7 Replies Latest reply on Dec 2, 2011 11:40 AM by sholshu

    On Access Scanning: Hidden system files/folders scanned?

      Hi everyone,

       

      This is my first post to the McAfee Community. I've learned a lot here and it's been helpful having a place to go to when I get stumped.

       

      We're running VSE 8.7 Patch 5 and ePO 4.6. Current DAT: 6545

       

      Recently, a few of our users were hit with a malware program that spread via USB devices. The malware would set the executable's file attributes to hidden and system. When on access scanning is enabled, the file doesn't get detected when these attributes are present on the executable. Once these attributes are removed, on access scanning immediately detects the file as malware. Does McAfee only scan for hidden files but not hidden with a system file attribute?

       

      Thanks,

      Sean

        • 1. Re: On Access Scanning: Hidden system files/folders scanned?
          bakerrl

          VSE will scan all files regardless of whether they are set to hidden, system, or both.  Someone correct me if I am wrong.  That would be a huge security risk if VSE did not scan files set to hidden and system.

           

          First is your VSE policy set to scan all files and not set to default files?

           

          Second are you scanning on both writes and reads?  If you are only scanning on reads then the file will not get detected when it is getting written to the usb device.

           

          How are you detecting the file?  Are you trying to open it?  Are you doing a right-click scan?

           

          VSE does not automatically scan USB devices upon insertion to the machine.  It will only scan a file when it is written to or read from the USB device based on whether you are scanning on writes, scanning on reads, or both.

           

          Message was edited by: bakerrl on 11/30/11 3:41:36 PM EST
          • 2. Re: On Access Scanning: Hidden system files/folders scanned?

            Make sure you don't have protected operating system files excluded anywhere.

            • 3. Re: On Access Scanning: Hidden system files/folders scanned?

              Thanks to bakerrl and ccroff for the responses.

               

              Our VSE policy is set to scan all files and scanning occurs on reads and writes. I have the virus loaded on a USB thumb drive. When I navigate to the location of the malware and run an on demand scan or right-click the malware program and scan for threats, the malware is immediately found. The malware possesses both the hidden and system attributes on its files. On access scanning does not detect the malware unless I remove the hidden and system attributes. As soon as those are removed, on access scanning immediately detects and removes the malware.

               

              What accounts for the difference in detection behavior between on demand scanning and on access scanning?

               

              Thanks,

              Sean

              • 4. Re: On Access Scanning: Hidden system files/folders scanned?
                bakerrl

                In On-Access scanning the file must be touched by the user or another process.  That means the user or process must attempt to open the file to read or the user or process must be attempting to write the file to memory or disk.

                 

                On-Demand or right-click scanning is telling VSE to scan the file for malware.  It is a manual or scheduled operation.

                 

                VSE is working as expected.  The hidden or system attributes have nothing to do with it.

                 

                McShield and Scan32 use the same engine and dat so there is no difference there.

                 

                As I said before, if the file is already on the USB device, VSE (On-Access) will not "automatically" scan it unless you actually try to open it to read.  If you try to open the file by double-clicking on it, VSE should detect it.

                 

                What happens when you double-click on the file with the system and hidden attributes set?  Is it detected?  Of course do this on a machine not connected to your network.  i.e. stand-alone.

                • 5. Re: On Access Scanning: Hidden system files/folders scanned?

                  I understand the concept of the USB drive not being scanned upon being plugged in. The method I'm using to trigger the malware to be detected is to have an infected test PC and plug in a blank USB drive (which infects the drive). I then access the USB thumb drive in Windows Explorer. The thumb drive appears to be blank, but actually contains malware files that are hidden from view. The on access scanner is silent (and I understand that is normal - no reads or writes are occurring here). If I right-click on the USB drive and scan for threats, the malware is detected. When I unhide the hidden system files on the USB thumb drive, on access scanning immediately detects the malware. My question is why does unhiding the system files trigger this response in the on access scanner?

                   

                  Thanks,

                  Sean

                  • 6. Re: On Access Scanning: Hidden system files/folders scanned?
                    bakerrl

                    When you Unhide the system files it touches the file and OAS picks it up.  It is working as expected.

                     

                    My question is if you are inserting a blank USB drive into a machine that is infected with malware then VSE should be detecting the malware BEFORE it even gets to the USB drive.  That file should never get written.

                    • 7. Re: On Access Scanning: Hidden system files/folders scanned?

                      bakerrl wrote:

                       

                      When you Unhide the system files it touches the file and OAS picks it up.  It is working as expected.

                       

                      Excellent, thank you. That's what I was hoping to hear.

                       

                      My question is if you are inserting a blank USB drive into a machine that is infected with malware then VSE should be detecting the malware BEFORE it even gets to the USB drive.  That file should never get written.


                      That is correct, VSE will intercept the write to the USB drive. I disabled OAS while the test PC was infected (so that I could infect the thumb drive), then enabled OAS after the drive was infected. So, under normal circumstances, VSE would've stopped the malware process running in the background and thus no writes to a USB drive would occur.

                       

                      I appreciate everyone's help here.

                       

                      Sean
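The thread's takeaway is that a Hidden+System executable sitting untouched on a removable drive is not seen by the on-access scanner until something opens it. The script below is an added example, not code from any participant or from McAfee: it lists Hidden+System executables on every removable drive and opens each one for a read-only hash, which gives the on-access scanner the same "touch" that unhiding the files did. It assumes Windows PowerShell 3 or later; the extension list is an assumption, not something the thread specifies.

```powershell
# Added example (not from the thread): report Hidden+System executables on
# removable drives and read each one so the on-access scanner gets a
# file-open event. Report-only: nothing is modified, unhidden or deleted.

# Extensions treated as executable content (assumed list, adjust as needed).
$exeExtensions = '.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js'

# DriveType 2 = removable disk in Win32_LogicalDisk.
$removable = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2'

foreach ($disk in $removable) {
    Write-Host "Checking removable drive $($disk.DeviceID)"

    # -Force is required: without it Get-ChildItem silently skips Hidden and
    # System entries, which is exactly how this kind of malware stays out of view.
    Get-ChildItem -Path "$($disk.DeviceID)\" -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Attributes -band [IO.FileAttributes]::Hidden) -and
            ($_.Attributes -band [IO.FileAttributes]::System) -and
            ($exeExtensions -contains $_.Extension.ToLower())
        } |
        ForEach-Object {
            $file = $_
            # Opening the file for read is the access that makes OAS inspect it;
            # if OAS blocks or removes the file, the read fails and we record why.
            $hash = try {
                (Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                "read failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Path       = $file.FullName
                SizeBytes  = $file.Length
                Attributes = $file.Attributes.ToString()
                SHA256     = $hash
            }
        }
}
```

Run it from an elevated prompt on an isolated test machine, as the thread recommends; a "read failed" entry next to a path usually means the on-access scanner acted on the file when it was opened.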