4 Replies Latest reply on Mar 22, 2011 4:24 AM by Attila Polinger

    McAfee Caused Exchange Mail Store Unmount?

      Hi all,

       

      Hope someone can help me here. I already set up an ePO server for my PC and set up all policies for local users. I also already set the On Demand Scan policy for VirusScan and set the exclusion folder/drive for that policy. However, unfortunately, McAfee is not running according to the policy. McAfee keeps scanning the exclusion folder. Supposedly, McAfee should avoid scanning the exclusion folders, and this has caused the office server to go down. Please refer below for the Event Properties description:

       

      "The file \Device\HarddiskVolume11\EXTL2\MDBDATA\E01.log\E01.log\image4.jpeg contains the Exploit-QtPICT Trojan. Undetermined clean error,OAS denied access and contiued. Detected using Scan engine version 8400.1158 DAT version 6288.0000"

       

      Hopefully someone can explain and guide me on this. Any suggestions on what to do/where to go?

        • 1. Re: McAfee Caused Exchange Mail Store Unmount?
          akill

          Did you configure the VSE Exchange Exclusions???

          • 2. Re: McAfee Caused Exchange Mail Store Unmount?
            Attila Polinger

            Hello,

             

            I reckon it must be the different path that causes VirusScan to not match the exclusion against the file path it receives from the operating system. Your exclusion could be something like \Exchsrv\(something)\*.* and this is not matching against \Device\Harddisk\etc.

             

            Try using a more general relative exclusion like **\folder1\folder2\file, or exclude based on filename pattern or type (*.log, for example) so it does not contain any absolute path. I recommend you review KB54812 in this respect, and also the exclusions master article https://kc.mcafee.com/corporate/index?page=content&id=KB66909&actp=search&viewlocale=en_US&searchid=1300724040418

             

            For Exchange exclusions please review: https://kc.mcafee.com/corporate/index?page=content&id=KB51471&actp=search&viewlocale=en_US&searchid=1300724040418

             

            Attila

            • 3. Re: McAfee Caused Exchange Mail Store Unmount?

              Hi Attila,

               

              I actually put the exclusion for my L: drive, and \Device\Harddisk\etc is actually one of my folders within the L drive. What is surprising is that VSE is still scanning within my L drive. I already checked the log file in %VSEDEFLOGDIR%, however I couldn't find any proof that states scanning was performed. However, VirusScan shows events for scanning files within the L drive.

               

              Very, very strange. Please advise me on this.

              • 4. Re: McAfee Caused Exchange Mail Store Unmount?
                Attila Polinger

                Hi Patu,

                 

                There is VirusScan Profiler 1.1 to see which files are most scanned. It enables making statistics on the top X files scanned. However, I'm not sure how big a value you can enter in the filtering field to see deep enough, and thus you may not see whether the particular file you are interested in is being scanned or not. Nevertheless, you can download it from the McAfee portal; it may come in handy later on.

                 

                A quick and dirty way of making VirusScan log all files that it scans is by making this registry change:

                 

                 

                VSE8.5/8.7 - HKLM\SOFTWARE\McAfee\VSCore\VerboseLogging

                 

                 

                Create values

                bLogToFile : REG_DWORD : 0 = off, 1 =on

                szLogFileName : REG_SZ : filename

                bLimitSize : REG_DWORD : 0 = no size limit, 1 = file size is limited

                dwMaxLogSizeMB : REG_DWORD : max file size in megabytes

                LogFileFormat : REG_DWORD : 0 = ANSI, 1=UTF8, 2=UTF16.

                 

                 

                Stop/Restart the McShield service to apply the changes.

                 

                 

                When you experience the issue, open the OnAccessScanLog.txt file and see if the files that you wanted to exclude were actually being scanned (with their actual path, which may or may not match the path used in your exclusion).

                 

                 

                Revert the registry changes back to where they were previously once you are ready with testing.

                 

                 

                Attila

                 

                Message was edited by: apoling on 22/03/11 10:24:07 CET
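
Added example, not part of the thread and not McAfee code: a simplified Python model of the path mismatch suggested in reply 2, checking a drive-letter exclusion and relative `**` exclusions against the device-form path from the event in the original post. The wildcard semantics (`**` spans backslashes, `*` and `?` stay within one path component, a trailing `\` covers subfolders) and the drive-letter sample path are assumptions made for the illustration.

```python
import re

# Path exactly as reported in the event quoted in the original post.
EVENT_PATH = r"\Device\HarddiskVolume11\EXTL2\MDBDATA\E01.log\E01.log\image4.jpeg"
# Constructed drive-letter form of a file in the same folder (assumed mapping to L:).
DRIVE_PATH = r"L:\EXTL2\MDBDATA\E01.log"

def exclusion_to_regex(pattern):
    """Translate a wildcard exclusion into a regex (assumed semantics, not the product's matcher)."""
    parts, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # assumed: ** may cross backslashes
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")     # assumed: * stays inside one path component
            i += 1
        elif pattern[i] == "?":
            parts.append(r"[^\\]")      # assumed: ? is one non-backslash character
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    if pattern.endswith("\\"):
        parts.append(".*")              # assumed: folder exclusion includes subfolders
    return re.compile("".join(parts), re.IGNORECASE)

def is_excluded(path, pattern):
    """True when the whole path matches the exclusion pattern."""
    return exclusion_to_regex(pattern).fullmatch(path) is not None

def match_table(paths, patterns):
    """Return {(pattern, path): bool} for every combination."""
    return {(pat, p): is_excluded(p, pat) for pat in patterns for p in paths}

if __name__ == "__main__":
    patterns = ["L:\\", "**\\MDBDATA\\*", "**\\MDBDATA\\**"]
    for (pat, path), hit in match_table([DRIVE_PATH, EVENT_PATH], patterns).items():
        print(f"{pat:18} {'excluded' if hit else 'SCANNED ':8} {path}")
```

In this model the `L:\` exclusion covers only the drive-letter form, while `**\MDBDATA\**` covers both forms because it carries no absolute prefix.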