7 Replies Latest reply on Dec 18, 2014 11:37 AM by RemRem29

    7653 DAT - Scanning Powershell.exe

    cdobol

      Hello All - We had an issue in our VDI environment with MOVE AV Scanning...   We started to get a large number of timeouts with C:\Windows\System32\windowspowershell\v1.0\powershell.exe starting when we updated to the 7653 DAT.   This additional scanning brought our VDI environment to a crawl.   Adding exclusions for powershell.exe appears to have helped.


      Did anyone notice different with scanning behavior for powershell.exe with 7653?  I opened a SR with McAfee, but nothing was disclosed to me.

        • 1. Re: 7653 DAT - Scanning Powershell.exe
          Peter M

          Moved this to MOVE Antivirus for faster response - Moderator

          • 2. Re: 7653 DAT - Scanning Powershell.exe
            RemRem29

            Hi - Can add that we have several customers reporting the same issue. After DAT 7653 we are seeing a lot of Event ID 34440 "scan Cancelled" on Powershell.exe. Have opened a case with McAfee and are awaiting their feedback.

            • 3. Re: 7653 DAT - Scanning Powershell.exe
              cdobol

              Hello - We had the exact same thing here and I am waiting for further details from McAfee.   To band-aid this issue we put in an exclusion of **\powershell.exe which seems to have helped.  Without that exclusion our entire VDI infrastructure came to a crawl.  I assume there was something new in the DAT that for whatever reason MOVE or VSEL couldn't handle.  I was able to reproduce the issue with debug on and all powershell.exe scan requests timed out after a few minutes.  When you have enough queued powershell.exe requests it causes the SVA to spike at 100% CPU and then slows down everything.


              17634: 2014-12-16 13:51:26,257 INFO [2bbe2700] MOVE - Scan Timed Out filename: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              34304: 2014-12-16 13:53:16,174 INFO [eba8700] MOVE - Scan Timed Out filename: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              35416: 2014-12-16 13:53:45,499 INFO [8b9c700] MOVE - Scan Timed Out filename: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              57573: 2014-12-16 13:54:39,105 INFO [cc323700] MOVE - Scan Timed Out filename: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              61103: 2014-12-16 13:55:11,154 INFO [17bba700] MOVE - Scan Timed Out filename: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              61663: 2014-12-16 13:55:26,676 INFO [133b1700] MOVE - Scan Timed Out filename: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              63305: 2014-12-16 13:55:53,943 INFO [ccb24700] MOVE - Scan Timed Out filename: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              70381: 2014-12-16 13:56:21,553 INFO [123af700] MOVE - Scan Timed Out filename: C:\Windows\System32\WINDOWSPOWERSHELL\v1.0\POWERSHELL.EXE VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              73668: 2014-12-16 13:57:11,502 INFO [da33f700] MOVE - Scan Timed Out filename: C:\Windows\System32\WINDOWSPOWERSHELL\v1.0\POWERSHELL.EXE VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              84688: 2014-12-16 13:58:10,825 INFO [eb361700] MOVE - Scan Timed Out filename: C:\Windows\System32\WINDOWSPOWERSHELL\v1.0\POWERSHELL.EXE VMID: 423f55f3-facb-defb-d59e-4872e6cdfe7c

              • 4. Re: 7653 DAT - Scanning Powershell.exe
                Troja

                I see the same behavior with mcshield on a system with VSE 8.8 installed.


                Log Name:  Application
                Source:    McLogEvent
                Date:      17.12.2014 16:02:18
                Event ID:  257

                Task Category: None

                Level:     Information
                Keywords:  Classic
                User:      SYSTEM
                Computer:  server.mydomain.local


                Description:

                The scan of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe has taken too long to complete and is being canceled.  Scan engine version used is 5700.7163 DAT version 7654.0000.
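Added example (not code from the thread, from McAfee, or from any MOVE/VSE tool): a small Python script that parses both log formats quoted above, the SVA "Scan Timed Out" lines from reply 3 and the McLogEvent 257 description from reply 4, into common records and tallies timeouts by binary, host and DAT. The aim is to confirm that a single binary accounts for nearly all timeouts after a DAT update and to list the exact paths it was seen under, so that any exclusion can be scoped to those paths rather than a `**\` wildcard. Both line formats are assumptions modelled on the excerpts in the thread; the sample lines, VMIDs and hostname are constructed.

```python
import ntpath
import re
from collections import Counter
from datetime import datetime

# Assumption: line format modelled on the MOVE SVA log excerpt quoted in reply 3.
SVA_TIMEOUT_RE = re.compile(
    r"^(?:\d+:\s*)?"                                    # optional "17634:" line-number prefix
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+"
    r"INFO\s+\[[0-9a-f]+\]\s+MOVE - Scan Timed Out filename:\s+"
    r"(?P<path>.+?)\s+VMID:\s+(?P<vmid>[0-9a-f-]+)\s*$"
)

# Assumption: description text modelled on the McLogEvent 257 entry quoted in reply 4.
EVENT257_RE = re.compile(
    r"The scan of (?P<path>.+?) has taken too long to complete and is being canceled\.\s+"
    r"Scan engine version used is (?P<engine>[\d.]+) DAT version (?P<dat>[\d.]+)\."
)


def parse_sva_log(text):
    """Return one record per 'Scan Timed Out' line; every other line is ignored."""
    events = []
    for line in text.splitlines():
        m = SVA_TIMEOUT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "path": m.group("path").lower(),   # the log mixes cases for the same binary
            "host": m.group("vmid"),
            "dat": None,                       # SVA lines do not carry the DAT version
        })
    return events


def parse_event257(description, ts, computer):
    """Turn one McLogEvent 257 description (plus its event time and Computer) into a record."""
    m = EVENT257_RE.search(description)
    if not m:
        return None
    return {"ts": ts, "path": m.group("path").lower(), "host": computer, "dat": m.group("dat")}


def summarize(events):
    """Counts by exact path, by binary name, by host/VM and by DAT, plus the time span covered."""
    by_path = Counter(e["path"] for e in events)
    by_basename = Counter(ntpath.basename(e["path"]) for e in events)
    by_host = Counter(e["host"] for e in events)
    by_dat = Counter(e["dat"] for e in events if e["dat"])
    span = 0.0
    if events:
        stamps = [e["ts"] for e in events]
        span = (max(stamps) - min(stamps)).total_seconds()
    return {"total": len(events), "by_path": by_path, "by_basename": by_basename,
            "by_host": by_host, "by_dat": by_dat, "span_seconds": span}


def dominant_binary(events, threshold=0.8):
    """Binary name responsible for at least `threshold` of all timeouts, else None."""
    if not events:
        return None
    name, n = summarize(events)["by_basename"].most_common(1)[0]
    return name if n / len(events) >= threshold else None


def exclusion_paths(events, basename):
    """Exact paths a binary was seen under: the narrow list to exclude instead of a '**' wildcard."""
    return sorted({e["path"] for e in events if ntpath.basename(e["path"]) == basename})


# Constructed sample input in the SVA log format (VMIDs are placeholders, not real).
SAMPLE_SVA_LOG = r"""
17634: 2014-12-16 13:51:26,257 INFO [2bbe2700] MOVE - Scan Timed Out filename: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VMID: 00000000-0000-0000-0000-00000000aaaa
17640: 2014-12-16 13:51:30,001 INFO [2bbe2700] MOVE - Scan Completed filename: C:\Windows\System32\notepad.exe VMID: 00000000-0000-0000-0000-00000000aaaa
35416: 2014-12-16 13:53:45,499 INFO [8b9c700] MOVE - Scan Timed Out filename: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe VMID: 00000000-0000-0000-0000-00000000aaaa
70381: 2014-12-16 13:56:21,553 INFO [123af700] MOVE - Scan Timed Out filename: C:\Windows\System32\WINDOWSPOWERSHELL\v1.0\POWERSHELL.EXE VMID: 00000000-0000-0000-0000-00000000bbbb
73668: 2014-12-16 13:57:11,502 INFO [da33f700] MOVE - Scan Timed Out filename: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe VMID: 00000000-0000-0000-0000-00000000bbbb
84688: 2014-12-16 13:58:10,825 INFO [eb361700] MOVE - Scan Timed Out filename: C:\Windows\System32\dllhost.exe VMID: 00000000-0000-0000-0000-00000000cccc
"""

# Constructed sample McLogEvent 257 description (hostname is a placeholder).
SAMPLE_EVENT257 = ("The scan of C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe has taken too "
                   "long to complete and is being canceled.  Scan engine version used is 5700.7163 "
                   "DAT version 7654.0000.")


def all_events():
    """Combine both sources into one list of records."""
    events = parse_sva_log(SAMPLE_SVA_LOG)
    evt = parse_event257(SAMPLE_EVENT257, datetime(2014, 12, 17, 16, 2, 18), "server.example.local")
    if evt:
        events.append(evt)
    return events


if __name__ == "__main__":
    ev = all_events()
    s = summarize(ev)
    print("timeouts:", s["total"], "by binary:", dict(s["by_basename"]), "by DAT:", dict(s["by_dat"]))
    top = dominant_binary(ev)
    if top:
        print("dominant binary:", top, "-> candidate exact-path exclusions:", exclusion_paths(ev, top))
```

Run it against the real `mvagtlog`/SVA log text and a `Get-WinEvent` export of McLogEvent 257 descriptions in place of the constructed samples; `dominant_binary` answers whether one binary explains the spike, and `exclusion_paths` gives the exact paths to exclude, which is a tighter control than `**\powershell.exe` and easier to remove once a fixed DAT arrives.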

                • 5. Re: 7653 DAT - Scanning Powershell.exe
                  neilb82

                  All,


                  McAfee has an extra DAT to solve this issue only for agentless deployments.


                  They suggest excluding powershell.exe as an alternative.


                  Thanks,

                  • 6. Re: 7653 DAT - Scanning Powershell.exe
                    gjunges

                    Hi Everyone, I saw the same behavior with powershell and with C:\Windows\System32\dllhost.exe on Windows 2012. I will open a ticket with Platinum to ask for an answer.

                    • 7. Re: 7653 DAT - Scanning Powershell.exe
                      RemRem29

                      FYI - Have been informed by McAfee that the DAT release (7656) that would come later today should include a fix for this issue. So cross fingers :-)