting other archive formats go unscanned!

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T