5 Replies Latest reply on Apr 7, 2011 1:27 AM by mauser

    Confirming exclusions

      Hi guys,

       

      I am setting file and folder exclusions through policies in ePO 4.5 for VirusScan Enterprise 8.7.0. To start, I set several exclusions in the My Default policy, which is assigned to all computers in My Organisation.

      When I check which policies are applied to my PC, this policy is listed. But when I open the McAfee client on my PC and check exclusions under On-Access Scanner > All Processes > Exclusions, nothing is listed there and it says Exclude disks, files and folders (0).

      I ran Check New Policies and Enforce Policies, but it did not help.

       

      Does this mean that the policy settings are not applying, and where else can I check if a policy has applied to a specific agent? Is there a way I can test if specified files or folders are not being scanned on a specific PC?

       

      Thanks

       

      Zoran

       

      P.S. sorry for crossposting, I've already posted this message in the business community as I wasn't aware of this one.

        • 1. Re: Confirming exclusions
          Attila Polinger

          Hi Zoran,

           

          From what immediately comes to mind please make sure that:

           

          - the client is visible in the ePO tree with current ASCI time.

          - server.log on the ePO server does not contain trivial errors with regard to this client (search for the client name in it; what do you see?)

          - agent_computername.log on client does not contain visible errors (using deeper log level while retrying might be necessary to exclude this issue, refer to KB58966) during policy enforcement.

           

          Regards:

          Attila

          • 2. Re: Confirming exclusions
            pierce

            The way I test is with the dummy virus file you can create. Create a text document on the machine you wish to test the policy on and add in just the text, in caps, of 'ZQZXJVBVT'. McAfee will treat this as a virus signature called 'test' and flag it as such.

            So if it picks it up on your desktop, you did it right. Then go to the excluded folder and try again. If it picks it up, your exclusion is not configured/set up properly (two stars at the beginning, right?), and if it ignores it, you're good to go.

             

            thanks,

            Pierce

            • 3. Re: Confirming exclusions

              Hi Attila and thanks for your help.

               

              The client is visible in ePO. I go to System Tree > the client's OU folder > click on the Systems tab > find the client and put a check mark in its check box > click on Actions > Directory Management > View Effective Policy (by user), then I choose the product "VirusScan Enterprise 8.7.0" and it shows the policy with configured exclusions next to the category On-Access Default Processes Policies.

              I am not sure what you are referring to with "ASCI time", but there is yesterday's date and time under the column "Last Communication".

              I checked server.log on the server and searched for the words "error" and "fail", but did not find anything. Then I searched for my PC name and found one line:

               

              20110407090111               I               #4008    NAIMSRV            Received[Event] from %computername%:{6E81BEFE-A23A-49A3-84B4-A03CB6CE119A}

               

              I searched the agent_computername.log for "error" and found these 2 errors being logged every 30 minutes, which is the configured client/server communication interval.

               

              2011-04-06 09:43:09    E    #2392    Sched    Failed to add the task: error code= 0x80000016
              2011-04-06 09:43:09    E    #2392    Sched    Failed to update the task 40 of EPOAGENT3000 at enforcement (Error: 0x80000016)

               

              Also found these, which look okay:

               

              2011-04-06 09:43:09    i    #2392    Manage    Enforcing Policies for EPOAGENT3000META
              2011-04-06 09:43:09    i    #2392    Manage    Enforcing Policies for EPOAGENT3000
              2011-04-06 09:43:09    i    #2392    Manage    Enforcing Policies for McAfee Agent
              2011-04-06 09:43:09    I    #2392    Agent    CePOAgent::EnforcePolicy priority=-2
              2011-04-06 09:43:09    I    #2392    Agent    Enforcing policies
              2011-04-06 09:43:09    I    #2392    LstnSvr    Enforcing Policies
              2011-04-06 09:43:09    I    #2392    Logging    Enforcing policies
              2011-04-06 09:43:09    I    #2392    Manage    Enforcing policies
              2011-04-06 09:43:09    I    #2392    UsrSpCt    Enforcing policies

               

               

              I then checked agent_computername_error.log and found these being logged every 30 minutes:

               

              2011-04-06 15:44:01    E    #2392    Sched    <<--CSchedule::ModifyTask hr=0x8000001b : Task is not found
              2011-04-06 15:44:01    E    #2392    Sched    Failed to add the task: error code= 0x80000016
              2011-04-06 15:44:01    E    #2392    Sched    <<--CSchedule::AddTask hr=0x80000016 : Platform is not matched
              2011-04-06 15:44:01    E    #2392    Sched    <<--CSchedule::UpdateOneTask hr=0x80000016 : Platform is not matched
              2011-04-06 15:44:01    E    #2392    Sched    Failed to update the task 40 of EPOAGENT3000 at enforcement (Error: 0x80000016)

               

               

              I think it's time to log a call with McAfee support guys...

               

              Thanks

               

              Zoran
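
An added example, not part of the original posts: a Python script that groups the error lines of an agent_computername.log by component and error code and measures how far apart the repeats are, so a pattern like the 30-minute one described above can be compared with the configured communication interval. The sample is built from the error lines quoted in the post with constructed timestamps; the function and variable names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout as quoted in the post: timestamp, level, #thread, component, message.
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\w)\s+#(\d+)\s+(\S+)\s+(.*)$")
CODE = re.compile(r"0x[0-9a-fA-F]{8}")

# Constructed sample: error messages copied from the post, timestamps made up
# so that the same errors appear in three enforcement cycles 30 minutes apart.
_ERRS = [
    "E    #2392    Sched    <<--CSchedule::ModifyTask hr=0x8000001b : Task is not found",
    "E    #2392    Sched    Failed to add the task: error code= 0x80000016",
    "E    #2392    Sched    Failed to update the task 40 of EPOAGENT3000 at enforcement (Error: 0x80000016)",
]
SAMPLE = "\n".join(f"2011-04-06 {t}:09    {e}" for t in ("09:43", "10:13", "10:43") for e in _ERRS)
SAMPLE += "\n2011-04-06 10:43:09    i    #2392    Manage    Enforcing Policies for EPOAGENT3000"


def parse(text):
    """Yield (timestamp, level, component, message) for every well-formed line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, level, _thread, comp, msg = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), level, comp, msg


def recurring_errors(text):
    """Group E-level lines by (component, error code) and report repeat spacing."""
    seen = defaultdict(list)
    for ts, level, comp, msg in parse(text):
        if level != "E":
            continue
        code = CODE.search(msg)
        seen[(comp, code.group(0).lower() if code else None)].append(ts)
    report = {}
    for key, stamps in seen.items():
        cycles = sorted(set(stamps))  # several lines can share one enforcement cycle
        gaps = {(b - a).total_seconds() / 60 for a, b in zip(cycles, cycles[1:])}
        report[key] = {"lines": len(stamps), "cycles": len(cycles), "gap_minutes": sorted(gaps)}
    return report


if __name__ == "__main__":
    for (comp, code), info in recurring_errors(SAMPLE).items():
        print(comp, code, info)
```

A single gap value equal to the agent-server communication interval means the error is raised on every policy enforcement rather than by a one-off event.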

               

              • 4. Re: Confirming exclusions

                Hi Pierce,

                 

                Thank you for your help. I found the Eicar test file, but your option is more elegant.

                 

                Thanks

                 

                Zoran

                • 5. Re: Confirming exclusions

                  Hi guys,

                   

                  I opened a call with the McAfee guys and the issue was resolved in several minutes. The engineer walked me through the download and installation of the latest patch:

                   

                  Name: VirusScan Enterprise 8.7

                  Version: 8.7.0.195

                   

                  Name: VirusScan Enterprise Reports

                  Version: 1.1.0.154

                   

                  and that was it. It works now.

                   

                  Thanks everyone.

                   

                  Zoran