I am running VirusScan Enterprise 8.8 on Windows 2012 Server, and I see in the Windows event log that scan64.exe is starting and stopping every 4 minutes (give or take 5 seconds). The process is called by VsTskMgr.exe, and even continues when I disabled "On Access Scanner" and "Access Protection" from the VirusScan console. There are no scheduled on-demand scans and nothing appears in the McAfee logs. This happens every ~4 mins all day and night long.
Has anyone else seen this behavior? What is causing it?
I tried running McAfee Profiler, but it crashes every time I try to start capturing data, so I can't tell what it is scanning.
Message was edited by: eeflyingtom on 10/26/13 12:47:12 AM CDT
As you mentioned, if you stop the AV services you can also see the scan running. Let us know the patch version of VSE 8.8 running on the Windows 2012 server.
Install the latest security patch and install VSE 8.8 Patch 3, then let us know the status.
I'm running patch 3 and all the latest updates.
On x64 the Scan64 process is used to obtain DAT property information for the McAfee Agent.
You must have property collection being carried out pretty frequently. Lessen the frequency and you'll see the behavior change accordingly.
Where is the option for that?
It'll be in the policy catalog for the McAfee Agent. Property collection and Policy Enforcement are functionality owned by this product.
Sorry I don't have an ePO server handy to tell you the exact screens to click.
The agent is in unmanaged mode - could this still be the problem?
I did not install the VirusScan package originally so I don't know which was installed, but it appears to be an x86 version installed on a 64-bit system - all the VirusScan files are installed in Program Files (x86).
That's actually the right set of files.
We actually install our files under the Program files (x86) folder structure, and leverage a subfolder \x64 for the 64-bit binaries. It's a complicated story, but that's where we are today.
For an unmanaged system, I'm not sure then what the trigger is for that Scan64 instance launching.
You could use Process Monitor to capture what is being launched (i.e. the actual command being issued when the process is created), and who is launching it.
OK, good to know. Looks like the scan64.exe is being called by VsTskMgr.exe with the command "C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe" /getengineversion64
Okay. That's the command used when property collection occurs, so, you might want to have someone double-check on that node being ePO managed or not - it sure sounds like it is managed.
Actually, maybe not... I'm thinking we'd see that command coming from naprdmgr.exe if it were managed.
So, I'm not sure what it is offhand, but something is causing us to get that info... you might have a case there to explore further.
Message was edited by: wwarren on 11/11/13 12:48:28 PM CST
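Added example, not part of the thread and not McAfee or Sysinternals code: the Process Monitor check suggested above (who launches scan64.exe, with what command line, and how often) run over a CSV export. The column layout is assumed to be Process Monitor's default export, the sample rows are constructed, and the function names are hypothetical.

```python
import csv, io, re
from datetime import datetime
from statistics import median

# Constructed sample in the assumed layout of a Process Monitor CSV export.
# For "Process Create" rows, Process Name is the launcher and Path is the new image.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:00:02.1034567 AM","VsTskMgr.exe","1480","Process Create","C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe","SUCCESS","PID: 5012, Command line: ""C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe"" /getengineversion64"
"1:00:02.2000000 AM","scan64.exe","5012","Process Start","","SUCCESS","Parent PID: 1480"
"1:02:10.0000000 AM","svchost.exe","900","Process Create","C:\Windows\System32\wbem\WmiPrvSE.exe","SUCCESS","PID: 5100, Command line: C:\Windows\System32\wbem\WmiPrvSE.exe"
"1:04:01.7312000 AM","VsTskMgr.exe","1480","Process Create","C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe","SUCCESS","PID: 5240, Command line: ""C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe"" /getengineversion64"
"1:08:03.0090000 AM","VsTskMgr.exe","1480","Process Create","C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe","SUCCESS","PID: 5388, Command line: ""C:\Program Files (x86)\McAfee\VirusScan Enterprise\x64\scan64.exe"" /getengineversion64"
'''

def launches(csv_text, image="scan64.exe"):
    """Return (time, launcher, command line) for each creation of `image`."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        if r["Operation"] != "Process Create":
            continue
        if not r["Path"].lower().endswith("\\" + image.lower()):
            continue
        # Time of Day has a 7-digit fraction; keep whole seconds only.
        m = re.match(r"(\d+:\d+:\d+)\.\d+ ([AP]M)", r["Time of Day"])
        when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%I:%M:%S %p")
        cmd = r["Detail"].split("Command line: ", 1)[-1]
        rows.append((when, r["Process Name"], cmd))
    return rows

def summarize(rows):
    """Distinct launchers and command lines, plus the median gap in seconds."""
    times = [t for t, _, _ in rows]
    # The export carries no date, so wrap gaps that cross midnight.
    gaps = [(b - a).total_seconds() % 86400 for a, b in zip(times, times[1:])]
    return {
        "launchers": sorted({p for _, p, _ in rows}),
        "commands": sorted({c for _, _, c in rows}),
        "median_gap_s": median(gaps) if gaps else None,
    }

if __name__ == "__main__":
    print(summarize(launches(SAMPLE)))
```

A single launcher with one fixed command line and a steady gap points at a timer inside that parent process rather than a scheduled task or an on-demand scan.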