3 Replies Latest reply: Aug 27, 2014 10:06 AM by kmendoza

    VSEL On-Demand scans - configuration, visibility and files involved - request for confirmation of understanding!

    dmease729

      Hi,


      Questions at end of this post.  Work I have carried out so far detailed below :-)


      I was hoping somebody could clarify my understanding of on-demand scans related to VirusScan Enterprise for Linux 1.7.  From a default install, if I browse to the VSEL GUI and look at scheduled tasks, there is only the 'LinuxShield Update' task listed, and nothing alluding to the fact that a scheduled on-demand scan exists.  However, looking at crontab yields:


      =====================================================
      [root@host etc]# cat /etc/crontab
      SHELL=/bin/bash
      PATH=/sbin:/bin:/usr/sbin:/usr/bin
      MAILTO=root
      HOME=/

      # run-parts
      01 * * * * root run-parts /etc/cron.hourly
      02 4 * * * root run-parts /etc/cron.daily
      22 4 * * 0 root run-parts /etc/cron.weekly
      42 4 1 * * root run-parts /etc/cron.monthly
      ### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS.  DO NOT EDIT THIS SECTION. ###
      0 0 * * * root /opt/NAI/LinuxShield/bin/nails runsched 1
      ### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION. ###
      [root@host etc]#
      =====================================================


      ...which looks to me like there is an on-demand scan scheduled every midnight.  Looking at the ods.cfg (/var/opt/NAI/LinuxShield/etc/ods.cfg), I gather that this is run with the exclusion of /proc + subdirs.


      =====================================================
      # Exclude /proc for on-demand by default. Can be removed on the UI if really required
      nailsd.profile.ODS.filter.proc.type: exclude-path
      nailsd.profile.ODS.filter.proc.path: /proc
      nailsd.profile.ODS.filter.proc.subdir: true
      nailsd.profile.ODS_default.filter.proc.type: exclude-path
      nailsd.profile.ODS_default.filter.proc.path: /proc
      nailsd.profile.ODS_default.filter.proc.subdir: true
      =====================================================


      If I go on to add another on-demand scan task ('Test OD scan'), to run every Wednesday @ 03:00, and exclude /hello_exclusion (subdirs not excluded), I get the below, and can confirm that this scan is listed in the VSEL GUI under 'scheduled tasks':


      =====================================================
      [root@host etc]# cat /etc/crontab
      SHELL=/bin/bash
      PATH=/sbin:/bin:/usr/sbin:/usr/bin
      MAILTO=root
      HOME=/

      # run-parts
      01 * * * * root run-parts /etc/cron.hourly
      02 4 * * * root run-parts /etc/cron.daily
      22 4 * * 0 root run-parts /etc/cron.weekly
      42 4 1 * * root run-parts /etc/cron.monthly
      ### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS.  DO NOT EDIT THIS SECTION. ###
      0 0 * * * root /opt/NAI/LinuxShield/bin/nails runsched 1
      0 3 * * 3 root /opt/NAI/LinuxShield/bin/nails runsched 2
      ### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION. ###
      [root@host etc]#
      =====================================================


      ...as expected, another entry added to crontab.  In the ods.cfg, I can see the relevant section for the exclusions:


      =====================================================
      nailsd.profile.ODS_2.filter.0.path: /proc
      nailsd.profile.ODS_2.filter.0.subdir: true
      nailsd.profile.ODS_2.filter.0.type: exclude-path
      nailsd.profile.ODS_2.filter.1.path: /hello_exclusion
      nailsd.profile.ODS_2.filter.1.subdir: false
      nailsd.profile.ODS_2.filter.1.type: exclude-path
      =====================================================


      After this, I changed the agent component from unmanaged to managed mode, so VSEL is now centrally managed.  A client OD task was configured on ePO called 'Centrally Managed VSEL ODS'.  This client task had an exclusion configured of '/epotestODS'.  When this was pulled down by the managed server (confirmed in agent logs), the crontab did not change; however, a file 1.tsk appeared in /opt/McAfee/cma/scratch/AgentDB/Task, and listing the contents of this proved that this was what I was looking for:


      =====================================================
      [Exclusions]
      ExcludedItem_0=3|7|/proc
      ExcludedItem_1=3|3|/epotestODS
      bAppendExclusions=0
      dwExclusionCount=2
      =====================================================



      Soooooo, to summarise:

      1) The default on-demand scan task for VSEL is configured to run at midnight, and is not listed in the VSEL Apache GUI under 'scheduled tasks' - could this be confirmed?
      2) Any custom OD scan tasks configured via the VSEL GUI are listed under the VSEL Apache GUI 'scheduled tasks' and the crontab file is updated as required - could this be confirmed?
      3) The default and the custom OD scan tasks configured via the VSEL GUI are scheduled via crontab - could this be confirmed?
      4) As far as I can see, the only way to disable the *default* OD scan task is to comment out the relevant line in the crontab file.  Could it be confirmed whether this is the only way to do this?
      5) Any OD scan tasks configured and managed via ePO do not appear in the VSEL GUI 'scheduled tasks', and are not scheduled via crontab.  I am guessing that the schedule is controlled via the agent scheduler component (I am guessing further that this actually needs to be the case as the task start time can be randomised and I don't believe you can do that via crontab) - could this be confirmed as correct?


      Any comment or feedback on this would be greatly appreciated as always!


      Message was edited by: dmease729 on 21/12/12 11:18:44 CST
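The post above walks through three places where VSEL on-demand scan state lives: the McAfee-managed section of /etc/crontab (`nails runsched <id>` lines), the per-profile `nailsd.profile.<profile>.filter.<name>.*` keys in ods.cfg, and the `[Exclusions]` section of an ePO-delivered .tsk file. The script below is an added example, not code from the original post, from McAfee, or from the VSEL product: it parses those three artifacts so an administrator can check which scans are actually scheduled (including entries that have been commented out, which the poster identifies as the only way to disable the default task) and which paths are excluded from scanning. The sample file contents are constructed from the snippets in the post; the two numeric columns in each `ExcludedItem_N` value are not explained anywhere on the page, so they are kept as opaque strings rather than interpreted.

```python
"""Audit VSEL on-demand scan schedules and exclusions from the three files the
post discusses: /etc/crontab, ods.cfg and an ePO-delivered .tsk file.

Added example; sample contents are constructed from the forum post. The
numeric fields of ExcludedItem_N in the .tsk file are treated as opaque
because their meaning is not documented on the page."""
import re
from collections import defaultdict

CRON_BEGIN = "### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS."
CRON_END = "### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION."
NAILS = "/opt/NAI/LinuxShield/bin/nails"

# Constructed from the post: crontab after the 'Test OD scan' task was added.
SAMPLE_CRONTAB = """SHELL=/bin/bash
01 * * * * root run-parts /etc/cron.hourly
### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS.  DO NOT EDIT THIS SECTION. ###
0 0 * * * root /opt/NAI/LinuxShield/bin/nails runsched 1
0 3 * * 3 root /opt/NAI/LinuxShield/bin/nails runsched 2
### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION. ###
"""

# Constructed from the post: default /proc filters plus the ODS_2 section.
SAMPLE_ODS = """# Exclude /proc for on-demand by default. Can be removed on the UI if really required
nailsd.profile.ODS.filter.proc.type: exclude-path
nailsd.profile.ODS.filter.proc.path: /proc
nailsd.profile.ODS.filter.proc.subdir: true
nailsd.profile.ODS_default.filter.proc.type: exclude-path
nailsd.profile.ODS_default.filter.proc.path: /proc
nailsd.profile.ODS_default.filter.proc.subdir: true
nailsd.profile.ODS_2.filter.0.path: /proc
nailsd.profile.ODS_2.filter.0.subdir: true
nailsd.profile.ODS_2.filter.0.type: exclude-path
nailsd.profile.ODS_2.filter.1.path: /hello_exclusion
nailsd.profile.ODS_2.filter.1.subdir: false
nailsd.profile.ODS_2.filter.1.type: exclude-path
"""

# Constructed from the post: the 1.tsk file delivered by ePO.
SAMPLE_TSK = """[Exclusions]
ExcludedItem_0=3|7|/proc
ExcludedItem_1=3|3|/epotestODS
bAppendExclusions=0
dwExclusionCount=2
"""

_CRON_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+"
                      + re.escape(NAILS) + r"\s+runsched\s+(\d+)$")


def parse_vsel_cron(text):
    """Return the nails runsched entries inside the McAfee-managed crontab section.
    A leading '#' marks the entry as disabled (commented out) rather than dropping it."""
    tasks, inside = [], False
    for line in text.splitlines():
        if line.startswith(CRON_BEGIN):
            inside = True
            continue
        if line.startswith(CRON_END):
            inside = False
            continue
        if not inside:
            continue
        m = _CRON_RE.match(line.lstrip("# ").strip())
        if m:
            tasks.append({"schedule": m.group(1), "user": m.group(2),
                          "task_id": int(m.group(3)),
                          "enabled": not line.lstrip().startswith("#")})
    return tasks


_ODS_KEY_RE = re.compile(r"^nailsd\.profile\.([^.]+)\.filter\.([^.]+)\.(type|path|subdir):\s*(.*)$")


def parse_ods_exclusions(text):
    """Group filter keys by profile: {profile: [{name, type, path, subdir}]}."""
    raw = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ODS_KEY_RE.match(line)
        if m:
            profile, name, attr, value = m.groups()
            raw[profile][name][attr] = value
    return {profile: [{"name": n, "type": f.get("type"), "path": f.get("path"),
                       "subdir": f.get("subdir", "false").lower() == "true"}
                      for n, f in filters.items()]
            for profile, filters in raw.items()}


def parse_tsk_exclusions(text):
    """Parse [Exclusions] from an ePO .tsk file; the numeric columns stay opaque strings.
    Raises if dwExclusionCount disagrees with the number of ExcludedItem_N lines."""
    items, section, count = [], None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Exclusions" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.startswith("ExcludedItem_"):
            fields = value.split("|")
            items.append({"index": int(key.split("_", 1)[1]),
                          "flags": fields[:-1], "path": fields[-1]})
        elif key == "dwExclusionCount":
            count = int(value)
    if count is not None and count != len(items):
        raise ValueError(f"dwExclusionCount={count} but {len(items)} ExcludedItem lines found")
    return items


def unexpected_exclusions(paths, expected=("/proc",)):
    """Excluded paths outside the expected baseline; each one should be accounted for."""
    return sorted(p for p in paths if p not in expected)


if __name__ == "__main__":
    for t in parse_vsel_cron(SAMPLE_CRONTAB):
        print("cron task", t["task_id"], t["schedule"], "enabled" if t["enabled"] else "DISABLED")
    for profile, filters in parse_ods_exclusions(SAMPLE_ODS).items():
        print(profile, [(f["path"], f["subdir"]) for f in filters])
    tsk = parse_tsk_exclusions(SAMPLE_TSK)
    print("ePO exclusions not in baseline:", unexpected_exclusions(i["path"] for i in tsk))
```

Running the script on real files (read /etc/crontab, /var/opt/NAI/LinuxShield/etc/ods.cfg and the .tsk files under /opt/McAfee/cma/scratch/AgentDB/Task instead of the constructed samples) gives a single view of every scheduled on-demand scan and every excluded path across the locally configured and ePO-managed tasks, which is the check you want after any change to exclusions, since an exclusion that nobody can explain is a gap in coverage.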