On Access Scanning: Hidden system files/folders scanned?

Hi everyone,

This is my first post to the McAfee Community. I've learned a lot here and it's been helpful having a place to go to when I get stumped.

We're running VSE 8.7 Patch 5 and ePO 4.6. Current DAT: 6545

Recently, a few of our users were hit with a malware program that spread via USB devices. The malware would set the executable's file attributes to hidden and system. When on access scanning is enabled, the file doesn't get detected when these attributes are present on the executable. Once these attributes are removed, on access scanning immediately detects the file as malware. Does McAfee only scan for hidden files but not hidden with a system file attribute?

Thanks,

Sean

7 Replies
bakerrl
Level 11
Message 2 of 8

Re: On Access Scanning: Hidden system files/folders scanned?

VSE will scan all files regardless if they are set to hidden, system, or both.  Someone correct me if I am wrong.  That would be a huge security risk if VSE did not scan files set to hidden and system.

First is your VSE policy set to scan all files and not set to default files?

Second are you scanning on both writes and reads?  If you are only scanning on reads then the file will not get detected when it is getting written to the usb device.

How are you detecting the file?  Are you trying to open it?  Are you doing a right-click scan?

VSE does not automatically scan USB devices upon insertion into the machine.  It will only scan a file when it is written to or read from the USB device, based on whether you are scanning on writes, scanning on reads, or both.

Message was edited by: bakerrl on 11/30/11 3:41:36 PM EST
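The reply above turns on two things: whether the policy covers all files, and the fact that the on-access scanner only acts when a file is read or written. A defender who wants to see what Explorer is hiding on a suspect drive, without running anything from it, can inventory the entries that carry both the Hidden and System attributes and hash them. The following PowerShell script is an added example written for this thread, not code from McAfee or from any poster; it assumes PowerShell 4.0 or later (for Get-FileHash) and a drive letter supplied as a parameter.

```powershell
# Added example (not from the thread): list every file on a removable drive that has
# BOTH the Hidden and System attributes set, which Explorer hides by default, and
# record size and SHA-256 for an inventory. Files are read for hashing only, never
# executed or modified. Assumptions: PowerShell 4.0+, drive letter passed as a parameter.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]$')]
    [string]$DriveLetter
)

$root   = "${DriveLetter}:\"
$hidden = [System.IO.FileAttributes]::Hidden
$system = [System.IO.FileAttributes]::System

# -Force makes Get-ChildItem return hidden and system entries it would otherwise skip.
Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object {
        # Both bits must be present; a file that is only hidden is not reported.
        (($_.Attributes -band $hidden) -eq $hidden) -and
        (($_.Attributes -band $system) -eq $system)
    } |
    ForEach-Object {
        # Get-FileHash opens the file for reading. That read is exactly the kind of
        # access an on-access scanner intercepts, so a detection at this point is the
        # expected outcome rather than a script failure.
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [PSCustomObject]@{
            Path       = $_.FullName
            SizeBytes  = $_.Length
            Attributes = $_.Attributes.ToString()
            SHA256     = $hash
        }
    }
```

Run it as `.\Find-HiddenSystemFiles.ps1 -DriveLetter E` (the script name is the example's own choice) and pipe the output to `Format-Table -AutoSize` or `Export-Csv` as needed. The script deliberately does not clear the attributes with `attrib -h -s`, because changing attributes touches the file and, as this thread goes on to establish, that touch is itself what wakes the on-access scanner; an inventory should observe, not alter.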
ccroff
Level 9
Message 3 of 8

Re: On Access Scanning: Hidden system files/folders scanned?

Make sure you don't have protected operating system files excluded anywhere.

Re: On Access Scanning: Hidden system files/folders scanned?

Thanks to bakerrl and ccroff for the responses.

Our VSE policy is set to scan all files and scanning occurs on reads and writes. I have the virus loaded on a USB thumb drive. When I navigate to the location of the malware and run an on demand scan or right-click the malware program and scan for threats, the malware is immediately found. The malware possesses both the hidden and system attributes on its files. On access scanning does not detect the malware unless I remove the hidden and system attributes. As soon as those are removed, on access scanning immediately detects and removes the malware.

What accounts for the difference in detection behavior between on demand scanning and on access scanning?

Thanks,

Sean

bakerrl
Level 11
Message 5 of 8

Re: On Access Scanning: Hidden system files/folders scanned?

In On-Access scanning the file must be touched by the user or another process.  That means the user or process must attempt to open the file to read or the user or process must be attempting to write the file to memory or disk.

On-Demand or right-click scanning is telling VSE to scan the file for malware.  It is a manual or scheduled operation.

VSE is working as expected.  The hidden or system attributes have nothing to do with it.

McShield and Scan32 use the same engine and dat so there is no difference there.

As I said before, if the file is already on the USB device, VSE (On-Access) will not "automatically" scan it unless you actually try to open it to read.  If you try to open the file by double-clicking on it, VSE should detect it.

What happens when you double-click on the file with the system and hidden attributes set?  Is it detected?  Of course, do this on a machine not connected to your network, i.e. stand-alone.

Re: On Access Scanning: Hidden system files/folders scanned?

I understand the concept of the USB drive not being scanned upon being plugged in. The method I'm using to trigger the malware to be detected is to have an infected test PC and plug in a blank USB drive (which infects the drive). I then access the USB thumb drive in Windows Explorer. The thumb drive appears to be blank, but actually contains malware files that are hidden from view. The on access scanner is silent (and I understand that is normal - no reads or writes are occurring here). If I right-click on the USB drive and scan for threats, the malware is detected. When I unhide the hidden system files on the USB thumb drive, on access scanning immediately detects the malware. My question is why does unhiding the system files trigger this response in the on access scanner?

Thanks,

Sean

bakerrl
Level 11
Message 7 of 8

Re: On Access Scanning: Hidden system files/folders scanned?

When you Unhide the system files it touches the file and OAS picks it up.  It is working as expected.

My question is if you are inserting a Blank USB Drive into a machine that is infected with malware then VSE should be detecting the malware BEFORE it even gets to the USB Drive.  That file should never get written.

Re: On Access Scanning: Hidden system files/folders scanned?

bakerrl wrote:

When you Unhide the system files it touches the file and OAS picks it up.  It is working as expected.

Excellent, thank you. That's what I was hoping to hear.

My question is if you are inserting a Blank USB Drive into a machine that is infected with malware then VSE should be detecting the malware BEFORE it even gets to the USB Drive.  That file should never get written.

That is correct, VSE will intercept the write to the USB drive. I disabled OAS while the test PC was infected (so that I could infect the thumb drive), then enabled OAS after the drive was infected. So, under normal circumstances, VSE would've stopped the malware process running in the background and thus no writes to a USB drive would occur.

I appreciate everyone's help here.

Sean
