Malware detected but not deleted

In the event viewer on my EPO 4.0 server it says that Malware was detected but no action was taken. I have all my settings set to clean and delete. Where do I set the malware setting to delete detected malware? I am running version 8.7i on the client systems.
Thanks
9 Replies

Re: Malware detected but not deleted

I'm in the exact same boat. I just ran the query "VSE: Threats Detected in the Last 7 Days" and I'm seeing 2254 items with an event category of "Malware", a threat type of "virus", and an action of "none" taken. Anyone have suggestions on how to determine why this is?

apoling
Level 14

Re: Malware detected but not deleted

Hello,

Please expand the report with the event code and event description. You might have two reasons: a scan timing out or a media/file that is write protected. If so, filter these event codes in reports.

Attila

rackroyd
Level 16

Re: Malware detected but not deleted

As Attila suggests - when it comes to malware the devil is in the detail.

I would also suggest you find one of these machines and take a look at the local scanner logs.

Otherwise, any samples which truly are identified and not cleaned can be submitted to McAfee Labs for analysis.

See the 'submit a sample' link on the McAfee Service Portal:

https://mysupport.mcafee.com/eservice/Default.aspx

Also, if you know what is being detected you can look it up on the McAfee Threat Center:

http://www.mcafee.com/us/threat_center/default.asp

Hth,

Rob.

Re: Malware detected but not deleted

The majority of them have an Event ID of 1059, and an Event Description of "Scan Timed Out". Here are a few of the latest events from a local OAS log:

2/25/2010    8:05:03 AM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe    C:\WINDOWS\system32\wbem\wbemprox.dll   
2/25/2010    8:05:03 AM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\catalog.xml   
2/25/2010    8:05:03 AM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe    C:\WINDOWS\Debug\UserMode\userenv.log

Any reason why this would be happening with such frequency? 

apoling
Level 14

Re: Malware detected but not deleted

I would suggest dealing with the two problems separately. Please first filter this event code from the original report so it does not contain noise.

Then you could create a second report that only collects statistics for this event (in a grouped tabular format, for example, by filename).

Then gradually (starting with the files causing the most events) examine the files, and exclude those which are eligible (i.e. harmless) from scanning in the default policy.

Alternatively, use a high-risk/low-risk policy for processes that need or need not be scanning these files.

For example: McScript_inUse.exe could be a low risk process, but svchost.exe is definitely a high risk process.

Attila
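The triage apoling describes (drop the scan-timeout noise, then rank the timed-out files to find exclusion candidates), as an added Python example that is not from the thread. It assumes the OAS log export is tab-separated in the field order quoted above (date, time, status, user, process, target) and also accepts the space-flattened form a forum paste produces; the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the thread (tab-separated in the
# real export; the forum paste flattened the tabs to runs of spaces).
SAMPLE_LOG = (
    "2/25/2010\t8:05:03 AM\tNot scanned  (scan timed out)\tNT AUTHORITY\\SYSTEM\t"
    "\\??\\C:\\WINDOWS\\system32\\winlogon.exe\tC:\\WINDOWS\\system32\\wbem\\wbemprox.dll\n"
    "2/25/2010\t8:05:03 AM\tNot scanned  (scan timed out)\tNT AUTHORITY\\SYSTEM\t"
    "C:\\Program Files\\Network Associates\\Common Framework\\McScript_InUse.exe\t"
    "C:\\Documents and Settings\\All Users\\Application Data\\Network Associates\\Common Framework\\catalog.xml\n"
    "2/25/2010\t8:05:03 AM\tNot scanned  (scan timed out)\tNT AUTHORITY\\SYSTEM\t"
    "\\??\\C:\\WINDOWS\\system32\\winlogon.exe\tC:\\WINDOWS\\Debug\\UserMode\\userenv.log\n"
    "2/25/2010\t8:06:11 AM\tNot scanned  (scan timed out)\tNT AUTHORITY\\SYSTEM\t"
    "\\??\\C:\\WINDOWS\\system32\\winlogon.exe\tC:\\WINDOWS\\Debug\\UserMode\\userenv.log\n"
    # One constructed non-timeout record so the filtered report is not empty.
    "2/25/2010\t8:07:42 AM\tDeleted\tLAB\\alice\tC:\\WINDOWS\\explorer.exe\tC:\\Temp\\sample.tmp\n"
)

FIELDS = ("date", "time", "status", "user", "process", "target")

def parse_oas(text):
    """Split each OAS log line into the six assumed fields; skip malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Fields are tab-separated; a pasted copy leaves 3+ spaces instead.
        parts = re.split(r"\t+|\s{3,}", line)
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records

def is_timeout(rec):
    return "scan timed out" in rec["status"].lower()

def rank_timeouts(records, key="target"):
    """Timeout count per target file (or per process with key='process'), noisiest
    first, so the files to review for an exclusion or low-risk policy come out on top."""
    return Counter(r[key] for r in records if is_timeout(r)).most_common()

def without_timeouts(records):
    """The report with timeout noise removed: the events that still need attention."""
    return [r for r in records if not is_timeout(r)]

if __name__ == "__main__":
    recs = parse_oas(SAMPLE_LOG)
    for target, n in rank_timeouts(recs):
        print(f"{n:4d}  {target}")
    print(len(without_timeouts(recs)), "non-timeout event(s) left to review")
```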

rackroyd
Level 16

Re: Malware detected but not deleted

Hi,

Scan time out is to be expected sometimes on systems. Please take a look at McAfee support article:

KB55869 - Understanding why scan timeouts occur

The support knowledge base can be accessed via the McAfee Service Portal link: https://mysupport.mcafee.com/eservice/

Hth,

Rob

apoling
Level 14

Re: Malware detected but not deleted

Hi Rob,

Is that a "graceful" type of timeout the KB is speaking of, where McShield remains active but only stops processing the file, or is it a timeout that produces this every time in the event log:

A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.

The process will be terminated

Attila

rackroyd
Level 16

Re: Malware detected but not deleted

Yep.

For example if a process is locked in memory because it's in use we may generate a time-out on a scan of the process executable on disk. That would be perfectly normal.

Large archive files and databases (which are generally just very large files!) will do the same.

Time outs are normal, but it is worth checking the logs every now & then to see what is timing out, then you can adjust policies accordingly.

There is little point, for example, in repeatedly trying to scan an SQL or Oracle database.

Hth,

Rob

bperez
Level 10

Re: Malware detected but not deleted

In my case I exclude the events of that type (scan timed out and Password Protected) from being reported to the ePO server by the agent (server settings > event filtering), since all my events regard the McAfee directory. This kind of event, in my opinion, is badly categorized as a Malware type and always causes noise in reports.