3058 Views 4 Replies Latest reply: Nov 28, 2012 2:33 AM by Nagaraj M RSS
Nagaraj M Newcomer 4 posts since
Aug 14, 2012

Nov 22, 2012 4:12 AM

On Access Scan Exclusions v/s On Demand Scan

Hi All,

 

   I have a bit of confusion about Virus Scan exclusions and scanning.

 

  I have configured the OAS exclusions for a particular service (we assume for Hyper-V services). As per the exclusion, OAS will not scan those files. In the ODS task, I haven't configured any exclusions for Hyper-V.

 

My question is: We have configured the weekly scan every Friday on all servers. Will ODS scan all files of Hyper-V? If yes, then what is the use of configuring them in the OAS scan? And what happens if there is a detection in Hyper-V files?

 

I have contacted Support but didn't get a meaningful answer...

 

I would appreciate a fast response.

 

Regards,

Nagaraj

  • JoeyMc Apprentice 68 posts since
    Dec 17, 2010
    1. Nov 25, 2012 11:08 AM (in response to Nagaraj M)
    Re: On Access Scan Exclusions v/s On Demand Scan

    As far as I know, you need to create exclusions for the ODS policy also. It would be nice if it used the OAS policy or at least had that as a one-click checkbox option (I understand why some would want a completely separate policy).

    With Hyper-V you may also want to configure a Low-risk policy for the Hyper-V services. You would then also have to add the exclusions to the low-risk policy (yes, this would be a third place to re-enter your exclusions). When using a low-risk policy, VSE basically says: anything this process touches, treat as low-risk.

     

     

    Also, I use "McAfee Profiler" to see what VSE is scanning to help create better policies.

     

    Message was edited by: JoeyMc on 11/25/12 12:08:28 PM EST
  • rmetzger Champion 567 posts since
    Jan 4, 2005
    3. Nov 27, 2012 10:37 AM (in response to Nagaraj M)
    Re: On Access Scan Exclusions v/s On Demand Scan

    Hi Nagaraj

     

    Nagaraj M wrote:

     

    Hi Joey,

     

      Thank you for your reply.

     

    I found one KB article; as per this KB, ODS will not touch the files/folders where OAS exclusions are configured. Is my understanding correct?

     

    https://kc.mcafee.com/corporate/index?page=content&id=KB67132

     

    Regards

    Nagaraj

    Joey is right in his reply to you.

     

    The article you refer to has little to do with exclusions. The point of this article is to explain that ODS and OAS work cooperatively to avoid deadlocks and race conditions in one causing scans in the other. This is done by 'trusting' each other and avoiding duplicate scans.

     

    The reason exclusions for OAS and ODS are kept separate is to allow tuning for the performance and security needed for a given environment, as defined by security administrators.

     

    OAS is real-time scanning that could impede performance drastically in some environments. Tuning for performance would reduce security in OAS and the ODS would catch the holes in the OAS policies, albeit at a later time.

     

    For instance, say I am a developer of software and, during the creation of that work, I constantly open up .jar files by the thousands per second. Clearly this may be a severe performance issue within the OAS if I have OAS scanning .jar files. This is needless scanning if these files never change. So, within the OAS policy I might exclude scanning .jar files. However, it might be prudent to scan these .jar files later as a double-check that they have not been infected. So, the ODS scan would be done and not exclude .jar files. ODS would be scheduled to run, say weekly, to catch these and other files that might not have been caught by the real-time OAS system.

     

    Two different policies for different scanning requirements, done at different times. Now add to that High Risk/Low Risk process policies, and it is clear that tuning in one's environment can be done with great control. However, this is not meant for the typical home user. VSE is really meant for Enterprise users and administrators.

     

    Since your environment is related to Hyper-V VMs, you might want to consider MOVE as the right product to handle VMs in a better way. It sounds as if you want VSE to scan the VM in an offline status. Not really its strong suit. MOVE has options for this, as well as while the VM is in use (online). MOVE will handle any infections in an intelligent way within the VM. VSE is not tuned to VMs the way MOVE is tuned.

     

    The same thing is true in other configurations, such as an Exchange server. The right tool is needed to handle the idiosyncrasies of that configuration. VSE is the basic engine and not well tuned for other configurations that are best handled with additional tools to handle those specific configurations. VMs are a challenging configuration. MOVE is the product line to handle VMs.

     

    Hopefully this is helpful.

    Ron Metzger
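
The replies above describe OAS and ODS exclusions as separate lists, with ODS acting as the later backstop for whatever OAS skips. The following is an added example, not part of any post in this thread and not McAfee code: it audits two exclusion lists against sample paths and reports files that no scanner would ever inspect. The policy lists, paths, function names and shell-style wildcard syntax are all constructed assumptions, not VSE's own exclusion format.

```python
from fnmatch import fnmatchcase

# Constructed policies (assumption): shell-style wildcards, NOT VSE's exclusion syntax.
POLICIES = {
    "OAS": [r"D:\Hyper-V\*", "*.jar"],               # tuned for real-time performance
    "ODS": [r"D:\Hyper-V\Virtual Hard Disks\*"],     # weekly scan, fewer exclusions
}

# Constructed sample paths for the audit.
SAMPLE_PATHS = [
    r"D:\Hyper-V\Virtual Hard Disks\web01.vhd",
    r"D:\Hyper-V\config\web01.xml",
    r"C:\build\lib\app.JAR",
    r"C:\Users\admin\report.docx",
]


def excluded(path, patterns):
    """True if any pattern matches; Windows paths compare case-insensitively."""
    lowered = path.lower()
    return any(fnmatchcase(lowered, pat.lower()) for pat in patterns)


def coverage(path, policies=POLICIES):
    """Classify a path by which scanners would still inspect it."""
    scanners = [name for name, pats in policies.items() if not excluded(path, pats)]
    if not scanners:
        return "never scanned"        # excluded everywhere: a blind spot
    if "OAS" not in scanners:
        return "deferred: ODS only"   # detection waits for the scheduled scan
    if "ODS" not in scanners:
        return "real-time only"
    return "OAS + ODS"


def audit(paths, policies=POLICIES):
    """Map each path to its coverage class."""
    return {p: coverage(p, policies) for p in paths}


def blind_spots(paths, policies=POLICIES):
    """Paths excluded from every policy, which deserve a documented justification."""
    return [p for p in paths if coverage(p, policies) == "never scanned"]


if __name__ == "__main__":
    for path, status in audit(SAMPLE_PATHS).items():
        print(f"{status:20} {path}")
```
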
