Since 8.7i sp1 McAfee has changed the default under General Settings for On-Access Scanner to not enable scanning for 'Processes on enable'.
If I understand correctly, this scans processes loaded in memory.
As a replacement they recommend scheduling multiple daily memory scans and setting Access Protection to 'Prevent McAfee services from being stopped'. Also, they have recommended going back to full Read/Write scanning on all files.
This is a performance related change and up until now I have avoided changing it but am now noticing significant performance loss when enabled.
So, what do I lose with it turned off?
Any files already on the disk or being added to disk are already scanned so one would think that they are cleaned before reading into memory BUT there are times when memory can be loaded without going to disk first - while there are many versions, the fake AV viruses come to mind. They end up writing a file at some point but may have already spawned a process that is damaging a system. Scheduled scans would of course be after the system has already been partly infected.
This is where the 'Prevent McAfee services from being stopped' comes to the rescue. If something gets loaded into memory from a running process that tries to kill McAfee it (hopefully) fails and will eventually be caught by the still running scanner or scheduled memory scan.
For the most part I can see this as acceptable but we aren't a big shop with a full featured application management engine or for that matter a big IT staff that would allow us to manage all software installations.
The end result is we have to depend on users to do some of their own installs and patching. Keeping a running list of what to allow in the Access Protection rules would be iffy at best, who knows when the next Java patch will hit or how it installs? Running Access Protection rules that are a little above the default prevents many installs and has saved us from many infections over the years.
This means we would like the end users to be able to disable McAfee when installs are required. Under 8.7i this was quite simple - click the tray icon - quick settings - On-Access Sca.... But under 8.8i this no longer stops Access Protection. Now they have to open the console and remember what the services are that need to be stopped. If I follow the McAfee best practice KB and prevent stopping McAfee then they have to add a couple more steps to shut that off.
Ok, it's not rocket science but good luck getting users to remember more than a couple steps...
Per McAfee best practices:
"No user, administrator, developer, or security professional should ever need to disable VirusScan Enterprise protection on their system."
Really? McAfee will never interfere with an install ever again?
So what is everybody else doing with this?
Am I not understanding something about how this operates? Missing a feature that would make it better?