Recently I had a question from one of our AD administrators in regards to VSE 8.8 P2 and the 'On-Access Scan Statistics'. I don't have a good answer to this so I'm reaching out. When I (or anyone else) select the 'Statistics' option from the On-Access scanner, the window displays entries under "Access Protection Statistics" - "File actions blocked": in the last hour and in the last day, there are blocks showing, like 3 in the last hour and 328 in the last day. Since we can see there are actions occurring on a DC, we of course are curious what's happening. When we check the OnAccessScanLog.txt there is nothing in the log to show what was blocked. Am I missing something here? I have checked the ePO server and do not see any events in the threat event log. So where would we look to see what was being blocked?
I will try to explain how VSE works so you have an idea about your question.
When any application accesses any file from storage (HDD or any attached media), the McAfee filter driver comes into place and asks "Who, where and why, whom?" If the process which is accessing that file answers these questions, it is allowed to access that file; if not, the filter driver, which is a kernel-level driver, sends the matter to McShield to scan with the current DAT and signatures. If McShield finds that it is malicious, an action is triggered according to the set policy and it is logged in OnAccessScanLog.txt.
One thing more: the filter driver also compares any accessed file with the cache as well; if it is in the cache it will be allowed without further inspection.
In your case I think if there is no detection there will be no log. Why don't you try a fake virus test string and see whether it is blocked and logged as well? If you find results then everything is working fine.
Save this string in a test file and check the VSE log or any VSE activity.
Thanks for your input alexn, I tested the file you mentioned and VSE sure enough deleted it. I checked the OAS log and it showed the deletion in the log. So am I to judge that the other statistics are false? We show file action blocks and registry action blocks, but these are not logged in the OAS log, so they are wrong?
Enable the Access Protection rule "Prevent registry editor and Task Manager from being disabled" and I hope it will log if the rule triggers. Others look fine, or create a user-defined registry blocking rule.
on 4/4/13 4:34:52 PM CDT
The OAS scan stat page lists the detections in separate categories: one is OAS scanning stats and the other is Access Protection stats. If what you are questioning is listed under the Access Protection stats, then you would need to look at the Access Protection log to see the details. The log is viewable by right-clicking on Access Protection in the VS Console and choosing View Log.
Thank you for the response Darryl. What you mentioned is what I am referring to. I am questioning what is in the log as compared to the statistics. In the middle pane, as you mentioned, there are three columns, all of which enumerate the number of "Blocks": 1) File actions blocked, 2) Registry actions blocked, 3) Port actions blocked. I would not have any issue at all if the numbers were zero. The issue I was mentioning is that there are listed blocks, in most cases in the "last hour" category, and of course following that would be "in the last day". Now, even on my own workstation I can pull up the statistics from the VirusScan Console, and it will list a file action block within the last hour. If I do select the viewable log by right-clicking the On-Access Scanner, the log does not display any blocks. It will display columns with dates, time, engine version, DAT version, etc. There are no blocks listed. The file normally will range from three to four days, but no blocks whatsoever are logged. Do I need to bump up the log file size in the On-Access policy to make it more granular?
Darryl was hinting that you are opening the wrong type of log. Access Protection has its own log: open the VirusScan Console, right-click the Access Protection module there and select View Log.
The On-Access Scanner log has nothing to do with Access Protection blocks, nor should it show anything AP has blocked.
Simply put: there are as many types of logs as there are modules in the VirusScan Console.
In ePO you should create an event query listing events of type "Access Protection" (Filter section of the query builder wizard) to see any such events there.
Message was edited by: apoling on 23/04/13 12:08:32 CEST
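To reconcile the numbers in the statistics pane with what was actually blocked, the file to read is the Access Protection log, not OnAccessScanLog.txt, as the last replies point out. The script below is an added example for this thread, not code from the posters or from McAfee: it parses Access Protection log lines and tallies blocked file, registry and port actions over the last hour and last day, the same three buckets the statistics window shows, and lists the events behind those counts. The log path, the tab-delimited field order, the "Blocked by Access Protection rule" wording and the category heuristics are assumptions modelled on VSE 8.8, and the sample lines are constructed, so adjust the field indexes to match a real AccessProtectionLog.txt before pointing it at a DC.

```python
"""Tally Access Protection blocks the way the VSE statistics pane does.

Added example (not from the thread or McAfee). The tab-delimited layout,
field order and wording below are ASSUMPTIONS modelled on VSE 8.8's
AccessProtectionLog.txt; the sample lines are constructed, not real events.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed default log location on a VSE 8.8 host (verify on your own system).
DEFAULT_AP_LOG = r"C:\ProgramData\McAfee\DesktopProtection\AccessProtectionLog.txt"

# Constructed sample. Assumed fields: date, time, result, user, process, target, rule, action.
SAMPLE_AP_LOG = "\n".join([
    "4/4/2013\t3:50:12 PM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM"
    "\tC:\\Windows\\System32\\svchost.exe\tC:\\Windows\\Temp\\update.exe"
    "\tCommon Standard Protection:Prevent common programs from running files from the Temp folder"
    "\tAction blocked : Execute",
    "4/4/2013\t4:10:05 PM\tBlocked by Access Protection rule\tCORP\\jdoe"
    "\tC:\\Program Files\\Tool\\tool.exe"
    "\tHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"
    "\tCommon Standard Protection:Protect Windows startup registry keys\tAction blocked : Write",
    "4/4/2013\t4:20:30 PM\tBlocked by Access Protection rule\tCORP\\jdoe"
    "\tC:\\Users\\jdoe\\mailer.exe\tOutbound TCP port 25"
    "\tAnti-virus Standard Protection:Prevent mass mailing worms from sending mail"
    "\tAction blocked : Connect",
    "4/3/2013\t6:00:00 PM\tBlocked by Access Protection rule\tNT AUTHORITY\\SYSTEM"
    "\tC:\\Windows\\explorer.exe\tC:\\Windows\\Temp\\a.exe"
    "\tCommon Standard Protection:Prevent common programs from running files from the Temp folder"
    "\tAction blocked : Execute",
    "4/1/2013\t9:00:00 AM\tBlocked by Access Protection rule\tCORP\\svc_backup"
    "\tC:\\Backup\\agent.exe\tC:\\Windows\\Temp\\stage.exe"
    "\tCommon Standard Protection:Prevent common programs from running files from the Temp folder"
    "\tAction blocked : Execute",
    # Service state lines have fewer fields and must not be counted as blocks.
    "4/4/2013\t4:30:00 PM\tAccess Protection service started",
])

WINDOWS: Dict[str, timedelta] = {"last_hour": timedelta(hours=1), "last_day": timedelta(days=1)}
CATEGORIES = ("File", "Registry", "Port")


@dataclass
class APEvent:
    when: datetime
    user: str
    process: str
    target: str
    rule: str
    action: str
    category: str


def classify(target: str) -> str:
    """Map a blocked target to the File/Registry/Port buckets of the statistics pane."""
    t = target.upper()
    if t.startswith(("HKLM\\", "HKCU\\", "HKU\\", "HKCR\\", "HKEY_")):
        return "Registry"
    if " PORT " in f" {t} ":  # assumed wording for port-blocking rules, e.g. "Outbound TCP port 25"
        return "Port"
    return "File"


def parse_ap_log(text: str) -> List[APEvent]:
    """Return one APEvent per block record; skip service lines and unparseable timestamps."""
    events: List[APEvent] = []
    for line in text.splitlines():
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) < 8 or not fields[2].startswith("Blocked"):
            continue
        try:
            when = datetime.strptime(f"{fields[0]} {fields[1]}", "%m/%d/%Y %I:%M:%S %p")
        except ValueError:
            continue
        events.append(APEvent(when, fields[3], fields[4], fields[5], fields[6], fields[7],
                              classify(fields[5])))
    return events


def tally(events: List[APEvent], now: datetime) -> Dict[str, Dict[str, int]]:
    """Count blocks per category within each window ending at `now` (the pane's two columns)."""
    stats = {cat: {name: 0 for name in WINDOWS} for cat in CATEGORIES}
    for ev in events:
        age = now - ev.when
        if age < timedelta(0):
            continue  # future-dated record (clock skew); never count it
        for name, span in WINDOWS.items():
            if age <= span:
                stats[ev.category][name] += 1
    return stats


def recent(events: List[APEvent], now: datetime, span: timedelta) -> List[APEvent]:
    """The events behind a count: what was blocked within `span` of `now`, newest first."""
    return sorted((e for e in events if timedelta(0) <= now - e.when <= span),
                  key=lambda e: e.when, reverse=True)


if __name__ == "__main__":
    # Reference time chosen to match the thread's 4/4/13 4:34:52 PM timestamp.
    now = datetime(2013, 4, 4, 16, 34, 52)
    evs = parse_ap_log(SAMPLE_AP_LOG)  # replace with open(DEFAULT_AP_LOG).read() on a host
    for cat, counts in tally(evs, now).items():
        print(f"{cat} actions blocked: {counts['last_hour']} (last hour), {counts['last_day']} (last day)")
    for e in recent(evs, now, WINDOWS["last_hour"]):
        print(f"  {e.when:%H:%M:%S} {e.category:8} {e.user} {e.process} -> {e.target} [{e.rule}]")
```

Running it on the constructed sample prints 1/2 file blocks, 1/1 registry blocks and 1/1 port blocks, with the three events from the last hour listed underneath, which is the view the OP wanted next to the statistics pane. On a real host, if the log still shows nothing while the pane counts blocks, check that the Access Protection log has not been rotated at its size limit and that the rules concerned have "Report" ticked, since a rule set to block without reporting updates the counters without writing a line.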