I'm in the exact same boat. I just ran the query "VSE: Threats Detected in the Last 7 Days" and I'm seeing 2254 items with an event category of "Malware", a threat type of "virus", and an action of "none" taken. Anyone have suggestions on how to determine why this is?
Please expand the report with the event code and event description. You might have two reasons: a scan timing out or a media/file that is write-protected. If so, filter these event codes in reports.
As Atilla suggests - when it comes to malware the devil is in the detail.
I would also suggest you find one of these machines and take a look at the local scanner logs.
Otherwise, any samples which truly are identified and not cleaned can be submitted to McAfee Labs for analysis.
See the 'submit a sample' link on the McAfee Service Portal:
Also, if you know what is being detected you can look it up on the McAfee Threat Center:
The majority of them have an Event ID of 1059, and an Event Description of "Scan Timed Out". Here are a few of the latest events from a local OAS log:
2/25/2010 8:05:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\wbem\wbemprox.dll
2/25/2010 8:05:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\catalog.xml
2/25/2010 8:05:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\Debug\UserMode\userenv.log
Any reason why this would be happening with such frequency?
I would suggest dealing with the two problems separately. Please first filter this event code from the original report so it does not contain noise.
Then you could create a second report that only collects statistics for this event (in a grouped tabular format, for example, by filename).
Then gradually (starting with the files causing the most events) examine the files and exclude those which are eligible (i.e. harmless) from scanning in the default policy.
Alternatively, use a high-risk/low-risk policy for processes that do or do not need to be scanning these files.
For example: McScript_inUse.exe could be a low risk process, but svchost.exe is definitely a high risk process.
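To illustrate the timeout-only report suggested above (statistics grouped by file name and by requesting process), here is an added example that is not from the thread or from McAfee. It parses the whitespace-separated OAS log layout exactly as pasted earlier in the thread; real log exports may be tab-delimited, in which case the regular expression would need adjusting. The three quoted log lines are reused as input, and two further lines are constructed for the example.

```python
import re
from collections import Counter

# Sample OAS (on-access scanner) log lines. The first three are the lines
# quoted in the thread; the last two are constructed for this example.
SAMPLE_OAS_LOG = r"""
2/25/2010 8:05:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\wbem\wbemprox.dll
2/25/2010 8:05:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\catalog.xml
2/25/2010 8:05:03 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\Debug\UserMode\userenv.log
2/25/2010 8:06:40 AM Not scanned (scan timed out) NT AUTHORITY\SYSTEM C:\Program Files\Network Associates\Common Framework\McScript_InUse.exe C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\catalog.xml
2/25/2010 8:07:11 AM Deleted CORP\jdoe C:\WINDOWS\explorer.exe C:\Documents and Settings\jdoe\Local Settings\Temp\sample.tmp
"""

# Assumed layout (matches the lines pasted in the thread):
#   <date> <time> <AM|PM> <status> <user> <requesting process path> <scanned file path>
# Paths may contain spaces, so the process path is recognised by its "X:\" or
# "\??\X:\" prefix and the scanned file by the last "X:\" that starts a token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<status>Not scanned \([^)]*\)|\S+)\s+"
    r"(?P<user>.+?)\s+"
    r"(?P<process>(?:\\\?\?\\)?[A-Za-z]:\\.+?)\s+"
    r"(?P<file>[A-Za-z]:\\.+)$"
)


def parse_oas_line(line):
    """Parse one OAS log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["timed_out"] = "scan timed out" in rec["status"].lower()
    # Drop the NT-native "\??\" prefix so both spellings of a process path group together.
    if rec["process"].startswith("\\??\\"):
        rec["process"] = rec["process"][4:]
    return rec


def summarize_timeouts(log_text):
    """Count 'scan timed out' events by scanned file and by requesting process."""
    by_file, by_process = Counter(), Counter()
    total = unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_oas_line(line)
        if rec is None:
            unparsed += 1
            continue
        total += 1
        if rec["timed_out"]:
            by_file[rec["file"]] += 1
            by_process[rec["process"]] += 1
    return {"total": total, "unparsed": unparsed,
            "by_file": by_file, "by_process": by_process}


def timeout_candidates(summary, min_events=2):
    """Files to examine first: those timing out at least min_events times, most frequent first.
    Whether a file is harmless and can be excluded is still a manual decision."""
    return [(path, n) for path, n in summary["by_file"].most_common() if n >= min_events]


if __name__ == "__main__":
    s = summarize_timeouts(SAMPLE_OAS_LOG)
    print(f"{s['total']} events parsed, {s['unparsed']} unparsed")
    print("Timed-out files (most frequent first):")
    for path, n in s["by_file"].most_common():
        print(f"  {n:4d}  {path}")
    print("Requesting processes:")
    for proc, n in s["by_process"].most_common():
        print(f"  {n:4d}  {proc}")
    print("Review first:", [p for p, _ in timeout_candidates(s)])
```

The per-process counts feed the high-risk/low-risk decision directly: a process that repeatedly times out on its own data files (McScript_InUse.exe on catalog.xml here) is a candidate for a low-risk process policy, while the per-file list drives the exclusion review.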
Scan timeouts are to be expected sometimes on systems. Please take a look at McAfee support article:
KB55869 - Understanding why scan timeouts occur
The support knowledge base can be accessed via the McAfee Service Portal link: https://mysupport.mcafee.com/eservice/
Is that a "graceful" type of timeout the KB is speaking of, where McShield remains active but only stops processing the file, or is it a timeout that produces this every time in the event log:
A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.
The process will be terminated
For example, if a process is locked in memory because it's in use, we may generate a time-out on a scan of the process executable on disk. That would be perfectly normal.
Large archive files and databases (which are generally just very large files!) will do the same.
Timeouts are normal, but it is worth checking the logs every now & then to see what is timing out; then you can adjust policies accordingly.
There is little point, for example, in repeatedly trying to scan an SQL or Oracle database.
In my case I exclude the events of that type (scan timed out and password protected) from being reported to the ePO server by the agent (Server Settings > Event Filtering), since all my events relate to the McAfee directory. This kind of event, in my opinion, is badly categorized as a Malware type and always causes noise in reports.