2 Replies Latest reply on Jul 19, 2011 9:11 AM by johnferrell

    Correct syntax to exclude a Mount Point

      I'm running VSE 8.7i patch 4 on all of my servers each with identical On-Access Scan exclusion lists including:

      D:\   with subfolders=yes

      **\itv\ with subfolders=yes

       

      Recently, I started getting the following on several of the servers:

      Event Type:    Error

      Event Source:    McLogEvent

      Event Category:    None

      Event ID:    5051

      Date:        7/14/2011

      Time:        4:38:05 AM

      User:        NT AUTHORITY\SYSTEM

      Computer:    ICCPLANCETF2

      Description:

      A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.

      The process will be terminated. Thread id : 7096 (0x1bb8)

      Thread address : 0x7C8285EC

      Thread message :

       

      Build VSCORE.14.1.0.567 / 5400.1158

      Object being scanned = \Device\HarddiskVolume3\itv\work\disc0001306.vvx

      by System:Remote

      17018(625)(0)

      17017(0)(1)

      7007(0)(0)

      5006(0)(0)

      5004(0)(0)

      5003(0)(0)

      5002(0)(1)

      15002(0)(0)

       

       

       

      Even though I don't have an exclusion for a mount point, I would have thought the second exclusion listed above would handle it.  It doesn't apparently.  In addition, the error sometimes points to simply \Device\HarddiskVolume3\ so I need to add an exclusion for the mount point specifically.  I searched for how to exclude mount points and found the following: https://kc.mcafee.com/corporate/index?page=content&id=KB54457 with several examples but they don't seem to work.  I tried adding the following exclusion:  \Device\HarddiskVolume* with subfolders=yes.  This didn't help.  I still continue to get the errors in the event log.  What is the correct syntax?  I want to exclude scanning of any files accessed from any mount point.

       

      Another question regarding this error:  It says the object being scanned is by System:Remote.  What does that mean?

       

      Other times, the object being scanned is

      Object being scanned = \Device\HarddiskVolume3\

      by C:\WINDOWS\Explorer.EXE

       

      or

      Object being scanned = \Device\HarddiskVolume3\

      by C:\WINDOWS\System32\snmp.exe


      Why would Explorer or SNMP, or other processes be causing McAfee to fire up OAS?   I've seen no other references to error 5051 that mention anything other than McAfee accessing the files.

        • 1. Re: Correct syntax to exclude a Mount Point
          joeleisenlipz

          Just glancing at your post, it looks like your syntax is correct. I have followed the same KB article for mount points used by Exchange and SQL servers, and I can confirm that did work.

           

          System:Remote implies that it's the kernel accessing the file for some process on another box (or rarely itself, but through a share).

          One thing that might help...

          I noticed the one filename you gave was VVX. That's not in the normal extension list, so I am assuming you have the OAS policies set to scan all files.

          • 2. Re: Correct syntax to exclude a Mount Point

            I wasn't sure which example you were referring to but I found my earlier statement that \Device\HarddiskVolume* and subfolders = yes didn't work to be untrue.  In further review, I found the setting had been removed, my guess by the EPO server.  After setting it once more, and making sure it was still set later, I've not had a reoccurrence of the problem on any servers.

             

            As for your query about the file extension VVX, OAS is set to scan all files except those in the exclusion list.  I could exclude that one but there are several more, and some files with no extensions at all.  In addition, some of the errors were simply for \Device\HarddiskVolume3\ and no file as indicated in the original post.  So I need to exclude the disk or folder rather than the files within. 

             

            Thanks for your help.
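
To check whether an exclusion has taken effect and stayed in place, as the last reply describes, the 5051 descriptions can be tallied by volume and by requesting process. This is an added example, not part of the original thread: it assumes the event descriptions were exported as plain text in the layout quoted in the first post, the sample text is constructed from the lines quoted there, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: three 5051 records built from the lines quoted in the thread.
SAMPLE = r"""
A thread in process C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe took longer than 90000 ms to complete a request.
Object being scanned = \Device\HarddiskVolume3\itv\work\disc0001306.vvx
by System:Remote

Object being scanned = \Device\HarddiskVolume3\

by C:\WINDOWS\Explorer.EXE
Object being scanned = \Device\HarddiskVolume3\
by C:\WINDOWS\System32\snmp.exe
"""

# "Object being scanned = <path>" followed (possibly after blank lines) by "by <requester>".
OBJ_RE = re.compile(
    r"Object being scanned\s*=\s*(?P<obj>.+?)\s*\n\s*by\s+(?P<by>.+?)\s*$", re.M)
# NT device prefix used in the event text instead of a drive letter or mount path.
VOL_RE = re.compile(r"^\\Device\\HarddiskVolume\d+", re.I)

def parse_timeouts(text):
    """Return one dict per 'Object being scanned' record found in text."""
    records = []
    for m in OBJ_RE.finditer(text):
        obj, by = m.group("obj"), m.group("by")
        vol = VOL_RE.match(obj)
        rest = obj[vol.end():] if vol else obj
        records.append({
            "object": obj,
            "requested_by": by,
            "volume": vol.group(0) if vol else None,
            # True when the event names only the volume root and no file.
            "root_only": bool(vol) and rest.strip("\\") == "",
        })
    return records

def summarize(records):
    """Count records per volume and per requesting process."""
    return (Counter(r["volume"] for r in records),
            Counter(r["requested_by"] for r in records))

if __name__ == "__main__":
    by_volume, by_requester = summarize(parse_timeouts(SAMPLE))
    for name, count in by_volume.most_common():
        print(f"{count:3d}  volume     {name}")
    for name, count in by_requester.most_common():
        print(f"{count:3d}  requester  {name}")
```

Running it over exports taken before and after the exclusion is set shows whether any volume still appears in new events.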