15 Replies Latest reply on Sep 8, 2010 11:14 AM by rmetzger

    Scan Processes on Enable

    Tristan

      I've just been reading the email from McAfee President & CEO Dave Dewalt about the 5958 false positive issue.

      <Quote>

      McAfee is aware that a number of customers have incurred a false positive error due to this release. Corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.

      </Quote>

      Luckily we left 'Scan Processes on Enable' in EPO at the default setting of OFF and therefore weren't affected.

      Reading through other posts on the forums, it seems this option could potentially be causing other issues such as high CPU usage during DAT updates etc.

      Ignoring everything that's been going on the past few days.....

      Should we enable this option, or is it just a 'Maximum protection' setting and it's safe to have it disabled?

        • 1. Re: Scan Processes on Enable
          twenden

          We have it turned off in our environment also. Have had no issues with it turned off. In fact, I am glad we did that since we managed to avoid the headaches from yesterday.

          In our environment, we usually take the defaults as we have been burned before by making changes.

          • 2. Re: Scan Processes on Enable
            akl71

            We have also turned off this option (and no problems)

            • 3. Re: Scan Processes on Enable
              mikegrills

              I had this setting disabled and we still had a hiccup yesterday. When the weekly scheduled system scans started, all machines (XP SP3, 8.7i) threw the DCOM access error and went into a 30 second shutdown error. All machines reported the false positive. When the machines rebooted, they were fine. If I were to initiate a scan on demand, the system would error and shut down again. So while it didn't wreak the havoc on my company as it did on others, the statement about having that setting off is not true. There were still issues.

              • 4. Re: Scan Processes on Enable
                rmetzger

                Tristan wrote:

                I've just been reading the email from McAfee President & CEO Dave Dewalt about the 5958 false positive issue.

                <Quote>

                McAfee is aware that a number of customers have incurred a false positive error due to this release. Corporations who kept a feature called “Scan Processes on Enable” in McAfee VirusScan Enterprise disabled, as it is by default, were not affected.

                </Quote>

                Luckily we left 'Scan Processes on Enable' in EPO at the default setting of OFF and therefore weren't affected.

                Reading through other posts on the forums, it seems this option could potentially be causing other issues such as high CPU usage during DAT updates etc.

                Ignoring everything that's been going on the past few days.....

                Should we enable this option, or is it just a 'Maximum protection' setting and it's safe to have it disabled?


                Hi Tristan,

                from VSE_8.7i_Patch 3.pdf:

                2. Issue:

                With the improved functionality of the on-access scanner memory scan, lower and middle ranged systems may see a performance impact at startup and after a successful AutoUpdate of the engine or DATs. Currently the Process on enable option is enabled by default on the shipping version of VirusScan Enterprise 8.7i. McAfee recommends that in a managed environment, disable this option prior to deployment of the Patch, until the impact of memory scanning can be determined for your environment. It is not possible to maintain both the more comprehensive scanning that comes with Patch 1 and later, and the former level of scanning. Therefore, only the more comprehensive scan is used.

                NOTE FOR CURRENT AND NEW USERS:

                  • The Patch installation does not modify current settings to disable the Process on enable option.
                  • The VirusScan 8.7i NAP and extension that are included with the Patch do change the McAfee Default policy, but do not modify the My Default policy, or any custom policy settings that were made prior to the check-in of the new NAP/extension.
                  • The VirusScan Enterprise 8.7i Repost with Patch now installs with the Process on enable option disabled, unless the Maximum Security option is selected during the installation.

                • As I read this, from a default fresh installed system with Patch 1 or greater (reposted), ScanProcessesOnEnable is off.
                • On a system that is upgraded to Patch 1 or higher from the original version, ScanProcessesOnEnable is left alone, with whatever setting was there originally.
                • ePO Default policies are not changed from previous settings when checking in the new patch (v1 or greater).
                • If the Maximum Security option is selected during installation (not the default), ScanProcessesOnEnable is turned ON regardless of the patch version.

                from https://kc.mcafee.com/corporate/index?page=content&id=kb60651 :

                NOTE: After applying Patch 1 or later, McAfee recommends that you disable the option to scan processes on enable unless you require the Maximum Protection configuration for Access Protection in your environment. This setting is intended for environments where security is more important than performance. Process scanning is resource intensive and can negatively affect system performance.

                So, according to these documents, ScanProcessesOnEnable (the Process On Enable option) should be disabled as your default setting unless Maximum Protection is of paramount importance.

                Hope this clarifies the setting.

                Ron Metzger

                Message was edited by: rmetzger (visual formatting) on 4/22/10 11:00:59 AM GMT-05:00

                Message was edited by: rmetzger on 4/22/10 11:02:15 AM GMT-05:00
                • 5. Re: Scan Processes on Enable
                  rmetzger

                  mikegrills wrote:

                  I had this setting disabled and we still had a hiccup yesterday. When the weekly scheduled system scans started, all machines (XP SP3, 8.7i) threw the DCOM access error and went into a 30 second shutdown error. All machines reported the false positive. When the machines rebooted, they were fine. If I were to initiate a scan on demand, the system would error and shut down again. So while it didn't wreak the havoc on my company as it did on others, the statement about having that setting off is not true. There were still issues.

                  Interesting Mike,

                  Could you tell us whether SvcHost.exe has been 'damaged' on these systems?

                  Could you run the SuperDAT remediation Tool listed here: http://vil.nai.com/vil/5958_false.htm

                  This might fix the On Demand Scan issues. Let us know if it helps.

                  Ron Metzger

                  • 6. Re: Scan Processes on Enable
                    Tac

                    Is the Scan Process on Enable a feature of 8.7i?

                    I do not seem to find it in version 8.5i.

                    Thanks.

                    • 7. Re: Scan Processes on Enable
                      mikegrills

                      Ron,

                      The svchost.exe was not damaged at all as access was denied.

                      Partial Entry from EPO4.5

                      Threat Target File Path:C:\WINDOWS\system32\svchost.exe
                      Event Category:Malware detected
                      Event ID:1292
                      Threat Severity:Critical
                      Threat Name:W32/Wecorl.a
                      Threat Type:Virus
                      Action Taken:None
                      Threat Handled:false
                      Analyzer Detection Method:(managed) Weekly Workstation  Scan
                      Threat Event Descriptions
                      Event Description:file infected. Undetermined clean error, OAS  denied access and continued

                      I was able to roll back DATs and disabled tasks until the newer DAT was released. I have the newest DAT and I don't seem to have an issue with scanning with my test computer. If I find that on the next scan for the workstations on the network, I will use the remediation tool.

                      • 8. Re: Scan Processes on Enable
                        rmetzger

                        mikegrills wrote:

                        Ron,

                        The svchost.exe was not damaged at all as access was denied.

                        Partial Entry from EPO4.5

                        Threat Target File Path:C:\WINDOWS\system32\svchost.exe
                        Event Category:Malware detected
                        Event ID:1292
                        Threat Severity:Critical
                        Threat Name:W32/Wecorl.a
                        Threat Type:Virus
                        Action Taken:None
                        Threat Handled:false
                        Analyzer Detection Method:(managed) Weekly Workstation  Scan
                        Threat Event Descriptions
                        Event Description:file infected. Undetermined clean error, OAS  denied access and continued

                        I was able to roll back DATs and disabled tasks until the newer DAT was released. I have the newest DAT and I don't seem to have an issue with scanning with my test computer. If I find that on the next scan for the workstations on the network, I will use the remediation tool.

                        Kind of makes sense. If the 5958 DAT was in place, it stopped Svchost.exe from being allowed to execute, though since you had 'Scan Process On Enable' = Off, the file was left alone. So, SvcHost.exe was rendered mute and any process that needed it would not run. However, it was left untouched as far as the binary file is concerned (and not quarantined). Updating to a later DAT via the ExtraDAT or 5959 (or later) would have released the false detection and allowed SvcHost.exe to execute as normal.

                        The remediation tool would retrieve the proper version of SvcHost.exe and copy it back to %SystemRoot%\System32 where it belongs. Since SvcHost.exe is already the correct version, the tool probably is not needed.

                        Thanks for the reply.

                        Ron Metzger
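The ePO entry Mike pasted in reply 7, and Ron's reading of it in reply 8 (Action Taken: None, Threat Handled: false, "OAS denied access and continued", so the binary was blocked but left intact), is the signature an administrator wants to pull out of a threat-event export quickly when a DAT release looks bad. The script below is an added example, not McAfee or ePO code: it parses the "Key:Value" text format shown in the thread, separates detections on core Windows binaries that were merely blocked from ones where the file was removed (which would need the remediation tool), and counts verdicts across many events. The list of core binaries, the action words and the two extra sample events are constructed for the example.

```python
"""Triage helper for ePO-style threat-event text (added example, not McAfee code)."""
import re
from collections import Counter

# One "Key:Value" per line; the value may itself contain colons (drive letters).
_FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

# Constructed list: core Windows binaries whose detection during a DAT
# rollout usually points at a false positive rather than real malware.
CORE_SYSTEM_BINARIES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\explorer.exe",
}

# Action values (assumed wording) meaning the file on disk was altered or removed.
DESTRUCTIVE_ACTIONS = {"deleted", "quarantined", "cleaned", "moved"}


def parse_event(text):
    """Parse 'Key:Value' lines into a dict; lines without a colon are section headers."""
    fields = {}
    for raw in text.strip().splitlines():
        m = _FIELD_RE.match(raw.strip())
        if not m:
            continue  # e.g. the "Threat Event Descriptions" header line
        key = m.group(1).strip()
        value = re.sub(r"\s+", " ", m.group(2)).strip()  # collapse pasted double spaces
        fields[key] = value
    return fields


def triage(fields):
    """Classify one parsed event for a suspected false-positive DAT release."""
    path = fields.get("Threat Target File Path", "").lower()
    action = fields.get("Action Taken", "none").lower()
    handled = fields.get("Threat Handled", "").lower() == "true"
    description = fields.get("Event Description", "").lower()
    reasons = []
    if path in CORE_SYSTEM_BINARIES:
        reasons.append("target is a core Windows binary")
        if action in DESTRUCTIVE_ACTIONS:
            verdict = "system-binary-removed"   # host needs the file restored
        else:
            verdict = "system-binary-blocked"   # file intact, process denied
    else:
        verdict = "ordinary-detection"
    if not handled and action == "none":
        reasons.append("no action taken, threat not handled")
    if "denied access" in description:
        reasons.append("on-access scanner denied access and continued")
    return {"verdict": verdict, "reasons": reasons, "path": path}


def summarize(event_texts):
    """Count verdicts across many exported events to spot a fleet-wide storm."""
    counts = Counter(triage(parse_event(t))["verdict"] for t in event_texts)
    return dict(counts)


# The entry quoted in this thread, whitespace as pasted.
EPO_EVENT_FROM_THREAD = r"""
Threat Target File Path:C:\WINDOWS\system32\svchost.exe
Event Category:Malware detected
Event ID:1292
Threat Severity:Critical
Threat Name:W32/Wecorl.a
Threat Type:Virus
Action Taken:None
Threat Handled:false
Analyzer Detection Method:(managed) Weekly Workstation  Scan
Threat Event Descriptions
Event Description:file infected. Undetermined clean error, OAS  denied access and continued
"""

# Constructed: same detection, but the scanner removed the binary.
CONSTRUCTED_DELETED_EVENT = r"""
Threat Target File Path:C:\WINDOWS\system32\svchost.exe
Threat Name:W32/Wecorl.a
Action Taken:Deleted
Threat Handled:true
Event Description:file infected. Deleted
"""

# Constructed: an ordinary detection on a user file, nothing to do with the DAT issue.
CONSTRUCTED_BENIGN_EVENT = r"""
Threat Target File Path:C:\Users\test\eicar.com
Threat Name:EICAR test file
Action Taken:Deleted
Threat Handled:true
Event Description:file infected. Deleted
"""

SAMPLE_EVENTS = [EPO_EVENT_FROM_THREAD, CONSTRUCTED_DELETED_EVENT, CONSTRUCTED_BENIGN_EVENT]

if __name__ == "__main__":
    for text in SAMPLE_EVENTS:
        print(triage(parse_event(text)))
    print(summarize(SAMPLE_EVENTS))
```

Run against a real export, the "system-binary-removed" count tells you how many hosts need svchost.exe put back, while "system-binary-blocked" hosts should recover once a corrected DAT is applied, which is the distinction Ron draws above.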

                        • 9. Re: Scan Processes on Enable
                          akl71

                          Tac wrote:

                          Is the Scan Process on Enable a feature of 8.7i?

                          I do not seem to find it in version 8.5i.

                          Thanks.

                          Yes, it is a feature of 8.7.
