12 Replies. Latest reply on Nov 17, 2014 4:07 AM by briangrimshaw

    GTI cloud problem?

    briangrimshaw

      Hello, we use VirusScan Enterprise on our laptops used for PLC programming, and often have a network without internet access. In this situation, the laptop runs very slowly and it looks like VirusScan Enterprise is trying to contact its server to check that files are safe. It looks like the request goes to the network, times out and then access is allowed to the file. It repeats this process for every file. To give you an idea of what slow is, copying a PLC project goes from 2 minutes with internet access to more than an hour without. Is there anything we can do about this?

       

      Thanks,

      Brian

        • 1. Re: GTI cloud problem?
          Peacekeeper

          Best to move this to the enterprise forum you have more chance of an answer there.

          • 2. Re: GTI cloud problem?
            dmease729

            Sounds like Artemis/File Rep is being a little bit sensitive - what is the sensitivity level set to (on-access general policy)?  It may be worth submitting a few samples to McAfee in order to try and determine what is making VSE believe these files are suspicious.

             

            +agreed on moving this to the Enterprise forum :-)

            • 3. Re: GTI cloud problem?
              briangrimshaw

              Thanks for moving this and for the replies.

               

              Unfortunately, our IT department sets all the policies and we don't get access. I am just a user.

              I have talked to them about this problem and they are not interested. Most of the PCs in our company are desktops with a permanent network connection, so most people don't have an issue. There are about 10 of us who are affected and it is driving us crazy.

               

              The reason that the files are suspicious is because they are DLL files that we wrote for the PLC system (not PC based), so I can understand it getting confused.

               

              Brian

              • 4. Re: GTI cloud problem?
                dmease729

                I would suggest that "they are not interested" is the first problem that needs to be resolved, as I would assume they own the support relationship with McAfee...

                If I were in your position, I would provide a summary of the business impact of this issue (delays being a key one here), and escalate to management.  This is then a management decision (keep the delays, which essentially costs money, or get the IT department to do what should be their job*)

                 

                *Obviously I am not aware of the BU structure, support offerings, politics etc etc - there may be a genuine reason that the IT department cannot/will not help - either way, there is an issue, which you have tried to resolve through known paths without success - escalate.

                 

                UPDATE: a quick alternative is to ask them to exclude these DLLs from OA scanning (are they contained in certain paths?  Will it be a low-risk process accessing these files?)

                • 5. Re: GTI cloud problem?
                  briangrimshaw

                  I agree dmease729, and have tried that up to the highest level (CEO) and we still have the problem.

                   

                  I have done some tests and have found that if I don't have a network at all, all is well - this at least gives us a workaround, but is far from ideal.

                  It seems that if a network connection exists, McAfee assumes its servers must be accessible - for every file!

                   

                  I don't seem to be able to exclude folders from the scan, so that's out, but I could ask if IT are prepared to do that.

                   

                  Thanks,

                  Brian

                  • 6. Re: GTI cloud problem?
                    rmetzger

                    Hi Brian,

                    briangrimshaw wrote:

                     

                    Unfortunately, our IT department sets all the policies and we don't get access. I am just a user.

                    What 'level' of access do you have? Are you able to make temporary changes to VSE? (Yes, they may get reset in 3 to 5 minutes, but that may be enough to make a test.)

                     

                    Are you able to install any software: particularly McAfee Profiler? (see McAfee KnowledgeBase - FAQs for McAfee Profiler  hxxps://kb.mcafee.com/corporate/index?page=content&id=KB69683)

                    briangrimshaw wrote:

                     

                    It seems that if a network connection exists, McAfee assumes its servers must be accessible - for every file!

                    If GTI/Artemis is involved, can you turn it off temporarily to isolate GTI involvement? Run the test. GTI needs to read the entire file, from which it calculates a Hash of the file. Upon suspicious behavior, the hash is sent to the GTI servers via the DNS protocol. If your site has DNS proxy / Gateway servers, they may be interfering with this communication. McAfee does have a GTI Proxy server process that your IT department may want to think about.

                     

                    Also, are your settings including the Scanning of the Network? If you can temporarily turn that off, it may indicate the problem, or not.

                     

                    You didn't say which direction you were Copying the files: To the Server or From the Server? If you are compiling the .dll files and then copying them to the Server, the problem could be At the Server not your workstation. OR, are you copying files entirely within Your workstation (even with the network connection)?

                     

                    Again, Profiler may help indicate the issue. If you can run Profiler (stand alone) and post a log, we may be able to better analyze what is happening. With that info, you may be able to better negotiate with your IT Department armed with Facts. That may be enough to get the CEO to push a bit to make IT work For you.

                     

                    As a Network/Security Administrator, I often have users who claim VSE is the cause of one thing or another. Rarely does this prove (scientifically) true. With facts, testing, etc. I make changes, but not on hearsay alone.

                     

                    Post a Profiler Log, or at least a review of the info and any other tests you can run, so we can help more. Facts are your friend.

                     

                    Ron Metzger

                    • 7. Re: GTI cloud problem?
                      briangrimshaw

                      Hello Ron,

                       

                      Thank you for your reply.

                       

                      What 'level' of access do you have? Local administrator

                       

                      Are you able to make temporary changes to VSE? No

                       

                      Are you able to install any software: particularly McAfee Profiler? Yes. I have run Profiler and it shows that the results with and without internet access are the same. What it doesn't show is the difference in time it takes.

                       

                      can you turn it off temporarily to isolate GTI involvement? I don't think so, but can't find the process in task manager. Do you know what it is called?

                       

                      If your site has DNS proxy / Gateway servers... The problem occurs when we just have a peer to peer network with no servers, DNS, proxies etc. just a couple of PCs and some PLCs. On the normal office network, we have a proxy server for internet access and that works.

                       

                      Also, are your settings including the Scanning of the Network? No

                       

                      This is just copying files locally.

                       

                      This is what appears to happen when the network doesn't have internet access (or DNS, proxy etc.):

                      Try to access "suspicious" file

                      McShield.exe shows CPU time in task manager

                      There is a small ping like spike in network activity

                      10 seconds elapses

                      The "suspicious" file can be accessed

                       

                      This repeats for every "suspicious" file.

                       

                      Our projects have around a hundred DLLs like this, so 1000 seconds waiting every time we want to copy a project or archive it.

                      Worse than that is that the applications that use the DLLs hang and crash in that scenario.

                       

                      Thanks,

                      Brian

                      • 8. Re: GTI cloud problem?

                        Can you nslookup 4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com from one of the machines and report the result?

                         

                        I imagine that your network is not correctly handling the DNS queries your machines are making. If it does not reject immediately you'll experience the problem you are seeing.
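The lookup suggested in reply 8, as an added example that is not part of the thread: it sends one raw DNS A query for the GTI test name to a resolver you pass in and times the answer, so you can tell whether an isolated network fails the query fast (NXDOMAIN/REFUSED) or lets it hang, which is the per-file stall Brian describes. The resolver address, the 5 second timeout and the transaction id are my assumptions.

```python
import socket
import struct
import time

# Hostname quoted in reply 8 of the thread; it is what the GTI lookup test resolves.
GTI_TEST_NAME = "4z9p5tjmcbnblehp4557z1d136.avqs.mcafee.com"
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=0x1234):
    """Build a minimal recursive DNS A query, the same kind of lookup nslookup sends."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, 1 question
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(data, txid=0x1234):
    """Return the RCODE name of a raw DNS reply, or 'BAD-REPLY' if it is not an answer to us."""
    if len(data) < 12:
        return "BAD-REPLY"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid or not flags & 0x8000:  # id must match and QR bit must be set
        return "BAD-REPLY"
    return RCODE_NAMES.get(flags & 0x000F, "RCODE-%d" % (flags & 0x000F))


def verdict(outcome, elapsed):
    """Explain what the resolver behaviour means for GTI's per-file checks."""
    if outcome == "TIMEOUT":
        return "timeout after %.1fs: every GTI file check will stall this long" % elapsed
    if outcome in ("NXDOMAIN", "REFUSED", "SERVFAIL"):
        return "%s in %.2fs: resolver fails fast, GTI checks should not stall" % (outcome, elapsed)
    return "%s in %.2fs" % (outcome, elapsed)


def probe(resolver_ip, name=GTI_TEST_NAME, timeout=5.0, port=53):
    """Send one query to resolver_ip (assumed reachable) and return (outcome, elapsed_seconds)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name), (resolver_ip, port))
        data, _ = sock.recvfrom(512)
        return classify_response(data), time.monotonic() - start
    except socket.timeout:
        return "TIMEOUT", time.monotonic() - start
    except OSError as exc:  # e.g. ICMP port unreachable surfaces as ECONNREFUSED on some hosts
        return "UNREACHABLE(%s)" % exc.errno, time.monotonic() - start
    finally:
        sock.close()


if __name__ == "__main__":
    import sys
    print(verdict(*probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")))
```

Run it with the IP of the resolver the laptops actually use on the PLC network; a TIMEOUT verdict matches the symptom in the thread, while NXDOMAIN or REFUSED means DNS is not what is stalling the scans.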

                        • 9. Re: GTI cloud problem?
                          rmetzger

                          Hi Brian,

                          briangrimshaw wrote:

                           

                          What 'level' of access do you have? Local administrator

                           

                          Are you able to make temporary changes to VSE? No

                          So, IT has password protected the VSE Console?

                          If not, you may be able to make the changes needed.

                           

                          can you turn it off temporarily to isolate GTI involvement? I don't think so, but can't find the process in task manager. Do you know what it is called?

                           

                          If your site has DNS proxy / Gateway servers... The problem occurs when we just have a peer to peer network with no servers, DNS, proxies etc. just a couple of PCs and some PLCs. On the normal office network, we have a proxy server for internet access and that works.

                          OK, you won't see it in Task Manager. GTI / Artemis is a process within VSE. Change the settings within VSE.

                          If your peer to peer network is actually air-gapped to the Internet, GTI will never work (not without GTI Proxy at least). So, if this peer to peer network is truly isolated from the Internet, Disable GTI:

                           

                          VSE Console > Right-Click On-Access Scanner > Properties

                              Left side, General Settings > Top tab, General

                                  Heuristic network check for suspicious files > Sensitivity level

                                      Change to Disabled.

                           

                          By the way, how do you get VSE updates (signatures, etc.)? Sounds like these peer to peer networked systems are running VSE in Stand-alone mode and no ePO server. Correct?

                           

                          Safeboot is correct in trying to test DNS configuration.

                           

                          Here is a Knowledge Base Article which speaks to performance problems caused by lost communications to the Internet and GTI queries (KB75933):

                          McAfee KnowledgeBase - Performance issues when opening PDFs if clients have lost access to the Internet when GTI technol…

                          hxxps://kc.mcafee.com/corporate/index?page=content&id=KB75933&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=en_US

                          Though it talks about .PDFs it seems reasonably similar to your situation. I would try to disable Heuristics before making any changes to the DNSQueryTimeouts value. (Not sure what other issues that may create in your environment.)

                           

                          If you run into a password request trying to disable heuristics, talk to your IT people and explain that GTI is not useful to a system without Internet access.

                           

                          Hopefully this helps. Let us know if this works.

                          Ron Metzger
