Tristan
Level 15
Message 1 of 16

Scan Processes on Enable


I've just been reading the email from McAfee President & CEO Dave DeWalt about the 5958 false positive issue.

<Quote>

McAfee is aware that a number of customers have incurred a false positive error due to this release. Corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.

</Quote>

Luckily we left the 'Scan Processes on Enable' in EPO to the default setting of OFF and therefore weren't affected.

Reading through other posts on the forums, it looks like this option could potentially be causing other issues such as high CPU usage during DAT updates, etc.

Ignoring everything that has been going on the past few days...

Should we enable this option, or is it just a 'Maximum protection' setting that is safe to have disabled?

1 Solution

Accepted Solutions
rmetzger
Level 14
Message 9 of 16

Re: Scan Processes on Enable


Tristan wrote:

I've just been reading the email from McAfee President & CEO Dave DeWalt about the 5958 false positive issue.

<Quote>

McAfee is aware that a number of customers have incurred a false positive error due to this release. Corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.

</Quote>

Luckily we left the 'Scan Processes on Enable' in EPO to the default setting of OFF and therefore weren't affected.

Reading through other posts on the forums, it looks like this option could potentially be causing other issues such as high CPU usage during DAT updates, etc.

Ignoring everything that has been going on the past few days...

Should we enable this option, or is it just a 'Maximum protection' setting that is safe to have disabled?

Hi Tristan,

from VSE_8.7i_Patch 3.pdf:


2. Issue:

With the improved functionality of the on-access scanner memory scan, lower and middle ranged systems may see a performance impact at startup and after a successful AutoUpdate of the engine or DATs. Currently the Process on enable option is enabled by default on the shipping version of VirusScan Enterprise 8.7i. McAfee recommends that in a managed environment, disable this option prior to deployment of the Patch, until the impact of memory scanning can be determined for your environment. It is not possible to maintain both the more comprehensive scanning that comes with Patch 1 and later, and the former level of scanning. Therefore, only the more comprehensive scan is used.

NOTE FOR CURRENT AND NEW USERS:

    • The Patch installation does not modify current settings to disable the Process on enable option.
    • The VirusScan 8.7i NAP and extension that are included with the Patch do change the McAfee Default policy, but do not modify the My Default policy, or any custom policy settings that were made prior to the check-in of the new NAP/extension.
    • The VirusScan Enterprise 8.7i Repost with Patch now installs with the Process on enable option disabled, unless the Maximum Security option is selected during the installation.

  • As I read this, from a default fresh installed system with Patch 1 or greater (reposted), ScanProcessesOnEnable is off.
  • On a system that is upgraded to Patch 1 or higher from the original version, ScanProcessesOnEnable is left alone, with whatever setting that was there originally.
  • ePO Default policies are not changed from previous settings, when checking in the new patch (v1 or greater).
  • If the Maximum Security option is selected during installation (not the default), ScanProcessesOnEnable is turned ON regardless of the patch version.

from https://kc.mcafee.com/corporate/index?page=content&id=kb60651 :


NOTE: After applying Patch 1 or later, McAfee recommends that you disable the option to scan processes on enable unless you require the Maximum Protection configuration for Access Protection in your environment. This setting is intended for environments where security is more important than performance. Process scanning is resource intensive and can negatively affect system performance.

So, according to these documents, ScanProcessesOnEnable (the Process On Enable option) should be disabled as your default setting unless Maximum Protection is of paramount importance.

Hope this clarifies the setting.

Ron Metzger

Message was edited by: rmetzger (visual formatting) on 4/22/10 11:00:59 AM GMT-05:00

Message was edited by: rmetzger on 4/22/10 11:02:15 AM GMT-05:00
15 Replies
twenden
Level 13
Message 2 of 16

Re: Scan Processes on Enable


We have it turned off in our environment also. Have had no issues with it turned off. In fact, I am glad we did that since we managed to avoid the headaches from yesterday.

In our environment, we usually take the defaults as we have been burned before by making changes.

akl71
Level 10
Message 3 of 16

Re: Scan Processes on Enable


We have also turned off this option (and no problems)

Re: Scan Processes on Enable


I had this setting disabled and we still had a hiccup yesterday. When the weekly scheduled system scans started, all machines (XP SP3, 8.7i) threw the DCOM access error and went into a 30 second shutdown error. All machines reported the false positive. When the machines rebooted, they were fine. If I were to initiate a scan on demand, the system would error and shut down again. So while it didn't wreak the havoc on my company as it did on others, the statement that having that setting off is not true. There were still issues.

rmetzger
Level 14
Message 5 of 16

Re: Scan Processes on Enable


mikegrills wrote:

I had this setting disabled and we still had a hiccup yesterday. When the weekly scheduled system scans started, all machines (XP SP3, 8.7i) threw the DCOM access error and went into a 30 second shutdown error. All machines reported the false positive. When the machines rebooted, they were fine. If I were to initiate a scan on demand, the system would error and shut down again. So while it didn't wreak the havoc on my company as it did on others, the statement that having that setting off is not true. There were still issues.

Interesting Mike,

Could you tell us whether SvcHost.exe has been 'damaged' on these systems?

Could you run the SuperDAT remediation Tool listed here: http://vil.nai.com/vil/5958_false.htm .

This might fix the On Demand Scan issues. Let us know if it helps.

Ron Metzger

Re: Scan Processes on Enable


Ron,

The svchost.exe was not damaged at all as access was denied.

Partial Entry from EPO4.5

Threat Target File Path:C:\WINDOWS\system32\svchost.exe
Event Category:Malware detected
Event ID:1292
Threat Severity:Critical
Threat Name:W32/Wecorl.a
Threat Type:Virus
Action Taken:None
Threat Handled:false
Analyzer Detection Method:(managed) Weekly Workstation  Scan
Threat Event Descriptions
Event Description:file infected. Undetermined clean error, OAS  denied access and continued

I was able to roll back DATs and disable tasks until the newer DAT was released. I have the newest DAT and I don't seem to have an issue with scanning on my test computer. If I find that on the next scan for the workstations on the network, I will use the remediation tool.

rmetzger
Level 14
Message 7 of 16

Re: Scan Processes on Enable


mikegrills wrote:

Ron,

The svchost.exe was not damaged at all as access was denied.

Partial Entry from EPO4.5

Threat Target File Path:C:\WINDOWS\system32\svchost.exe
Event Category:Malware detected
Event ID:1292
Threat Severity:Critical
Threat Name:W32/Wecorl.a
Threat Type:Virus
Action Taken:None
Threat Handled:false
Analyzer Detection Method:(managed) Weekly Workstation  Scan
Threat Event Descriptions
Event Description:file infected. Undetermined clean error, OAS  denied access and continued

I was able to roll back DATs and disable tasks until the newer DAT was released. I have the newest DAT and I don't seem to have an issue with scanning on my test computer. If I find that on the next scan for the workstations on the network, I will use the remediation tool.

Kind of makes sense. If the 5958 DAT was in place, it stopped Svchost.exe from being allowed to execute, though since you had 'Scan Process On Enable' = Off, the file was left alone. So, SvcHost.exe was rendered mute and any process that needed it would not run. However, it was left untouched as a binary file is concerned (and not quarantined). Updating to a later DAT via the ExtraDAT or 5959 (or later) would have released the false detection and allowed SvcHost.exe to execute as normal.

The remediation tool would retrieve the proper version of SvcHost.exe and copy it back to %SystemRoot%\System32 where it belongs. Since SvcHost.exe is already the correct version, the tool probably is not needed.

Thanks for the reply.

Ron Metzger
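Ron's reasoning above (svchost.exe left in place versus actually removed) can be turned into a triage check over ePO threat events. This is an added example, not code from the thread or from McAfee: the field names follow the EPO 4.5 entry Mike posted, the sample entries are constructed, and the set of 'Action Taken' values treated as removal is an assumption.

```python
import re

# Signature of the DAT 5958 false positive as reported in the thread.
FP_THREAT_NAME = "W32/Wecorl.a"
FP_TARGET = re.compile(r"\\system32\\svchost\.exe$", re.IGNORECASE)
# Assumption: these 'Action Taken' values mean the binary is no longer in place.
REMOVED_ACTIONS = {"quarantined", "deleted"}

def parse_event(text):
    """Parse an ePO 'Key:Value' threat entry into a dict (whitespace normalised)."""
    event = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue  # section headers such as 'Threat Event Descriptions'
        key, _, value = line.partition(":")
        event[key.strip()] = " ".join(value.split())
    return event

def triage(event):
    """Classify one event: 'not_fp', 'dat_update_only' or 'run_remediation_tool'."""
    if event.get("Threat Name") != FP_THREAT_NAME:
        return "not_fp"
    if not FP_TARGET.search(event.get("Threat Target File Path", "")):
        return "not_fp"
    # OAS denied access and took no action: svchost.exe is intact, a newer DAT suffices.
    if event.get("Action Taken", "").lower() in REMOVED_ACTIONS:
        return "run_remediation_tool"
    return "dat_update_only"

# Constructed sample entries in the same shape as the EPO 4.5 entry quoted above.
EVENT_DENIED = r"""
Threat Target File Path:C:\WINDOWS\system32\svchost.exe
Event ID:1292
Threat Name:W32/Wecorl.a
Action Taken:None
Threat Handled:false
Threat Event Descriptions
Event Description:file infected. Undetermined clean error, OAS  denied access and continued
"""
EVENT_QUARANTINED = r"""
Threat Target File Path:C:\WINDOWS\system32\svchost.exe
Threat Name:W32/Wecorl.a
Action Taken:Quarantined
"""
EVENT_OTHER = r"""
Threat Target File Path:C:\Temp\dropper.exe
Threat Name:Generic.dx
Action Taken:Deleted
"""
```

Call `triage(parse_event(entry))` per event; as tonyb99's machines show, a "quarantined" event does not guarantee the file is gone, so confirm on disk before trusting the classification.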

tonyb99
Level 13
Message 8 of 16

Re: Scan Processes on Enable


I also wasn't running scan on enable (as we still have a lot of underpowered machines). I got hits on 20 or so machines with 8.7 SP3.

Each of them tried to quarantine svchost.exe and they all stated they had done so, with the appropriate file in the quarantine folder, but they all kept the file and just rebooted once. All updated normally to the 59 DAT when it was released without having to apply any additional remediation.

Dodged a big bullet there

Tac
Level 7
Message 10 of 16

Re: Scan Processes on Enable


Is the Scan Process on Enable a feature of 8.7i?

I do not seem to find it in version 8.5i

Thanks.