2 Replies Latest reply on Jan 18, 2011 3:38 PM by wwarren

    Problems with On Demand Scan and encrypted files.

    pwilson316

      Hello,

       

      I am running ePO 4.5 with VirusScan Enterprise 8.7i Patch 4 and have set up an On Demand Scan Client Task.  It runs every night at 2AM.  I am seeing some issues with some systems where the scan runs for a very long time and causes performance issues.  When I look at the log file OnDemandScanLog.txt for the systems I often see an issue with encrypted files like this:

       

       

      1/18/2011 2:01:21 AM  Engine version                          = 5400.1158
      1/18/2011 2:01:21 AM  AntiVirus   DAT version                 = 6229.0
      1/18/2011 2:01:21 AM  Number of detection signatures in EXTRA.DAT = None
      1/18/2011 2:01:21 AM  Names of detection signatures in EXTRA.DAT  = None
      1/18/2011 2:01:02 AM Scan Started SYSTEM01\mcafee (managed) PMW - On Demand Scan
      1/18/2011 2:46:52 AM Not scanned (The file is encrypted)  c:\WINDOWS\$Reconfig$\undolog.dat

       

      And there it sits.  It is now 11:23AM local time and this scan has hung here for nearly 9 hours.  Any thoughts as to what might be going wrong?

       

      On other systems I have seen it hang on the Not scanned (The file is encrypted) message for many hours, but it does continue eventually.

       

      Any wisdom would be appreciated.

       

      Thanks,

      Patrick

        • 1. Re: Problems with On Demand Scan and encrypted files.
          pwilson316

          Here is an example of another instance where the scan stalled on an encrypted file.

           

          1/18/2011 8:28:46 AM  Engine version                          = 5400.1158
          1/18/2011 8:28:46 AM  AntiVirus   DAT version                 = 6229.0
          1/18/2011 8:28:46 AM  Number of detection signatures in EXTRA.DAT = None
          1/18/2011 8:28:46 AM  Names of detection signatures in EXTRA.DAT  = None
          1/18/2011 8:28:37 AM Scan Started MPEKELNICKY-LPT\mcafee (managed) PMW - On Demand Scan
          1/18/2011 8:29:49 AM Deleted  mcafee ODS((managed) PMW - On Demand Scan) c:\users\mpekelnicky\appdata\roaming\microsoft\windows\cookies\mpekelnicky@atdm t.combing[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
          1/18/2011 8:29:49 AM Deleted  mcafee ODS((managed) PMW - On Demand Scan) c:\users\mpekelnicky\appdata\roaming\microsoft\windows\cookies\mpekelnicky@atdm t.combing[2].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
          1/18/2011 8:29:49 AM Deleted  mcafee ODS((managed) PMW - On Demand Scan) c:\users\mpekelnicky\appdata\roaming\microsoft\windows\cookies\mpekelnicky@atdm t[4].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
          1/18/2011 8:29:49 AM Deleted  mcafee ODS((managed) PMW - On Demand Scan) c:\users\mpekelnicky\appdata\roaming\microsoft\windows\cookies\mpekelnicky@atdm t[4].txt\00000000.ie Cookie-Atdmt (Potentially Unwanted Program)
          1/18/2011 10:46:10 AM Not scanned (The file is encrypted)  c:\Program Files (x86)\DevExpress 2009.2\DXperienceUniversal-9.2.4.exe
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Scan Summary
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Processes scanned    : 77
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Processes detected   : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Processes cleaned    : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Boot sectors scanned : 1
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Boot sectors detected: 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Boot sectors cleaned : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Files scanned        : 272694
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Files with detections: 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee File detections      : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Files cleaned        : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Files deleted        : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Files not scanned    : 280
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Scan Summary (Registry Scanning)
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Keys scanned         : 311822
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Keys detected        : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Keys cleaned         : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Keys deleted         : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Scan Summary (Cookie Scanning)
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Cookies scanned      : 2116
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Cookies detected     : 4
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Cookies cleaned      : 0
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Cookies deleted      : 4
          1/18/2011 12:19:08 PM Scan Summary MPEKELNICKY-LPT\mcafee Run time             : 3:50:31
          1/18/2011 12:19:08 PM Scan Complete MPEKELNICKY-LPT\mcafee (managed) PMW - On Demand Scan

          • 2. Re: Problems with On Demand Scan and encrypted files.
            wwarren

            You mentioned if the scan is left alone it eventually completes.

            Important to note then, is that the on-demand scanner does not have a "scan timeout" feature - it will purposefully run until that scan is complete.

             

            So the first impression from your posting is that you have a file or files that are terribly difficult to scan.

            If you want to identify those files, you could use Process Monitor to observe the scan. At a point where the scan appears to be stuck, see what the last file was as recorded by Process Monitor.

             

            Resolutions may be obvious once the file is identified. It may require excluding, or avoiding the scan of archives, or relocating the file and breaking up the scan task into multiple scan tasks so that the troublesome file(s) can be scanned separately.

            Another possible outcome is to submit the file in an escalation to McAfee Labs and Support, to see if there's something we can do on our end related to content that might enable faster scan times.
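
Added example (not part of the original thread and not McAfee code): a small parser for the OnDemandScanLog.txt layout quoted above that reports long silent gaps between log entries, which narrows down where a scan stalled before reaching for Process Monitor. The sample log, the 30-minute threshold and the names `find_stalls` and `parse_events` are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the OnDemandScanLog.txt layout quoted in the thread;
# the host name, task name and paths are made up for this example.
SAMPLE_LOG = r"""1/18/2011 8:28:46 AM  Engine version                          = 5400.1158
1/18/2011 8:28:37 AM Scan Started SAMPLE-PC\mcafee (managed) Nightly - On Demand Scan
1/18/2011 8:29:49 AM Deleted  mcafee ODS((managed) Nightly - On Demand Scan) c:\users\sample\cookies\sample[1].txt Cookie-Sample (Potentially Unwanted Program)
1/18/2011 10:46:10 AM Not scanned (The file is encrypted)  c:\Program Files (x86)\Sample\setup.exe
1/18/2011 12:19:08 PM Scan Summary SAMPLE-PC\mcafee Run time             : 3:50:31
1/18/2011 12:19:08 PM Scan Complete SAMPLE-PC\mcafee (managed) Nightly - On Demand Scan
"""

LINE_RE = re.compile(
    r"^\s*(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(.*\S)\s*$")
STILL_RUNNING = "<no further entries>"

def parse_events(text):
    """Return (timestamp, message) pairs in time order.

    The header lines (Engine version, DAT version) carry a later timestamp
    than "Scan Started" yet appear first in the file, so sort before diffing.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            events.append((ts, m.group(2)))
    return sorted(events, key=lambda e: e[0])  # stable for equal timestamps

def find_stalls(text, threshold=timedelta(minutes=30), now=None):
    """Return (gap, entry_before, entry_after) for each gap >= threshold."""
    events = parse_events(text)
    stalls = [(t1 - t0, m0, m1)
              for (t0, m0), (t1, m1) in zip(events, events[1:])
              # idle time between one night's scan and the next is not a stall
              if t1 - t0 >= threshold and not m0.startswith("Scan Complete")]
    # A scan that never logged "Scan Complete" may still be stuck right now.
    if events and now is not None \
            and not events[-1][1].startswith("Scan Complete"):
        idle = now - events[-1][0]
        if idle >= threshold:
            stalls.append((idle, events[-1][1], STILL_RUNNING))
    return stalls

if __name__ == "__main__":
    for gap, before, after in find_stalls(SAMPLE_LOG):
        print(f"{gap} silent\n  after : {before[:70]}\n  until : {after[:70]}")
```

The log records only notable events, not every file scanned, so a gap bounds the time window in which the scanner was busy rather than naming the slow file; Process Monitor, as suggested in the reply, is what identifies the file inside that window.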