1 2 Previous Next 14 Replies Latest reply on Jul 8, 2009 10:31 AM by richjone

    VirusScan Enterprise 8.5 and Applying Computer Settings

      Hi All,

      I have a PC that takes about 60 seconds longer to start with VirusScan Enterprise 8.5 on-access scanner running at startup than if it isn't enabled. I recognise and accept overhead, but this is excessive.

      I have a HP d530 PC running Windows XP Professional with SP3 in a Windows Server 2003 Enterprise Active Directory domain.

      I have VirusScan Enterprise 8.5 with Patch 7 + AntiSpyware Enterprise 8.5
      scan engine: 5300.2777
      DAT: 5521.0000
      DAT Created On: 9 February 2009

      No extra or superDATs. Mostly default configuration, currently configured to scan on reads and writes, but exclude C: when reading.

      With on-access scan not enabled on startup, boot up is 40 seconds. When I enable it, it is in the 1 minute 35-40 seconds range, consistently. The delay is at the "Applying Computer Settings" stage. We don't really use Group Policy, and there's nothing "new" (eg new assigned applications) to come down to the PC.

      There is an auto-update task configured to run at 12:30pm, which should wait 15 minutes before retrying. Hence it can't be that.

      I originally looked at VirusScan Enterprise 8.7i with AntiSpyware Enterprise 8.7, but that is even slower and shows the crypt32 errors in the event log. A few searches on the Internet and I realised I should steer clear of 8.7 for now.

      There are no problems reported in any of the event logs.

      We don't use ePolicy Orchestrator. (whether we should or shouldn't is, of course, an entirely separate matter!) Could the client be looking for a server it's never going to find? Can't see why the on-access scanner would be part of that bit of the system.

      All ideas gratefully recieved!

      Kind regards,

      Anwar
        • 1. RE: VirusScan Enterprise 8.5 and Applying Computer Settings
          squonk_109
          Hi Anwar, one thing you might want to look at is how many files are in the quarantine directory.

          With cookie detections there were some laptops that had 5000 cookie detections. Event though my quarantine policy was 10 days not the defauly 28 days.

          We manually removed all the cookies detections and rebooted. This cut down on login time considerable.

          I contacted Mcafee and advised them. They advised that VS 8.5 Patch 8 will allow you not to quaratine cookies. In the mean time I have turnned off cookie detection. I will catch them with scans.

          Since you don't use Epolicy you will have to adjust the quarantine setting / cookie detection manually. I suggest you first open
          the Mcafee console and go into quarantine manager and deleted all the cookies, reboot and see if it helps.

          FYI VS 8.7 doesn't quaratine cookies but I am also waiting for patch 1.

          Now if I can figure out how to get CPU usuage down during updates I will be happier.

          Hope this helps.

          Thanks
          • 2. RE: VirusScan Enterprise 8.5 and Applying Computer Settings



            I think that you are far better of to not scan on reads at all.
            And then you really should consider in excluding scanning on writes on selected directed directories aswell:
            C:\Windows\prefetch
            C:\Windows\Installer
            C:\Windows\SoftwareDistribution
            C:\Windows\System32\CatRoot
            C:\Windows\System32\CatRoot2\
            *.LOG

            Reg, Henno.
            • 3. RE: VirusScan Enterprise 8.5 and Applying Computer Settings
              Hi,

              Thanks to Carlo and Henno for your replies.

              I'll remember the cookies one. It's already caused us problems in the past; we have roaming profiles and user's cookies roam with them. Over time, you can build up a huge amount. Every time you log on, you pull down all your cookies; hundreds (perhaps thousands) of tiny files. Each of these would get scanned, taking login times to multiple minutes!

              Henno, I hear what you're saying about excluding reads entirely. The problem is users bring in USB sticks (and, to a lesser extent, CD-Rs), and they are at high risk of being infected. Hence we need to ensure these get scanned on both reads and writes.

              I tried changing various things; we use Novell Client as well. Enabling and disabling this didn't make any difference. We still use VirusScan Enterprise 7.1 extensively (I know I know, it stopped being supported a while ago, but it's working, is using the latest engine and DATs perfectly fine) but that has nowhere near the delay; hence I think I can eliminate both the 5300 scan engine and DATs as possible causes.

              Kind regards,

              Anwar
              • 4. RE: VirusScan Enterprise 8.5 and Applying Computer Settings
                If you disable reads, then it would be impossible to infect a system, since it involves a write on the system.
                Scanning on reads has been disabled at our school for higher education for years (5500 systems, 26000 students and 3000 employees), we never had an infection from this setting.
                It just kill's performance.

                reg, Henno.
                • 5. RE: VirusScan Enterprise 8.5 and Applying Computer Settings
                  andyross
                  But, what if the infection is already on a removable device (CD, DVD, USB drive)? Since the computer may not be the one doing the writing, it will not catch the infected file if you only read from the device.
                  • 6. RE: VirusScan Enterprise 8.5 and Applying Computer Settings
                    Hi There,

                    Not sure if you are still having this problem but we were experiencing the same, 2 - 3 minutes to boot the PC up (hanging on applying computer settings). Disabling OAS worked fine (booted straight away).

                    After a bit of hunting around i came across KB60534 from McAfee. It basically says to change the 'Network Location Awareness' from manual to automatic. McAfee uses this service when windows boots up but has to wait for it to start hence the wait. Changing it to automatic starts the service immediately.

                    Although it says it is for v8.7 it works a treat for v8.5.

                    Also, just works for XP machines.

                    Hope this helps,

                    Bakes
                    • 7. RE: VirusScan Enterprise 8.5 and Applying Computer Settings
                      SergeM


                      Hi,

                      I'm very curious and interested about this cookie thing.
                      Could you explain which setting lets VSE put coockies in quaratine and under which conditions ?

                      Thanks
                      Serge
                      • 8. RE: VirusScan Enterprise 8.5 and Applying Computer Settings
                        squonk_109
                        Hi SergeM.

                        Under onaccess scanning general properties for VS 8.5 there is a place to enable cookie scanning.

                        I turned that off and let on demand scans clean up cookies.

                        For VS 8.7 they did not quarantine cookies.

                        Virus scan 8.5 patch 8 was supposed to fix this and the readme say it does

                        1. VirusScan Enterprise with the AntiSpyware Module
                        can now be set so that it no longer places cookie
                        detections in the quarantine folder. They instead
                        are deleted permanently as part of the clean
                        action.

                        NOTE:
                        By setting the DWORD "DisableCookieBackups"
                        registry entry to 1, cookie detection quarantines
                        no longer occur.

                        HKLM\SOFTWARE\McAfee\VSCore

                        But how or can you do this in Epolicy is the question.
                        • 9. I don't have that setting
                          SergeM


                          :eek: I don't have (see) that setting! :confused:

                          I just checked on a laptop I'm using with VSE 8.5i v:8.5.0.781 ...

                          How can that be ? I never saw anything related to OAS scanning cookies...

                          Serge
                          1 2 Previous Next