5 Replies Latest reply on Aug 19, 2011 12:42 PM by Guest88

    Questions regarding scan-mechanism / network-scan / verbose logging

    Parachute

      Hello community,

       

      how does the network-scan exactly work in a network-environment?

      I assumed, e.g., that if a client writes an infected file to a network share, the server (with VSE 8.8 installed) does not catch the virus, because the write process is initiated by the client ...

      so network-scan should be enabled.

       

      I also assumed that the read/write scan enabled on the server just catches the malware which is read/written by the server itself.

      My tests

       

      If I'm wrong - when should I use the enabled network-scan?

      May the VSE 8.8 on the server recognize malware which is written by a client to a share on the server with "only" read/write scan enabled by the server?

       

       

      May anyone also tell me if there is now a way to activate verbose logging in VSE 8.8, or is it still not implemented?

       

       

      Regards

      Daniel

        • 1. Re: Questions regarding scan-mechanism / network-scan / verbose logging
          Guest88

          Hi Daniel

           

          VSE checks every read/write (based on policy) file access on local drives, no matter the originator - local process or remote user.

          If you enable network scan in VSE, the scan engine will also scan files accessed by your computer over the network - for example when you try to launch a program from a mapped drive or open an Excel document from a share.

          About verbose logging - I don't know a way to make the logs richer.

           

           

          Alex

          • 2. Re: Questions regarding scan-mechanism / network-scan / verbose logging
            Parachute

            Hello Alex,

             

            thank you for your reply.

            What happens if a computer without antimalware "puts" a file on a network share? Does the VSE on the server (with the share) recognize this write attempt?

             

            BTW: In VSE 8.7 there was a verbose-logging option (registry hack) which worked very well for diagnostic purposes.

             

            Regards

            Daniel

            • 3. Re: Questions regarding scan-mechanism / network-scan / verbose logging
              Guest88

              Yes, all disk I/O activities are controlled by the VSE filter driver, so files are scanned anyway. If you use Low/High risk processes in the policy, you can specify processes to exclude from the scan, but only local processes.

               

              Can you please provide a link to the KB about verbose logging?

               

               

              Alex

              • 4. Re: Questions regarding scan-mechanism / network-scan / verbose logging
                Parachute

                Hi Alex,

                 

                Could you give me some examples where enabling network scan is necessary?

                 

                 

                Concerning your question - I can't give you the KB article, but here are my personal 2 cents for verbose logging - it's amazing:

                (Does not work for 8.8!!! )

                 

                Step 1

                Disable Access Protection.

                 

                Step 2

                “Enable On Access Scan debug” … like this


                 

                [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore]

                New, Key

                Name: VerboseLogging

                 

                New DWORD Value

                Name: bLogToFile

                Value: 1 (where: 0 = Off,  1=On)

                (Info: Log active / inactive)

                 

                New DWORD Value

                Name: bLimitSize

                Value: 1 (where: 0 = Off,  1=On)

                (Info: Limit Log-Size yes / no)

                 

                New DWORD Value

                Name: dwMaxLogSizeMB

                Value: 100 (for 100 MB)

                 

                New DWORD Value

                Name: LogFileFormat

                Value: 0 (where: 0 = ANSI, 1 = UTF8, 2 = UTF16)

                (Info : NOTE: VirusScan Enterprise logs are all UTF8)

                 

                New String Value

                Name: szLogFileName

                Value: C:\Test\loggingOAS.txt (for example)

                Important: the folder must already exist!!! C:\test is to be excluded from scanning.

                 

                 

                Step 3

                Restart the McShield service

                The changes now take effect.

                 

                Step 4

                Collecting output.

                 

                 

                Step 5

                Enable Access Protection.

                 

                 

                Stopping debugging the On-Access Scan component

                Step 1

                  Disable Access Protection. (see Step 1 above).

                Step 2

                  Disable debugging for the VSE OAS component

                  Navigate to the following registry key:

                  [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\VSCore\VerboseLogging]

                  Set bLogToFile to 0

                Step 3 - Enable Access Protection. (see Step 5 above).
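As an added example (not code from the thread or from McAfee), here is a PowerShell script that applies the registry steps above to start or stop OAS verbose logging on VSE 8.7. The key path, value names and defaults are taken from the post; the log file path is the post's example and the service name is the McShield service named in Step 3.

```powershell
# Added example, not from the thread: scripts the VSE 8.7 On-Access Scan verbose
# logging steps from the post above (registry path and value names as given there).
# Access Protection must be disabled in the VSE console before running this and
# re-enabled afterwards; the post gives no command line for that, so it is not scripted.
param(
    [ValidateSet('Enable', 'Disable')] [string]$Mode = 'Enable',
    [string]$LogFile = 'C:\Test\loggingOAS.txt',   # example path from the post
    [int]$MaxLogSizeMB = 100,
    [int]$LogFileFormat = 0                        # 0 = ANSI, 1 = UTF8, 2 = UTF16
)
$ErrorActionPreference = 'Stop'
$key = 'HKLM:\SOFTWARE\McAfee\VSCore\VerboseLogging'

if ($Mode -eq 'Enable') {
    # The post stresses that the log folder must exist before McShield restarts.
    $logDir = Split-Path -Parent $LogFile
    if (-not (Test-Path -LiteralPath $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }
    Write-Warning "Per the post, exclude $logDir from on-access scanning in the VSE console."

    if (-not (Test-Path -LiteralPath $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # DWORD values exactly as listed in Step 2 of the post.
    $dwords = @{
        bLogToFile     = 1
        bLimitSize     = 1
        dwMaxLogSizeMB = $MaxLogSizeMB
        LogFileFormat  = $LogFileFormat
    }
    foreach ($name in $dwords.Keys) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $dwords[$name] -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name szLogFileName -PropertyType String -Value $LogFile -Force | Out-Null
} else {
    # Stopping: the post only sets bLogToFile back to 0 and leaves the other values in place.
    Set-ItemProperty -Path $key -Name bLogToFile -Value 0
}

# Step 3 of the post: the change only takes effect after the McShield service restarts.
Restart-Service -Name McShield

# Read back the key so the applied settings can be verified before collecting output.
Get-ItemProperty -Path $key |
    Select-Object bLogToFile, bLimitSize, dwMaxLogSizeMB, LogFileFormat, szLogFileName
```

Run it from an elevated PowerShell prompt; after `-Mode Disable`, the log file named in szLogFileName is left in place for collection.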

                • 5. Re: Questions regarding scan-mechanism / network-scan / verbose logging
                  Guest88

                  Hello Daniel

                   

                  All files executed by login script.

                  In many environments, login script run files are located in the Netlogon share. By Microsoft, all content of the SYSVOL folder must be excluded from all types of scans. If malware infects a file located in Netlogon, workstations will execute the malicious file by login script and at least infect memory.

                  Another example - working with folders located on NAS. Basically all storage must be configured to work with an AV solution (NetApp with VirusScan for Storage, Celerra with CAVA and VSE). But real life is sometimes different.

                   

                  Thank you for the explanation about verbose logging.

                   

                  Message was edited by: Guest88 on 8/19/11 12:42:22 PM CDT