Add it in the 'Unwanted Programs Policy' instead.
This is the correct place.
So I should add it as an exclusion in this policy? To be absolutely sure: I DON'T want it to be deleted. R_Server.exe is a program we need and don't want to lose due to VirusScan detecting it as a virus. That's why we need it to be excluded somewhere.
I excluded it in the on-access scanner, but that's not enough; it gets deleted anyway.
Is there any way I could push the exclusion together with the initial deployment so the exclusion is in place right away?
It depends 'why' it's getting deleted. Is it because it is detected as a 'potentially unwanted program'? If it is, you can add an exclusion to the PUP (potentially unwanted programs) policy by excluding the 'Threat Name', NOT the executable name.
Make sure the exclusions you are making actually make it to the clients if you are using EPO.
Yes, you can put these exclusions in the initial package, but you have to use McAfee Installation Designer, which you can download from McAfee's download site using your grant number. It's very easy to use, and you can base the policy on the machine you run the program on, or configure the settings as you go.
Today I was at work again after vacation and an unplanned hospital visit :(
I am testing why the r_server.exe file is getting deleted and how to prevent this. When installing VirusScan, a few moments later a message pops up telling me it has removed the .exe file.
Here is a part of the OnAccessScanLog that contains the message (sorry, in Dutch):
3-9-2009 17:00:17 Programmabestandsversie = 5301.4018
3-9-2009 17:00:17 Versie AntiVirus-DAT = 5728.0
3-9-2009 17:00:17 Aantal detectiedefinities in EXTRA.DAT = Geen
3-9-2009 17:00:17 Namen van detectiedefinities in EXTRA.DAT = Geen
3-9-2009 17:00:20 Verwijderd SVICT\test C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\r_server.exe RemAdm-RemoteAdmin (Hulpprogramma voor extern beheer)
3-9-2009 17:00:45 Statistieken:
3-9-2009 17:00:45 Gescande bestanden: 205
3-9-2009 17:00:45 Gedetecteerde bestanden: 1
3-9-2009 17:00:45 Opgeschoonde bestanden: 0
3-9-2009 17:00:45 Verwijderde bestanden: 1
Now how do I know how to make sure this doesn't happen any more? What should I do using EPO?
As jawuk said: in PUP exclusions add the threat name RemAdm-RemoteAdmin, and that should exclude it.
OK. Thx for the info.
I have made the required changes and all seems to work. What I see now is that some of the PCs are still reporting "Unwanted program deleted".
It looks like the program is detected before the exclusions defined in the "Unwanted Programs Policies" are enforced.
What can I do about this?
Below is the EPO log.
Threat Event Log Information
Server ID: SRVEPO
Event Received Time (UTC): 9/3/09 4:34:43 PM
Event Generated Time (UTC): 9/3/09 4:31:22 PM
Agent GUID: 38EA2CA9-4DC9-407B-A01A-97CCE302B2A6
Detecting Prod ID (deprecated): VIRUSCAN8700
Detecting Product Name: VirusScan Enterprise
Detecting Product Version: 8.7
Detecting Product Host Name: 601PC30
Detecting Product IPv4 Address: 10.236.48.2
Detecting Product IP Address: 0:0:0:0:0:ffff:aec:3002
Detecting Product MAC Address:
DAT Version: 5728.0000
Engine Version: 5301.4018
Threat Source Host Name:
Threat Source IPv4 Address: 10.236.48.2
Threat Source IP Address: 0:0:0:0:0:ffff:aec:3002
Threat Source MAC Address:
Threat Source User Name:
Threat Source Process Name:
Threat Source URL:
Threat Target Host Name: 601PC30
Threat Target IPv4 Address: 10.236.48.2
Threat Target IP Address: 0:0:0:0:0:ffff:aec:3002
Threat Target MAC Address:
Threat Target User Name: NT AUTHORITY\SYSTEM
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path: C:\WINDOWS\system32\r_server.exe
Event Category: Malware (av.pup)
Event ID: 21027
Threat Severity: Alert
Threat Name: RemAdm-RemoteAdmin
Threat Type: Remote Admin Tool
Action Taken: Deleted
Threat Handled: true
Analyzer Detection Method: OAS
Threat Event Descriptions
Event Description: Unwanted program deleted.
Host IPS Event Information
This is not an IPS event.
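To see which hosts still deleted the file after the exclusion was set, ePO Threat Event Log records in the key/value layout shown above can be filtered by threat name and action. This is an added example, not code from the thread or from McAfee; the sample text is constructed from the fields in the record above plus a made-up second host (601PC31) on which the same PUP was reported but not deleted.

```python
"""Added example: filter ePO Threat Event Log records (the key/value layout
in the post above) for PUP deletions of a threat the policy should exclude."""
from datetime import datetime

# Constructed sample: the post's record, plus a made-up host 601PC31 on which
# the same PUP was reported but not deleted (the exclusion took effect there).
SAMPLE_LOG = """Threat Event Log Information
Event Generated Time (UTC): 9/3/09 4:31:22 PM
Detecting Product Host Name: 601PC30
Threat Target File Path: C:\\WINDOWS\\system32\\r_server.exe
Event Category: Malware (av.pup)
Event ID: 21027
Threat Name: RemAdm-RemoteAdmin
Action Taken: Deleted
Threat Event Log Information
Event Generated Time (UTC): 9/3/09 4:40:10 PM
Detecting Product Host Name: 601PC31
Threat Target File Path: C:\\WINDOWS\\system32\\r_server.exe
Event Category: Malware (av.pup)
Event ID: 21027
Threat Name: RemAdm-RemoteAdmin
Action Taken: None
"""
RECORD_START = "Threat Event Log Information"

def parse_records(text):
    """Split the log into records; each becomes a dict of 'Key: value'."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == RECORD_START:
            current = {}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")  # first colon only; paths keep theirs
            current[key.strip()] = value.strip()
    return records

def deleted_pups(records, excluded_threats):
    """(host, time, path) for PUP events whose excluded threat was still deleted."""
    hits = []
    for r in records:
        if ("av.pup" in r.get("Event Category", "")
                and r.get("Threat Name") in excluded_threats
                and r.get("Action Taken") == "Deleted"):
            when = datetime.strptime(r["Event Generated Time (UTC)"],
                                     "%m/%d/%y %I:%M:%S %p")
            hits.append((r["Detecting Product Host Name"], when,
                         r["Threat Target File Path"]))
    return sorted(hits, key=lambda h: h[1])
```

Run `deleted_pups(parse_records(SAMPLE_LOG), {"RemAdm-RemoteAdmin"})` against an export of the real log to list the hosts whose copy of r_server.exe must be restored once the policy has reached them.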
This is becoming a pain in the ***. Many more computers are reporting the same event back to EPO. Those computers are having the r_server.exe deleted as an unwanted program, as you can see in my previous post.
Anyone who can tell me why this is happening? I included RemAdm-RemoteAdmin in the exclusions field of the Unwanted Programs Policies and still they get deleted.
To me it looks like the program is deleted before the policy is pushed out to the client. If I made the right exclusion, that's the only explanation I can think of.
I've looked into Installation Designer but was unable to find the option to include some exclusions in the package.
The MID 8.7 product guide, page 14, has the unwanted programs section for the Installation Designer; download it from the documentation link in my prods that you got MID 8.7 from in the first place.