17 Replies. Latest reply on Sep 7, 2009 6:47 AM by jmaxwell

    Newly deployed VS is removing program despite policy exclusion

      We are using a Deployment task, scheduled to run once in the past, to deploy VirusScan v8.7 to newly discovered AD machines.
      On these machines resides an already installed program called Remote Administrator (r_server.exe). After deployment the On-Access scanner almost immediately removes this program, despite the fact that we added the r_server.exe file as an exclusion to the "On-Access Default Processes" policy.

      Can someone please tell me what I am doing wrong here and how to fix this, as it is breaking our deployment?

      Thx...
        • 1. RE: Newly deployed VS is removing program despite policy exclusion
          Add it in the 'Unwanted Programs Policy' instead.

          This is the correct place.

          regards

          Jamie
          • 2. RE: Newly deployed VS is removing program despite policy exclusion


            So I should add it as an exclusion in this policy? To be absolutely sure: I DON'T want it to be deleted. R_Server.exe is a program we need and don't want to lose due to VirusScan detecting it as a virus. That's why we need it to be excluded somewhere.

            I excluded it in the On-Access scanner, but that's not enough; it gets deleted anyway.

            Is there any way I could push the exclusion together with the initial deployment, so the exclusion is in place right away?
            • 3. RE: Newly deployed VS is removing program despite policy exclusion
              It depends 'why' it's getting deleted. Is it because it is detected as a 'potentially unwanted program'? If it is, you can add an exclusion to the PUP (potentially unwanted programs) policy, by excluding the 'Threat Name', NOT the executable name.


              Make sure the exclusions you are making actually make it to the clients if you are using ePO.

              Yes, you can put these exclusions in the initial package, but you have to use McAfee Installation Designer, which you can download from McAfee's download site using your grant number. It's very easy to use, and you can base the policy on the machine you run the program on, or configure the settings as you go.


              Jamie
              • 4. RE: Newly deployed VS is removing program despite policy exclusion
                Today I was at work again after vacation and an unplanned hospital visit :(

                I am testing why the r_server.exe file is getting deleted and how to prevent this. When installing VirusScan, a few moments later a message pops up telling me it has removed the .exe file.

                Here is the part of the OnAccessScanLog that contains the message (translated from Dutch):


                3-9-2009 17:00:17 Program file version = 5301.4018
                3-9-2009 17:00:17 AntiVirus DAT version = 5728.0
                3-9-2009 17:00:17 Number of detection definitions in EXTRA.DAT = None
                3-9-2009 17:00:17 Names of detection definitions in EXTRA.DAT = None
                3-9-2009 17:00:20 Deleted SVICT\test C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\r_server.exe RemAdm-RemoteAdmin (Remote administration tool)

                3-9-2009 17:00:45 Statistics:
                3-9-2009 17:00:45 Files scanned: 205
                3-9-2009 17:00:45 Files detected: 1
                3-9-2009 17:00:45 Files cleaned: 0
                3-9-2009 17:00:45 Files deleted: 1



                Now, how do I make sure this doesn't happen any more? What should I do using ePO?
                • 5. RE: Newly deployed VS is removing program despite policy exclusion
                  jmcleish
                  As jawuk said: in the PUP exclusions add the threat name, RemAdm-RemoteAdmin, and that should exclude it.
                  • 6. RE: Newly deployed VS is removing program despite policy exclusion
                    Ok. Thx for the info.
                    I have made the required changes and all seems to work. What I see now is that some of the PCs are still reporting "Unwanted program deleted".
                    It looks like the program is detected before the exclusion defined in the "Unwanted Programs Policies" is enforced.
                    What can I do about this?

                    Below is the ePO log.


                    Threat Event Log Information
                    Server ID: SRVEPO
                    Event Received Time (UTC): 9/3/09 4:34:43 PM
                    Event Generated Time (UTC): 9/3/09 4:31:22 PM
                    Agent GUID: 38EA2CA9-4DC9-407B-A01A-97CCE302B2A6
                    Detecting Prod ID (deprecated): VIRUSCAN8700
                    Detecting Product Name: VirusScan Enterprise
                    Detecting Product Version: 8.7
                    Detecting Product Host Name: 601PC30
                    Detecting Product IPv4 Address: 10.236.48.2
                    Detecting Product IP Address: 0:0:0:0:0:ffff:aec:3002
                    Detecting Product MAC Address:
                    DAT Version: 5728.0000
                    Engine Version: 5301.4018
                    Threat Source Host Name:
                    Threat Source IPv4 Address: 10.236.48.2
                    Threat Source IP Address: 0:0:0:0:0:ffff:aec:3002
                    Threat Source MAC Address:
                    Threat Source User Name:
                    Threat Source Process Name:
                    Threat Source URL:
                    Threat Target Host Name: 601PC30
                    Threat Target IPv4 Address: 10.236.48.2
                    Threat Target IP Address: 0:0:0:0:0:ffff:aec:3002
                    Threat Target MAC Address:
                    Threat Target User Name: NT AUTHORITY\SYSTEM
                    Threat Target Port Number:
                    Threat Target Network Protocol:
                    Threat Target Process Name:
                    Threat Target File Path: C:\WINDOWS\system32\r_server.exe
                    Event Category: Malware (av.pup)
                    Event ID: 21027
                    Threat Severity: Alert
                    Threat Name: RemAdm-RemoteAdmin
                    Threat Type: Remote Admin Tool
                    Action Taken: Deleted
                    Threat Handled: true
                    Analyzer Detection Method: OAS
                    Threat Event Descriptions
                    Event Description: Unwanted program deleted.
                    Host IPS Event Information
                    This is not an IPS event.

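The triage that replies 4 and 6 do by hand, as an added example that is not part of the thread or of McAfee's tooling: parse ePO "Threat Event Log Information" records and OnAccessScanLog detection lines, keep only PUP deletions (category av.pup, action Deleted), and report which threat names still need an Unwanted Programs Policy exclusion and which hosts keep deleting a threat that is already excluded (the policy has not reached them yet, or the deletion predates it). The sample records are constructed from the values in this thread plus one invented non-PUP event; the OnAccessScanLog is assumed to be tab-separated, since the paste above lost its separators. Function names are this example's own.

```python
"""Triage VirusScan Enterprise PUP deletions from ePO threat events and the
local On-Access scan log.  Added example; not code from the thread or McAfee."""
from collections import defaultdict

EPO_RECORD_HEADER = "Threat Event Log Information"

# Constructed sample: two ePO records in the "Key: Value" layout shown in the
# thread.  The second (EICAR, av.detect) is invented to show a non-PUP event.
SAMPLE_EPO_EVENTS = """\
Threat Event Log Information
Event Generated Time (UTC): 9/3/09 4:31:22 PM
Detecting Product Host Name: 601PC30
Threat Target User Name: NT AUTHORITY\\SYSTEM
Threat Target File Path: C:\\WINDOWS\\system32\\r_server.exe
Event Category: Malware (av.pup)
Event ID: 21027
Threat Name: RemAdm-RemoteAdmin
Threat Type: Remote Admin Tool
Action Taken: Deleted
Analyzer Detection Method: OAS
Event Description: Unwanted program deleted.
Host IPS Event Information
This is not an IPS event.
Threat Event Log Information
Event Generated Time (UTC): 9/3/09 4:40:10 PM
Detecting Product Host Name: 601PC31
Threat Target File Path: C:\\Temp\\eicar.com
Event Category: Malware (av.detect)
Threat Name: EICAR test file
Action Taken: Deleted
"""

# Constructed OnAccessScanLog sample; fields ASSUMED tab-separated:
# date, time, action, user, process, file, threat name, threat type.
SAMPLE_OAS_LOG = (
    "3-9-2009\t17:00:17\tAntiVirus DAT version = 5728.0\n"
    "3-9-2009\t17:00:20\tVerwijderd\tSVICT\\test\tC:\\WINDOWS\\Explorer.EXE\t"
    "C:\\WINDOWS\\system32\\r_server.exe\tRemAdm-RemoteAdmin\t"
    "(Hulpprogramma voor extern beheer)\n"
    "3-9-2009\t17:00:45\tStatistieken:\n"
)

# Localised action words (Dutch log in the thread) mapped to one canonical form.
OAS_ACTIONS = {"Verwijderd": "Deleted", "Deleted": "Deleted",
               "Opgeschoond": "Cleaned", "Cleaned": "Cleaned"}


def parse_epo_events(text):
    """Split an ePO threat-event dump into one dict per record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == EPO_RECORD_HEADER:
            current = {}
            records.append(current)
            continue
        key, sep, value = line.partition(":")   # first colon only: values hold times/IPv6
        if current is None or not sep:          # prose such as "This is not an IPS event."
            continue
        current[key.strip()] = value.strip()
    return records


def parse_oas_log(text):
    """Return detection lines from an OnAccessScanLog; skip headers and statistics."""
    hits = []
    for raw in text.splitlines():
        fields = raw.split("\t")
        if len(fields) < 7 or fields[2] not in OAS_ACTIONS:
            continue
        hits.append({"date": fields[0], "time": fields[1],
                     "action": OAS_ACTIONS[fields[2]], "user": fields[3],
                     "process": fields[4], "path": fields[5], "threat": fields[6]})
    return hits


def pup_deletions(events):
    """ePO events where the PUP scanner (category av.pup) deleted a file."""
    return [e for e in events
            if "av.pup" in e.get("Event Category", "")
            and e.get("Action Taken") == "Deleted"]


def missing_pup_exclusions(events, excluded_threat_names):
    """Threat names deleted as PUP that are not yet in the Unwanted Programs
    Policy exclusion list, mapped to the hosts that reported them."""
    excluded = {n.lower() for n in excluded_threat_names}
    pending = defaultdict(set)
    for e in pup_deletions(events):
        name = e.get("Threat Name", "")
        if name.lower() not in excluded:
            pending[name].add(e.get("Detecting Product Host Name", "?"))
    return dict(pending)


def hosts_ignoring_exclusion(events, excluded_threat_names):
    """Hosts that still deleted a PUP whose threat name IS excluded: the policy
    has not been enforced there yet (or the deletion predates it)."""
    excluded = {n.lower() for n in excluded_threat_names}
    return {e.get("Detecting Product Host Name", "?") for e in pup_deletions(events)
            if e.get("Threat Name", "").lower() in excluded}


if __name__ == "__main__":
    events = parse_epo_events(SAMPLE_EPO_EVENTS)
    print("PUP threat names still to exclude:", missing_pup_exclusions(events, []))
    print("hosts deleting an excluded PUP:",
          hosts_ignoring_exclusion(events, ["RemAdm-RemoteAdmin"]))
    for hit in parse_oas_log(SAMPLE_OAS_LOG):
        print("OAS", hit["action"], hit["path"], "as", hit["threat"])
```

Feed it a real ePO export and the current exclusion list: anything in the first result is a threat name to add to the policy, and anything in the second is a host to check for policy enforcement (agent wake-up, policy assignment) rather than a missing exclusion.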
                    • 7. RE: Newly deployed VS is removing program despite policy exclusion
                      This is becoming a pain in the ***. Many more computers are reporting the same event back to ePO. Those computers are having the r_server.exe deleted as an unwanted program, as you can see in my previous post.

                      Can anyone tell me why this is happening? I included RemAdm-RemoteAdmin in the exclusions field of the Unwanted Programs Policies and still they get deleted.
                      To me it looks as if the program is deleted before the policy is pushed out to the client. If I made the right exclusion, that's the only explanation I can think of.
                      • 8. RE: Newly deployed VS is removing program despite policy exclusion
                        I've looked into Installation Designer but was unable to find the option to include exclusions in the package.
                        • 9. RE: Newly deployed VS is removing program despite policy exclusion
                          tonyb99
                          The MID 8.7 product guide, page 14, has the unwanted programs section for the Installation Designer. Download it from the documentation link in My Products, where you got MID 8.7 from in the first place.