9 Replies Latest reply on Sep 26, 2010 7:18 PM by bperez

    Malware detected but not deleted

In the event viewer on my ePO 4.0 server it says that malware was detected but no action was taken. I have all my settings set to clean and delete. Where do I set the malware setting to delete detected malware? I am running version 8.7i on the client systems.
Thanks
        • 1. Re: Malware detected but not deleted

I'm in the exact same boat. I just ran the query "VSE: Threats Detected in the Last 7 Days" and I'm seeing 2254 items with an event category of "Malware", a threat type of "virus", and an action of "none" taken. Anyone have suggestions on how to determine why this is?

          • 2. Re: Malware detected but not deleted
            Attila Polinger

Hello,

Please expand the report with the event code and event description. You might have two reasons: a scan timing out or a media/file that is write-protected. If so, filter these event codes in reports.

             

            Attila

            • 3. Re: Malware detected but not deleted
              rackroyd

As Attila suggests, when it comes to malware the devil is in the detail.

I would also suggest you find one of these machines and take a look at the local scanner logs.

Otherwise, any samples which truly are identified and not cleaned can be submitted to McAfee Labs for analysis.

              See the 'submit a sample' link on the McAfee Service Portal:

              https://mysupport.mcafee.com/eservice/Default.aspx

               

              Also, if you know what is being detected you can look it up on the McAfee Threat Center:

              http://www.mcafee.com/us/threat_center/default.asp

               

              Hth,

               

              Rob.

              • 4. Re: Malware detected but not deleted

The majority of them have an Event ID of 1059, and an Event Description of "Scan Timed Out". Here are a few of the latest events from a local OAS log:

2/25/2010    8:05:03 AM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe    C:\WINDOWS\system32\wbem\wbemprox.dll
2/25/2010    8:05:03 AM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe    C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\catalog.xml
2/25/2010    8:05:03 AM    Not scanned  (scan timed out)     NT AUTHORITY\SYSTEM    \??\C:\WINDOWS\system32\winlogon.exe    C:\WINDOWS\Debug\UserMode\userenv.log

Any reason why this would be happening with such frequency?

                • 5. Re: Malware detected but not deleted
                  Attila Polinger

I would suggest dealing with the two problems separately. Please first filter this event code from the original report so it does not contain noise.

Then you could create a second report that only collects statistics for this event (in a grouped tabular format, for example, by filename).

Then gradually (starting with the files causing the most events) examine the files, and exclude those which are eligible (i.e. harmless) from scanning in the default policy.

Alternatively, use a high-risk/low-risk policy for processes that need or need not be scanning these files.

For example: McScript_InUse.exe could be a low-risk process, but svchost.exe is definitely a high-risk process.

                   

                  Attila
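The review Attila describes, as an added example that is not part of this thread and not McAfee's own tooling: a small Python script that parses lines in the layout of the OAS log excerpt quoted above, groups the "scan timed out" entries by target file and by opening process, and ranks the files to examine first. The tab-delimited layout, the six-field order, the "Deleted" row and the archive/database extension list are assumptions made for the example; only the first three log rows come from the thread.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional


class OasEvent(NamedTuple):
    """One line of the VirusScan Enterprise on-access scanner (OAS) log."""
    date: str
    time: str
    status: str   # e.g. "Not scanned  (scan timed out)"
    user: str     # account on whose behalf the file was opened
    process: str  # process that opened the file
    target: str   # file the scanner tried to scan


# Constructed sample: the first three rows are the lines quoted in the post
# above, the rest are made up to show counting and a database file. The fields
# are assumed to be tab-delimited; the forum rendering collapsed the tabs.
_ROWS = [
    ("2/25/2010", "8:05:03 AM", "Not scanned  (scan timed out)", r"NT AUTHORITY\SYSTEM",
     r"\??\C:\WINDOWS\system32\winlogon.exe", r"C:\WINDOWS\system32\wbem\wbemprox.dll"),
    ("2/25/2010", "8:05:03 AM", "Not scanned  (scan timed out)", r"NT AUTHORITY\SYSTEM",
     r"C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe",
     r"C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\catalog.xml"),
    ("2/25/2010", "8:05:03 AM", "Not scanned  (scan timed out)", r"NT AUTHORITY\SYSTEM",
     r"\??\C:\WINDOWS\system32\winlogon.exe", r"C:\WINDOWS\Debug\UserMode\userenv.log"),
    # constructed rows from here on
    ("2/25/2010", "8:07:10 AM", "Not scanned  (scan timed out)", r"NT AUTHORITY\SYSTEM",
     r"\??\C:\WINDOWS\system32\winlogon.exe", r"C:\WINDOWS\system32\wbem\wbemprox.dll"),
    ("2/25/2010", "8:09:44 AM", "Not scanned  (scan timed out)", r"NT AUTHORITY\SYSTEM",
     r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     r"C:\Program Files\Microsoft SQL Server\MSSQL\Data\master.mdf"),
    ("2/25/2010", "8:10:02 AM", "Deleted", r"DOMAIN\jdoe",
     r"C:\WINDOWS\explorer.exe", r"C:\Temp\sample.com"),
]
SAMPLE_OAS_LOG = "\n".join("\t".join(row) for row in _ROWS)

# Accept a tab or a run of three or more spaces between fields, so the
# space-rendered variant from the forum parses too; the status field itself
# only ever contains a double space ("Not scanned  (scan timed out)").
_FIELD_SEP = re.compile(r"\t|\s{3,}")


def parse_oas_line(line: str) -> Optional[OasEvent]:
    parts = [p.strip() for p in _FIELD_SEP.split(line.strip()) if p.strip()]
    if len(parts) != 6:
        return None  # blank, header or truncated line
    return OasEvent(*parts)


def parse_oas_log(text: str) -> list[OasEvent]:
    events = (parse_oas_line(line) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


def is_timeout(ev: OasEvent) -> bool:
    return "scan timed out" in ev.status.lower()


def timeouts_by_target(events) -> Counter:
    """Timed-out scans per target file: the grouping suggested for the report."""
    return Counter(ev.target for ev in events if is_timeout(ev))


def timeouts_by_process(events) -> Counter:
    """Timed-out scans per opening process, for high-/low-risk process policies.
    The leading \\??\\ NT object prefix is stripped before taking the basename."""
    return Counter(PureWindowsPath(ev.process.lstrip("\\?")).name
                   for ev in events if is_timeout(ev))


# File types that routinely time out (archives, databases). Assumed list for
# illustration only, not a vendor recommendation.
LARGE_FILE_EXTS = {".mdf", ".ldf", ".ndf", ".dbf", ".zip", ".cab", ".iso", ".vhd", ".pst"}


def is_likely_large_file(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in LARGE_FILE_EXTS


def exclusion_candidates(events, min_hits: int = 2) -> list[tuple[str, int, bool]]:
    """Files to review for a scan exclusion, most frequent first, plus a flag
    for archive/database types. Each file still needs a manual look before it
    is excluded; frequency alone does not make it harmless."""
    ranked = sorted(timeouts_by_target(events).items(), key=lambda kv: (-kv[1], kv[0]))
    return [(path, n, is_likely_large_file(path))
            for path, n in ranked if n >= min_hits or is_likely_large_file(path)]


if __name__ == "__main__":
    evs = parse_oas_log(SAMPLE_OAS_LOG)
    print(f"{len(evs)} events, {sum(map(is_timeout, evs))} scan timeouts")
    for proc, n in timeouts_by_process(evs).most_common():
        print(f"  process {proc}: {n}")
    for path, n, big in exclusion_candidates(evs):
        print(f"  review {path}: {n} timeout(s){' [archive/database]' if big else ''}")
```

Run it against a real OnAccessScanLog.txt by replacing SAMPLE_OAS_LOG with the file contents; the output list is the starting point for the per-file review, not an exclusion list to apply as-is.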

                  • 6. Re: Malware detected but not deleted
                    rackroyd

                    Hi,

                     

                    Scan time out is to be expected sometimes on systems. Please take a look at McAfee support article:

                     

                    KB55869 - Understanding why scan timeouts occur

                    The support knowledge base can be accessed via the McAfee Service Portal link: https://mysupport.mcafee.com/eservice/

                     

                    Hth,

                     

                    Rob

                    • 7. Re: Malware detected but not deleted
                      Attila Polinger

                      Hi Rob,

                       

Is that a "graceful" type of timeout the KB is speaking of, when McShield remains active but only stops processing the file, or is it a timeout that produces this every time in the event log:

                       

                      A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.

                      The process will be terminated

                       

                      Attila

                      • 8. Re: Malware detected but not deleted
                        rackroyd

                        Yep.

                         

For example, if a process is locked in memory because it's in use, we may generate a time-out on a scan of the process executable on disk. That would be perfectly normal.

Large archive files and databases (which are generally just very large files!) will do the same.

Timeouts are normal, but it is worth checking the logs every now & then to see what is timing out; then you can adjust policies accordingly.

There is little point, for example, in repeatedly trying to scan an SQL or Oracle database.

                         

                        Hth,

                         

                        Rob

                        • 9. Re: Malware detected but not deleted
                          bperez

In my case I exclude the events of that type (scan timed out and password protected) from being reported to the ePO server by the agent (Server Settings > Event Filtering), since all my events relate to the McAfee directory. This kind of event, in my opinion, is badly categorized as a malware type and always causes noise in reports.