    Infection not detected by on-access scan, why?

      We are having an issue with the W32 Sality virus. It is spreading through to a number of file servers which have open file shares and also to local workstations that also have open file shares. My question is basically about how things work.

      It appears this virus infects existing exe files. McAfee on-access scan does not detect it until you run the on-demand scan. Now I understand that the on-access only scans things that are being accessed either when writing to disk or reading from disk, but shouldn't the on-access scan detect when a file is being infected?

          Are you sure you have "Scan ALL FILES" set in your "On Access Scan" settings? Many use "Default" settings. Likewise for "When writing to disc", "When reading from disc" and "Opened for backup".

          See the link below regarding the items that accompany the virus on just this particular variant:


            Thank you Grif for taking a look at my issue. Yes, our policies are set to scan all files. The only thing I can think of is that the infections are occurring through the network so McAfee doesn't see the actual changes to the file. Like for example, I could connect to \\computername\share$ and see the files and modify them but should McAfee see this happening and stop it?
              There are settings to scan "Network Files" as well. Do you have it set as such?

              But still, in situations that have occurred here with network aware viruses, McAfee detects the virus immediately when it is "placed" on the newly infected computer from somewhere else on the network. The Network files scan shouldn't be necessary. I'm not sure why it's not working for you.

              Which version of McAfee are you running? If you're using the corporate Enterprise version, are all patches in place? All scan engines and definitions are current?

                Hello Grif, I'm not using the Network Files Scan but will take a look at that. We are using VS8.5i, patch 8 and DATS are current. We have found it on a number of workstations just sitting there, not causing issues until someone launches it or moves it and then McAfee jumps into action.