3 Replies Latest reply on Jul 24, 2013 9:33 AM by rmetzger

    McAfee is not detecting if an USB is plugged

    kevin_27

      Hi Team,

       

                       We are managing an environment with around 2000 computers. We are using ePO 4.6 to manage the Mcafee Clients. Issue what we are facing is that when we plug an USB to any of the machine, we dont see or get a message that McAfee is scanning it. We also belive that the scanning is not happeningat all. Any thoughts?

        • 1. Re: McAfee is not detecting if an USB is plugged
          rmetzger

          Hi Kevin,

          kevin_27 wrote:

                            We are managing an environment with around 2000 computers. We are using ePO 4.6 to manage the Mcafee Clients. Issue what we are facing is that when we plug an USB to any of the machine, we dont see or get a message that McAfee is scanning it. We also belive that the scanning is not happeningat all. Any thoughts?

          'We also believe that the scanning is not happening at all.'

          Scanning will take place as long as you have 'Scanning on Read' ON. This is critical!

          When files are read from the USB drive, the files read are scanned at time of the read. This happens in the background and no 'message' is displayed. Scanning should happen on Autorun.inf launched files as well. Again, Scanning on Read is essential.

           

          'we dont see or get a message that McAfee is scanning it.' Yes. I prefer it this way. I don't want to interrupt anyone to say, 'Yes - I am slowing you down with a scan.' I don't need to report, 'things are normal' filling up my logs with information that is not helping with an outbreak.

           

          Imagine inserting the USB cable to a 3 TB backup drive. Scanning the entire drive or even a half filled drive would be extremely performance draining and time consuming. I regularly insert and soon thereafter remove a 128 GB flash drive. I could not 'properly' remove the drive until the entire scan completed. So, I could wait, then eject correctly, or I could remove the flash drive early and potentially corrupt it's file structure. Neither is beneficial to securing the system against transferring malware, from the flash drive to the system.

           

          Again the true protection is based on making Sure that 'Scanning on Read' is ON.

          You may also want to block 'Autorun' from happening, but that is debatable.

           

          A bigger question might be, 'What information may be Leaking via a USB attached drive?' With that in mind, consider McAfee's DLP program.

           

          So, check your settings to make sure that 'Scanning on Read' is On.

           

          Hope this helps.

          Ron Metzger

          • 2. Re: McAfee is not detecting if an USB is plugged
            kevin_27

            Hi Metzger,

             

                                      First of all thanks for your reply and for making me understand. I have a question here, if i turn this feature 'Scanning On Read' on wont the system experinece an performance degradation. Whether we insert an USB or not, the hardisk will scan the system for read operations as well. Ami i right or have i completely misunderstood?

            • 3. Re: McAfee is not detecting if an USB is plugged
              rmetzger

              Hi Kevin,

              kevin_27 wrote:

                                        First of all thanks for your reply and for making me understand. I have a question here, if i turn this feature 'Scanning On Read' on wont the system experinece an performance degradation. Whether we insert an USB or not, the hardisk will scan the system for read operations as well. Ami i right or have i completely misunderstood?

              Good question. The short answer: Yes.

               

              One must always balance performance and security. On 'average,' there are 4 to 8 reads to every write. So, yes there is going to be an impact.

               

              However, McAfee's VSE v8.8 may help mitigate some of the impact.

               

              Five years ago, one could argue that turning Off Scan on Read was OK, but since the introduction of Conficker and similar malware, the requirement must be to have Scan on Read ON. Stopping the spread of malware via USB attached drives also require Scan on Read. (Stuxnet was successful at infecting Internet isolated networks, via USB.) Unfortunately, this is the world we live in, in my humble opinion.

               

              I might suggest a good read: https://kc.mcafee.com/corporate/index?page=content&id=KB74059&pmv=print&viewloca le=en_US

               

              At the bottom of the document you will find links to the 'VirusScan Enterprise 8.8 Best Practices Guide.'

               

              Hopefully this is helpful.

              Ron Metzger

               

              Message was edited by: rmetzger on 7/24/13 10:22:26 AM EDT

               

              on 7/24/13 10:33:58 AM EDT