1 Reply  Latest reply: Jan 28, 2014 4:21 PM by Scott Sadlocha

    On-Access Scan Statistics On Client Don't Match ePO

    Scott Sadlocha

      Hey Everyone,

      I am still relatively new to the McAfee environment, so if my question is obvious or answered elsewhere, I apologize. I did a few searches and didn't find anything that answered it, so I am putting it out there.


      My question has to do with the On-Access Scan Statistics window found on the client, and how the numbers there don't match those found for the same device in the ePO console. Below is a screenshot of the OAS Scan Stats window on a server I recently rolled out VSE to. Please note the numbers listed in the Access Protection section of the window--that is where I am finding the discrepancies.


      [Screenshot: OAS Stats - Client.jpg]

      Below is what I see in the ePO console System Information screen for the same device. The query I have in place for this widget is "Threat Event Descriptions in the Last 24 Hours" and it lists all events by Event Generated time within the last day, breaking it out by the Number of Threat Events per Event Description. In the screenshot below, the first category (Blue, 930 events) is "Access Protection rule violation detected and NOT blocked", the second (Red, 315 events) is "Port blocking rule violation detected and NOT blocked" and the last category (Green, 16 events) is "Access Protection rule violation detected and blocked". As you can see, the numbers aren't even close. I even switched the query below to 2 days, to account for the fact that both screenshots weren't taken at the exact same time, and they still don't even come close. The client stat window is showing a far higher number of blocks, and this is alarming.

      [Screenshot: AP Stats - ePO.JPG]

      The only thing I can think of is that the client stat window doesn't separate into "Block" and "Would Block", so it is including all under one category, but this isn't logical. I have tried numerous other queries in place of the one I have in the widget, both canned and custom, thinking that perhaps something was wrong with the query, but all of them come up with similar results. I have tried pretty much every Event-based query I could find. Basically, what I am seeing is 16 blocks in the ePO console, yet over 1300 on the device. If anyone can provide any further information, I would greatly appreciate it.