
McAfee 8.7 does not detect virus when on a domain

Hello,

I have McAfee installed on all the 25 computers running Windows XP on my network. The computers are connected to a server running Windows SBS 2003 running a domain. Recently I encountered a virus attack on the system. I had the Access Protection, Buffer protection and the On Access Scanner turned on for all the computers.

After digging in I discovered that the server had no virus, but the other PCs had. Moreover, when I logged in as administrator with the PCs on the Local computer (instead of the domain) - McAfee detected virus instantly. Also, it detects the virus when I do a system scan but shows it up again and again after each scan. It doesn't detect it with on access scanner though.

So I am guessing that McAfee isn't detecting viruses / or has some rights issues when on a domain on the client PCs. I need to know how I should get it to work even on the client PCs.

Any help would be appreciated.

Thank You

Ankit Saboo

15 Replies
ajacobs
Message 2 of 16

Re: McAfee 8.7 does not detect virus when on a domain

I've moved this thread to our VirusScan Enterprise product area. Hopefully someone with product expertise can help you soon.

Re: McAfee 8.7 does not detect virus when on a domain

Very Very Interesting


I faced the same problem in many PCs in my domain. W2K8 native domain. ePO running on W2K3 R2 and clients running XP SP2/SP3. People were complaining of a very slow system. I saw lots of services in the task manager. Got suspicious. Scanned the whole PC, caught enough viruses for lunch. Another 6 or 7 PCs with same scenario. How the hell did viruses end up in the system? The only way any data can enter our network is through two IT administrator PCs. Their PCs were clean. I didn't care to report it back then. We have multiple virus scanning on the email gateway.

Maybe one more reason for McAfee to stop 'patching' and release a brand new version built from the ground up to defend new threats. Google for best antivirus or security suite; I promise, results are not in McAfee's best interest. It was OK 5 years back when enterprise used internet only for sending email. Now even the office kitchen has a computer. Companies acknowledge internet as a business medium. Slow and steady release is not going to work anymore.

I've been hearing VirusScan 9.0 for a long time (even before 8.7i). The rumors were that it will have next gen antispyware and access protection. I for one, would really like that rumor to become real. Having the largest virus signature database wouldn't help much if the program using the engine doesn't do its job. Access protection in 8.7i was a very good start, but nothing progressed after that. I really wish to see access protection identify the files by the hash or digital signature rather than just name (which can be faked). If you create TEMP folder in any drive, access protection will block applications running from there. It was supposed to detect whether the temp folder is on a system drive; unfortunately, it doesn't. McAfee grew larger than I imagined; during the process it lost control of its products. But I still stand by along with other loyal people to see it make a comeback with "enterprise" products that are made for this internet age.

1ndian

Message was edited by: easy1ndian on 3/13/10 11:15:27 AM GMT+04:00
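
The point raised in the post above about rules keyed on a file or folder name, shown as an added example that is not part of the original post and is not McAfee's code: a simplified model comparing a name-only allow rule with a SHA-256 allowlist, and a name-only TEMP folder rule with one scoped to the system drive. All file names, paths, byte strings and function names are constructed for illustration.

```python
import hashlib
import ntpath

# Constructed sample data: byte strings stand in for file contents.
TRUSTED_BYTES = b"constructed stand-in for a trusted updater binary"
OTHER_BYTES = b"constructed stand-in for an unknown binary"

ALLOWED_NAMES = {"updater.exe"}                              # hypothetical name rule
ALLOWED_SHA256 = {hashlib.sha256(TRUSTED_BYTES).hexdigest()}  # hypothetical hash rule


def allowed_by_name(path):
    """Name-only rule: trusts whatever the file happens to be called."""
    return ntpath.basename(path).lower() in ALLOWED_NAMES


def allowed_by_hash(content):
    """Hash rule: trusts the bytes, whatever the file is called."""
    return hashlib.sha256(content).hexdigest() in ALLOWED_SHA256


def in_temp_by_name(path):
    """Name-only folder rule: any folder called TEMP, on any drive."""
    _, rest = ntpath.splitdrive(path)
    folders = [part.lower() for part in rest.split("\\")[:-1] if part]
    return "temp" in folders


def in_temp_on_system_drive(path, system_drive="C:"):
    """Scoped folder rule: TEMP folders count only on the system drive."""
    drive, _ = ntpath.splitdrive(path)
    return drive.upper() == system_drive.upper() and in_temp_by_name(path)


def evaluate(path, content):
    """Run all four rules against one (path, content) pair."""
    return {
        "allowed_by_name": allowed_by_name(path),
        "allowed_by_hash": allowed_by_hash(content),
        "temp_rule_name_only": in_temp_by_name(path),
        "temp_rule_system_drive": in_temp_on_system_drive(path),
    }


if __name__ == "__main__":
    for path, content in [(r"D:\TEMP\updater.exe", OTHER_BYTES),
                          (r"C:\Tools\renamed.exe", TRUSTED_BYTES)]:
        print(path, evaluate(path, content))
```

The first sample shows both mismatches at once: unknown bytes pass the name rule because of the file name, and a TEMP folder on a non-system drive is matched by the name-only folder rule but not by the scoped one.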
Mal09
Message 4 of 16

Re: McAfee 8.7 does not detect virus when on a domain

You really haven't provided enough information for me to comment accurately about the situation. I'm sure many other people are in the same boat.

Can you post part of the On-Demand-Scanner log file (and/or On-Access-Scanner log file) which shows the detection names and where they were found.

Re: McAfee 8.7 does not detect virus when on a domain

Mal09 wrote:

You really haven't provided enough information for me to comment accurately about the situation. I'm sure many other people are in the same boat.

Can you post part of the On-Demand-Scanner log file (and/or On-Access-Scanner log file) which shows the detection names and where they were found.

While all this happened, I was out of town and I still am and so I do not have access to the log file. Moreover, the problem was severe and the virus was disconnecting users from the network and so, those guys have already formatted the PCs and hence we don't have the log file.

But what I can tell you is that the scanner was not detecting any virus while on the client PC when logged in on the domain and as soon as you log out and log back in on the local computer, tadaa - it showed the viruses detected by the on-access-scanner. All the viruses were in system32.

The server did not even have a single virus, which proves that the on-access-scanner (or you can say McAfee antivirus) was working well on the server.

I do not have ePO installed but should that make a difference? The installation package that I built was built with the ePO capability but I did not have ePO set up on any server. Again, should that make a difference? Because the setup just had ePO capability and it never said that it won't work without an ePO server.

Thank You

Message was edited by: sabooankit on 3/13/10 9:33:18 AM CST

Re: McAfee 8.7 does not detect virus when on a domain

Saboo,

I am interested in knowing the current VSE config that you have. Which engine have you deployed?

5400 or the 5300 ?

Sameer

Re: McAfee 8.7 does not detect virus when on a domain

I have the same problem in 200 computers. Several times my computers have been formatted, because they had viruses and McAfee did not detect them. I say "McAfee did not detect" because when I installed another globally recognized brand of antivirus, it found several infected files.

What can be that?

I have a W2008Server, ePO 4.5 (patched), VS 8.7p4 engine 5400 and last DAT, AntiSpyware add on and SiteAdvisor 3

My clients are WinXP sp3 with VS 8.7p4 engine 5400 and last DAT, AntiSpyware add on and SiteAdvisor 3

If you know something about this, please write me.

Thanks,

apoling
Message 8 of 16

Re: McAfee 8.7 does not detect virus when on a domain

Hi jgalarraga,

from your screenshot I suspect that the trojan has placed itself in the Restore folder (which behaviour I've seen several times, when seeing ODS detections) to get planted by the opsys itself. I've searched the internet and found information that "by design" the System Restore does not allow manipulating files within the restore folder (except when a trojan writes there apparently 😞 ). See: http://virusall.com/software/remrestore.php or http://www.f-prot.com/support/windows/fpwin_faq/350.html

Therefore first thing to do is to disable System restore and then once that's done, you can start an ODS scan of the system with up to date signature and engine (and no file/folder exclusions, preferably).

Attila

Re: McAfee 8.7 does not detect virus when on a domain

Thanks so much for your answer but,

I want to know WHY...... If I purchased a total protection suite and it is fully installed and configured, my computers are infected?

Therefore when I uninstall McAfee and install another antivirus it detects viruses, I do not understand.........

I tried with McAfee Artemis, tried with a few options of maximum protection, but I have the same problem over my 200 PCs.

thanks

HELP ME PLEASE

apoling
Message 10 of 16

Re: McAfee 8.7 does not detect virus when on a domain

You are asking a difficult question...

I've seen cases where VirusScan does not detect a certain "malware" while another AV program detected it (both were on the latest signature). Personally, I accept that 1. not all AV programs can detect always everything from the same pool/set of malware, 2. therefore an AV program should offer the most comprehensive and meaningful complementary protection techniques in addition.

Therefore I'd rather say that turning on Buffer Overflow protection, Script scanning, and my favourite: Access Protection (with relevant rules enabled for blocking and reporting) is generally enough, should be enough to prevent a new threat from getting planted.

Preventing disabling of AV services or processes is a must, for example.

Once a trojan installs onto a computer it is very hard to completely clear the computer of it, because the trojan always has one or two device drivers that load before AV drivers or services and keep files open, continually writing registry, etc. This is why it is key to have proper Access Protection rules in place.

Artemis is good but it requires two prerequisites: you set the Artemis level properly (to be sensitive but not oversensitive) and McAfee should have the hash already in their database of the suspicious file.

I'd be glad to discuss this topic further with you outside this thread but only based on concrete settings, logs and other information.

Attila
