Hey all, I am new to the community and was just wondering if someone could answer a question that I can't seem to find any discussions about in the forums. These questions are concerning when an OAS scan from ePO 5.3 is performed during web browsing file downloads and detects a potentially malicious file (event generated time) and reports to ePO at a later time (event received time).
"Event Generated Time": Time that the event was detected, which may be different than the actual download time-frame. "Event Received Time": Time that the event was received by the ePO server. ... As for "Mac machines create an issue with this?" I haven't heard of one.
@tao But from my understanding of OAS, it scans when something is written to the physical disk, so wouldn't it make sense that it marks that time as the event generated time? Otherwise what's the point? I'll never be able to accurately investigate a user's proxy traffic and associate it with the McAfee timestamp. Thanks for your quick reply btw!
The amount of time taken to scan the file depends primarily on the following factors:
- File complexity
- File size
- File location
- File type - File extensions
- Processing power
- Network speed
McAfee anti-virus products have an intentional cutoff time when the scan of a particular file must stop; the scan time-out feature is intended to prevent a denial of service. If the file is still being scanned after XX seconds (default is 45), the scanner will time out. The length of time before this time-out occurs varies by product; VSE OAS can be configured under "On-Access General Policies <> General <> Maximum scan time".
So, from my understanding - OAS is scanning the downloads; yet the scan is performed one at a time until complete or a time-out occurs. That doesn't mean that the internet stops all downloads/rendering of the webpages until OAS is done with the first file/exe, the second, third and ... It renders the page and eventually OAS does scan those files/exe.
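
Added example, not part of any post in this thread and not McAfee code: since the event generated time can trail the download by an unknown scan-queue delay, one way to tie a detection to proxy traffic is a look-back window join rather than an exact timestamp match. The log records, field names, addresses and the 10-minute window are all constructed assumptions, not the ePO or any proxy vendor's schema.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit
import posixpath

# Constructed sample data (not from the thread). Field names are assumptions.
# All timestamps are assumed to be in the same time zone (UTC).
PROXY_LOG = [
    ("2016-03-01T14:02:11", "10.0.0.5", "http://cdn.example.test/files/setup.exe"),
    ("2016-03-01T14:02:40", "10.0.0.5", "http://news.example.test/index.html"),
    ("2016-03-01T14:03:05", "10.0.0.7", "http://cdn.example.test/files/setup.exe"),
    ("2016-03-01T13:10:00", "10.0.0.5", "http://old.example.test/setup.exe"),
]
AV_EVENT = {"generated": "2016-03-01T14:03:30", "host_ip": "10.0.0.5",
            "path": r"C:\Users\bob\Downloads\setup.exe"}

def candidate_downloads(event, proxy_log, lookback=timedelta(minutes=10)):
    """Return proxy entries from the same host that precede the event's
    generated time by at most `lookback`, best filename match first."""
    detected = datetime.fromisoformat(event["generated"])
    # Detected file name, taken from the Windows path in the AV event.
    wanted = event["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    hits = []
    for ts, client, url in proxy_log:
        lag = detected - datetime.fromisoformat(ts)
        # Keep only requests from the same host, made before the detection
        # and inside the look-back window.
        if client != event["host_ip"] or not timedelta(0) <= lag <= lookback:
            continue
        name = posixpath.basename(urlsplit(url).path).lower()
        hits.append({"url": url, "lag_s": int(lag.total_seconds()),
                     "name_match": name == wanted})
    # Name matches first, then the smallest gap between request and detection.
    return sorted(hits, key=lambda h: (not h["name_match"], h["lag_s"]))

if __name__ == "__main__":
    for hit in candidate_downloads(AV_EVENT, PROXY_LOG):
        print(hit)
```

The filename match is only a ranking hint: browsers often write a download under a temporary name first, so non-matching requests inside the window are kept as candidates rather than dropped.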