2950 Views 6 Replies Latest reply: Apr 23, 2013 5:07 AM by Attila Polinger
syd Newcomer 13 posts since
Sep 27, 2011

Apr 4, 2013 1:16 PM

VSE 8.8 On-Access Scan logging/statistics

Recently I had a question from one of our AD administrators in regards to VSE 8.8P2 and the 'On-Access Scan Statistics'. I don't have a good answer to this so I'm reaching out. When I (or anyone else) select the 'Statistics' option from the On-Access scanner, the window displays entries under "Access Protection Statistics" - "File actions blocked": in the last hour and in the last day there are blocks showing, like 3 in the last hour and 328 in the last day. Since we can see there are actions occurring on a DC, we of course are curious what's happening. When we check the OnAccessScanLog.txt there is nothing in the log to show what was blocked. Am I missing something here? I have checked the ePO server and do not see any events in the threat event log. So where would we look to see what was being blocked?

Thanks,

Syd

  • alexn Veteran 722 posts since
    Aug 9, 2012
    1. Apr 4, 2013 2:04 PM (in response to syd)
    Re: VSE 8.8 On-Access Scan logging/statistics

    Hi,

    I will try to explain how VSE works so you can have an idea about your question.

    When any application accesses any file from storage (HDD or any attached media), the McAfee filter driver comes into place and asks "who, where, why and whom?" If the process which is accessing that file answers these questions, it is allowed to access that file; if not, the filter driver, which is a kernel-level driver, sends the matter to McShield to scan with the current DAT and signatures. If McShield finds that it is malicious, an action is triggered according to the set policy and it is logged in the OAS log.

    One thing more: the filter driver also compares any accessed file against the cache; if it is in the cache it will be allowed without further inspection.

    In your case I think if there is no detection there will be no log. Why don't you try a fake virus test string and see whether it is blocked and logged as well? If you find results then everything is working fine.

    http://www.eicar.org/86-0-Intended-use.html

    Save this string in a test file and check the VSE log or any VSE activity.

    Regards,

    Alxn


    Post Timings: 6.00 AM to 3.00PM PDT
  • alexn Veteran 722 posts since
    Aug 9, 2012
    3. Apr 4, 2013 4:34 PM (in response to syd)
    Re: VSE 8.8 On-Access Scan logging/statistics

    Enable the Access Protection rule "Prevent registry editor and Task Manager from being disabled" and I hope it will log if the rule triggers. The others look fine. OR create a user-defined Registry blocking rule.

    Post Timings: 6.00 AM to 3.00PM PDT
  • dwarren1 Newcomer 3 posts since
    Apr 5, 2013
    4. Apr 5, 2013 9:03 AM (in response to alexn)
    Re: VSE 8.8 On-Access Scan logging/statistics

    Syd,

    The OAS scan stat page lists the detections in separate categories: one is the on-access scanning stats and the other is the Access Protection stats. If what you are questioning is listed under the Access Protection stats, then you would need to look at the Access Protection log to see the details. The log is viewable by right-clicking on Access Protection in the VS Console and choosing View Log.

    Darryl

  • Attila Polinger Veteran 1,161 posts since
    Dec 8, 2009
    6. Apr 23, 2013 5:08 AM (in response to syd)
    Re: VSE 8.8 On-Access Scan logging/statistics

    Hi Syd,

    Darryl was hinting that you are opening the wrong type of log. Access Protection has its own log, and you should open the VirusScan console, right-click the Access Protection module there and select View Log.

    The On-Access Scanner log has nothing to do with Access Protection blocks, nor should it show anything AP has blocked.

    Simply put: there are as many types of logs as there are modules in the VirusScan console.

    In ePO you should create an event query to list events of type "Access Protection" (Filter section of the query builder wizard) to see any such events there.

    Attila


    Message was edited by: apoling on 23/04/13 12:08:32 CEST
