1753 Views 2 Replies Latest reply: Aug 5, 2013 8:55 AM by dmease729 RSS
dmease729 Champion 267 posts since
Jul 22, 2011

Dec 21, 2012 11:18 AM

VSEL On-Demand scans - configuration, visibility and files involved - request for confirmation of understanding!

Hi,


Questions at end of this post.  Work I have carried out so far detailed below :-)


I was hoping somebody could clarify my understanding of on-demand scans related to VirusScan Enterprise for Linux 1.7.  From a default install, if I browse to the VSEL GUI and look at scheduled tasks, there is only the 'LinuxShield Update' task listed, and nothing alluding to the fact that a scheduled on-demand scan exists.  However, looking at crontab yields:


=====================================================
[root@host etc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS.  DO NOT EDIT THIS SECTION. ###
0 0 * * * root /opt/NAI/LinuxShield/bin/nails runsched 1
### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION. ###
[root@host etc]#
=====================================================


...which looks to me like there is an on-demand scan scheduled every midnight.  Looking at the ods.cfg (/var/opt/NAI/LinuxShield/etc/ods.cfg), I gather that this is run with the exclusion of /proc + subdirs.


=====================================================
# Exclude /proc for on-demand by default. Can be removed on the UI if really required
nailsd.profile.ODS.filter.proc.type: exclude-path
nailsd.profile.ODS.filter.proc.path: /proc
nailsd.profile.ODS.filter.proc.subdir: true
nailsd.profile.ODS_default.filter.proc.type: exclude-path
nailsd.profile.ODS_default.filter.proc.path: /proc
nailsd.profile.ODS_default.filter.proc.subdir: true
=====================================================


If I go on to add another on-demand scan task ('Test OD scan'), to run every Wednesday @ 03:00, and exclude /hello_exclusion (subdirs not excluded), I get the below, and can confirm that this scan is listed in the VSEL GUI under 'scheduled tasks':


=====================================================
[root@host etc]# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/

# run-parts
01 * * * * root run-parts /etc/cron.hourly
02 4 * * * root run-parts /etc/cron.daily
22 4 * * 0 root run-parts /etc/cron.weekly
42 4 1 * * root run-parts /etc/cron.monthly
### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS.  DO NOT EDIT THIS SECTION. ###
0 0 * * * root /opt/NAI/LinuxShield/bin/nails runsched 1
0 3 * * 3 root /opt/NAI/LinuxShield/bin/nails runsched 2
### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION. ###
[root@host etc]#
=====================================================


...as expected, another entry added to crontab.  In the ods.cfg, I can see the relevant section for the exclusions:


=====================================================
nailsd.profile.ODS_2.filter.0.path: /proc
nailsd.profile.ODS_2.filter.0.subdir: true
nailsd.profile.ODS_2.filter.0.type: exclude-path
nailsd.profile.ODS_2.filter.1.path: /hello_exclusion
nailsd.profile.ODS_2.filter.1.subdir: false
nailsd.profile.ODS_2.filter.1.type: exclude-path
=====================================================


After this, I changed the agent component from unmanaged to managed mode, so VSEL is now centrally managed.  A client OD task was configured on ePO called 'Centrally Managed VSEL ODS'.  This client task had an exclusion configured of '/epotestODS'.  When this was pulled down by the managed server (confirmed in agent logs), the crontab did not change; however, a file 1.tsk appeared in /opt/McAfee/cma/scratch/AgentDB/Task, and listing the contents of this proved that this was what I was looking for:


=====================================================
[Exclusions]
ExcludedItem_0=3|7|/proc
ExcludedItem_1=3|3|/epotestODS
bAppendExclusions=0
dwExclusionCount=2
=====================================================



Soooooo, to summarise:

1) The default on-demand scan task for VSEL is configured to run at midnight, and is not listed in the VSEL Apache GUI under 'scheduled tasks' - could this be confirmed?
2) Any custom OD scan tasks configured via the VSEL GUI are listed under the VSEL Apache GUI 'scheduled tasks' and the crontab file is updated as required - could this be confirmed?
3) The default and the custom OD scan tasks configured via the VSEL GUI are scheduled via crontab - could this be confirmed?
4) As far as I can see, the only way to disable the *default* OD scan task is to comment out the relevant line in the crontab file.  Could it be confirmed whether this is the only way to do this?
5) Any OD scan tasks configured and managed via ePO do not appear in the VSEL GUI 'scheduled tasks', and are not scheduled via crontab.  I am guessing that the schedule is controlled via the agent scheduler component (I am guessing further that this actually needs to be the case as the task start time can be randomised and I don't believe you can do that via crontab) - could this be confirmed as correct?


Any comment or feedback on this would be greatly appreciated as always!


Message was edited by: dmease729 on 21/12/12 11:18:44 CST
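The visibility gap described in the post (the default midnight scan is present in /etc/crontab but not in the GUI) is the kind of thing an auditor wants to reconcile from the files themselves. The script below is an added example, not code from the post or from McAfee: it parses the three artifacts quoted above (the McAfee section of /etc/crontab, the nailsd.profile.*.filter.* keys of ods.cfg, and the [Exclusions] section of an agent .tsk file) and reports, per scheduled task, its cron schedule, whether the line has been commented out, and which paths its profile excludes. The sample inputs are constructed from the listings in the post. Two things are assumptions rather than facts from the post: that the profile named ODS_<id> belongs to the task run by `runsched <id>` (with task 1 falling back to the plain ODS profile), and that the two numeric fields in ExcludedItem_N are opaque flags, which the script keeps as strings without interpreting them.

```python
"""Reconcile VSEL on-demand scan schedules (crontab) with their exclusions (ods.cfg / .tsk)."""
import re

# --- constructed samples, modelled on the listings in the forum post ---
SAMPLE_CRONTAB = """\
# run-parts
01 * * * * root run-parts /etc/cron.hourly
### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS.  DO NOT EDIT THIS SECTION. ###
0 0 * * * root /opt/NAI/LinuxShield/bin/nails runsched 1
0 3 * * 3 root /opt/NAI/LinuxShield/bin/nails runsched 2
### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION. ###
"""
SAMPLE_ODS_CFG = """\
# Exclude /proc for on-demand by default. Can be removed on the UI if really required
nailsd.profile.ODS.filter.proc.type: exclude-path
nailsd.profile.ODS.filter.proc.path: /proc
nailsd.profile.ODS.filter.proc.subdir: true
nailsd.profile.ODS_2.filter.0.path: /proc
nailsd.profile.ODS_2.filter.0.subdir: true
nailsd.profile.ODS_2.filter.0.type: exclude-path
nailsd.profile.ODS_2.filter.1.path: /hello_exclusion
nailsd.profile.ODS_2.filter.1.subdir: false
nailsd.profile.ODS_2.filter.1.type: exclude-path
"""
SAMPLE_TSK = """\
[Exclusions]
ExcludedItem_0=3|7|/proc
ExcludedItem_1=3|3|/epotestODS
bAppendExclusions=0
dwExclusionCount=2
"""

MCAFEE_START = "### McAfeeVSEForLinux SCHEDULED TASK INFORMATION FOLLOWS."
MCAFEE_END = "### END OF McAfeeVSEForLinux SCHEDULED TASK INFORMATION."
# Optional leading '#' marks a task that was disabled by commenting the line out.
RUNSCHED_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<sched>\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(?P<user>\S+)\s+"
    r"\S*/nails\s+runsched\s+(?P<id>\d+)\s*$")
ODS_KEY_RE = re.compile(
    r"^nailsd\.profile\.(?P<profile>[^.]+)\.filter\.(?P<name>[^.]+)\."
    r"(?P<attr>type|path|subdir):\s*(?P<val>.*?)\s*$")


def parse_vsel_cron(text):
    """Return {task_id: {schedule, user, enabled}} for runsched lines inside the McAfee section."""
    tasks, inside = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(MCAFEE_START):
            inside = True
            continue
        if stripped.startswith(MCAFEE_END):
            inside = False
            continue
        m = RUNSCHED_RE.match(stripped) if inside else None
        if m:
            tasks[int(m.group("id"))] = {
                "schedule": re.sub(r"\s+", " ", m.group("sched")),
                "user": m.group("user"),
                "enabled": m.group("disabled") is None,
            }
    return tasks


def parse_ods_cfg(text):
    """Return {profile: {filter_name: {type, path, subdir}}}; comments and other keys are skipped."""
    profiles = {}
    for line in text.splitlines():
        m = ODS_KEY_RE.match(line.strip())
        if not m:
            continue
        flt = profiles.setdefault(m.group("profile"), {}).setdefault(m.group("name"), {})
        val = m.group("val")
        flt[m.group("attr")] = (val.lower() == "true") if m.group("attr") == "subdir" else val
    return profiles


def parse_tsk_exclusions(text):
    """Return the excluded paths from the [Exclusions] section, checking dwExclusionCount."""
    section, items, declared = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Exclusions" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.startswith("ExcludedItem_"):
            fields = val.split("|", 2)  # ASSUMPTION: two opaque flag fields, then the path
            if len(fields) != 3:
                raise ValueError("unexpected ExcludedItem format: %r" % val)
            items[int(key[len("ExcludedItem_"):])] = fields[2]
        elif key == "dwExclusionCount":
            declared = int(val)
    paths = [items[i] for i in sorted(items)]
    if declared is not None and declared != len(paths):
        raise ValueError("dwExclusionCount=%d but %d entries" % (declared, len(paths)))
    return paths


def reconcile(crontab_text, ods_text):
    """Join each cron-scheduled task to its ods.cfg profile and list the exclude-path filters."""
    tasks, profiles, report = parse_vsel_cron(crontab_text), parse_ods_cfg(ods_text), []
    for task_id in sorted(tasks):
        # ASSUMPTION: ODS_<id> belongs to task <id>; task 1 falls back to the 'ODS' profile.
        name = "ODS_%d" % task_id
        if name not in profiles:
            name = "ODS" if task_id == 1 and "ODS" in profiles else None
        excl = [(f.get("path"), bool(f.get("subdir")))
                for f in (profiles.get(name) or {}).values() if f.get("type") == "exclude-path"]
        report.append(dict(task=task_id, profile=name, exclusions=excl, **tasks[task_id]))
    return report


if __name__ == "__main__":
    for row in reconcile(SAMPLE_CRONTAB, SAMPLE_ODS_CFG):
        print(row)
    print("ePO task exclusions:", parse_tsk_exclusions(SAMPLE_TSK))
```

On a real host, read /etc/crontab, /var/opt/NAI/LinuxShield/etc/ods.cfg and the .tsk files under /opt/McAfee/cma/scratch/AgentDB/Task into the three functions instead of the constructed strings; the "enabled" flag is what tells you whether the default task has been switched off by commenting out its cron line, which is otherwise invisible in the GUI.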
