13 Replies. Latest reply on Feb 4, 2015 4:14 PM by rmetzger

    McAfee VirusScan Enterprise 8.8 Inadequate?

    billy735

      My ISP has a 250GB per month limit, after which additional charges apply.  My normal usage, until a few weeks ago, had been about 10 to 30GB per month.  I had been using SEP 12.1 for protection with good results for a long time.

       

      My employer gives employees a choice of SEP 12.1.5 or McAfee VirusScan Enterprise 8.8 for home use under the company contract.  The company had decided to save some money and go with McAfee as of later this year.  Because of that, I uninstalled the SEP and installed the McAfee product.  It installed with no problem and seemed to be working well.  I never noticed any sort of erratic behavior such as my mouse moving on its own or anything like that.  None of my passwords have been changed and I haven't noticed any unauthorized access to any of my accounts or email.  I did notice that my web browsing seemed to get increasingly slower day by day.

       

      A few days later I got a notification from my ISP that I was approaching the 250GB limit.  I started checking my daily usage and it was registering 25 to 60 GB PER DAY.  I started troubleshooting my network and eliminated that as a source of the problem.  When I disconnected my router and plugged my computer directly into the modem, the usage INCREASED significantly and my browser slowed to a crawl.  I ran full McAfee scans as well as Malwarebyte scans and nothing turned up.

       

      On a hunch, I uninstalled McAfee and reinstalled SEP.  Problem resolved.  Usage back down to about 1GB per day.  I ran a full scan and SEP did not detect anything amiss.  I notice that multiple times during the day, a message pops up showing where SEP has blocked svchost.exe.  Other than that, I am at a loss as to what was going on when I had the McAfee product installed.

       

      My computer is new and is running Win 7, 64 bit.  I have never installed any kind of p2p program on this computer.  In guessing at the problem, the only thing I can figure is that there is a rogue p2p program on my computer that SEP is blocking but McAfee allowed to function.  However, if there is, I can't seem to find it.

       

      Maybe there is a setting in McAfee that I could have turned on that would have prevented the problem?  I don't know.

       

      I will worry that my computer has been compromised until I figure out what was going on.  Can anybody help?

       

      Also, I will need to switch to the McAfee product at some point prior to September (or purchase my own personal virus protection for home use).  Are there settings in McAfee that would have prevented the problems I had?  I'm reasonably certain that I had used the default settings for most everything when I installed McAfee.

        • 1. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
          Peter M

          Moved from Consumer to Business > VSE for better support.

          ---

          Peter

          Volunteer Moderator

          • 3. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
            Peter M

            You're welcome, good luck ;-)

            • 4. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
              creese36

              I'm curious to know also what's going on.

              • 5. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
                rmetzger

                Hi Billy735,

                billy735 wrote:

                 

                My employer gives employees a choice of SEP 12.1.5 or McAfee VirusScan Enterprise 8.8 for home use under the company contract.  The company had decided to save some money and go with McAfee as of later this year.  Because of that, I uninstalled the SEP and installed the McAfee product.  It installed with no problem and seemed to be working well.  I never noticed any sort of erratic behavior such as my mouse moving on its own or anything like that.  None of my passwords have been changed and I haven't noticed any unauthorized access to any of my accounts or email.  I did notice that my web browsing seemed to get increasingly slower day by day.

                 

                My computer is new and is running Win 7, 64 bit.  I have never installed any kind of p2p program on this computer.  In guessing at the problem, the only thing I can figure is that there is a rogue p2p program on my computer that SEP is blocking but McAfee allowed to function.  However, if there is, I can't seem to find it.

                 

                Also, I will need to switch to the McAfee product at some point prior to September (or purchase my own personal virus protection for home use).  Are there settings in McAfee that would have prevented the problems I had?  I'm reasonably certain that I had used the default settings for most everything when I installed McAfee.

                I'm not sure of your (company's) license agreement or how your company is distributing VSE v8.8 to you, but the base install coming from your I.T. department is responsible for maintaining and supporting you. That is the usual license agreement. (Your mileage may vary.) If your IT department distributed a base configuration, they will know what Default Settings are configured and suggested or required for your installation. Your IT department is the official support channel and should be your primary contact for approval before proceeding.

                 

                Given that the system is so new, I am not immediately expecting an infection or p2p software as a problem. (Scan it with whatever tools just for safety's sake.) More likely are OEM installed tools that can interfere with other tools.

                 

                I have been down this path for some of my customers in the past. SEP doesn't cleanly uninstall every time. It sometimes leaves drivers behind that interfere with subsequently installed AV software, including VSE. I found that I did not notice the problem until the new AV software (including VSE) started to misbehave. The trick is to uninstall VSE, then run the special tool that uninstalls SEP (Norton_Removal_Tool: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe). This will clean out many Symantec products, so use with caution. Docs on this utility can be found here: https://support.norton.com/sp/en/us/home/current/solutions/kb20080416102657EN_EndUserProfile_en_us?abproduct=home&abversion=1&entsrc=redirect_pubweb&pvid=f-home.

                 

                After a reboot, check that Symantec drivers have been properly removed:

                From an Administrative Console (Windows Vista+, Start > Search, enter CMD Ctrl-Shift-Enter, and grant any UAC requests)

                    > devmgmt.msc

                        > View > Show Hidden Devices

                            > Non-Plug and Play Drivers

                Now search for devices under Non-Plug and Play drivers that are related to Symantec. Usually they are named Sym?????. Check the 'Properties' of these devices and be sure that they are Symantec drivers and not from some other source. When 100% sure, you can uninstall these drivers. If you have multiple drivers to be uninstalled, you can avoid the intermediate reboot between each driver. (While you're at it, look for other AV drivers that can be interfering as well. I found many systems that still have Trend Micro drivers running even though it was 'Uninstalled' years ago.)

                 

                Once the 'Uninstall(s)' and cleanup tools/processes have completed, reboot the system. Then a clean install of VSE is more likely to succeed.

                 

                If all is 'well,' check that a manual update works to see if this process is working correctly. (During the install, the install process may ask you to update and scan. In your case, I would decline this at this moment and run these processes manually, later, so that you can see what is going on.) If the update goes smoothly, follow up with a full scan.

                 

                Once these processes are running smoothly, check whether you are still getting the unnecessary communications.

                 

                Hopefully this is helpful. Let us know how it's going.

                Ron Metzger
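
A scripted version of the driver check described in the post above, as an added example that is not part of the original thread: it lists registered kernel drivers whose service name matches Sym* or whose file is published by Symantec or Trend Micro, so the publisher can be confirmed before anything is uninstalled. The name and vendor patterns are assumptions based on the names mentioned in the post; Get-WmiObject is used so the script runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread). Read-only: it lists drivers, it removes nothing.
# Run from an elevated PowerShell prompt after the uninstall and reboot.

$namePattern   = 'Sym*'                    # assumption: name pattern mentioned in the post
$vendorPattern = 'Symantec|Trend Micro'    # assumption: vendors mentioned in the post

Get-WmiObject -Class Win32_SystemDriver | ForEach-Object {
    # Normalise the driver path: strip the NT "\??\" prefix and expand "\SystemRoot".
    $path = $_.PathName
    if ($path) {
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
    }

    # Read the publisher from the driver file itself rather than trusting the name.
    $company = $null
    $fileFound = $false
    if ($path -and (Test-Path -LiteralPath $path)) {
        $fileFound = $true
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    }

    $nameHit   = $_.Name -like $namePattern
    $vendorHit = $company -match $vendorPattern

    if ($nameHit -or $vendorHit) {
        New-Object PSObject -Property @{
            Name        = $_.Name
            DisplayName = $_.DisplayName
            State       = $_.State        # Running / Stopped
            StartMode   = $_.StartMode    # Boot / System / Auto / Manual / Disabled
            Company     = $company
            FileFound   = $fileFound      # False = registry entry left behind, file gone
            NameOnly    = ($nameHit -and -not $vendorHit)  # True = name matches, publisher does not
            Path        = $path
        }
    }
} | Select-Object Name, DisplayName, State, StartMode, Company, FileFound, NameOnly, Path |
    Format-List
```

A row with NameOnly set to True is a driver that merely looks like a Symantec one by name; check its properties in Device Manager before touching it.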

                • 6. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
                  creese36

                  Thanks Ron, this is good information to know. Cornell

                  • 7. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
                    rmetzger

                    Hi Billy735,

                     

                    Any progress? Any issues or questions?

                     

                    Let us know if we can help further.

                    Ron Metzger

                    • 8. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
                      ansarias

                      Hello,

                       

                      Could you please share more details on the P2P program and its behavior so I can tell where to block it in McAfee?

                       

                      Second thing with McAfee Antivirus software: There is a function called Artemis detection under On Access Scanner properties, enabled by default, which may be the cause of the higher network usage.

                       

                      Artemis : Global Threat Intelligence Technology

                      What is McAfee Global Threat Intelligence?

                      Global Threat Intelligence (GTI) is a cloud-based threat intelligence service that works with selected McAfee products. Upon detecting a potential threat, McAfee GTI-enabled products query the GTI cloud, the cloud renders a response in the form of a reputation score or categorization information, and the product takes policy-based action in your environment.

                       

                       

                      When VSE detects a suspicious file it sends a DNS request containing a fingerprint of the suspicious file to a central database server hosted by McAfee Avert Labs. In less than a second, if the fingerprint is identified as known malware, an appropriate response is sent to the user to block or quarantine the file.

                      • 9. Re: McAfee VirusScan Enterprise 8.8 Inadequate?
                        rmetzger

                        ansarias wrote:

                         

                        Could you please share more details on the P2P program and its behavior so I can tell where to block it in McAfee?

                        Hi Ansarias,

                        billy735 wrote:

                        My computer is new and is running Win 7, 64 bit. I have never installed any kind of p2p program on this computer.  In guessing at the problem, the only thing I can figure is that there is a rogue p2p program on my computer that SEP is blocking but McAfee allowed to function. However, if there is, I can't seem to find it.

                        Since this is a 'Guess' I would not expect a p2p program exists on a 'New' system. I could be wrong, but I would find that really suspect as an OEM supplied package.

                        ansarias wrote:

                         

                        Second thing with McAfee Antivirus software: There is a function called Artemis detection under On Access Scanner properties, enabled by default, which may be the cause of the higher network usage.

                         

                        When VSE detects a suspicious file it sends a DNS request containing a fingerprint of the suspicious file to a central database server hosted by McAfee Avert Labs. In less than a second, if the fingerprint is identified as known malware, an appropriate response is sent to the user to block or quarantine the file.

                        DNS requests are extremely small, even containing the fingerprint. It would take tens or hundreds of millions of these failed requests to generate the 250 GB (Download?) limits, or even the 25-60 GB/day that Billy735 seems to be experiencing.

                         

                        My suspicion is this:

                        1) VSE is attempting to update and may be failing, repeating its process continuously. Each update may use 80 MB or more. That is just a guess without further info.

                        2) VSE has a mini-firewall which may be in conflict with other OEM supplied software/drivers. This could be causing the failed updates (again, just a guess).

                         

                        By getting to a known clean VSE install, we could analyze further if the problem still exists. A network trace of the data flow would be useful.

                         

                        That SEP does not contain the same mini-firewall would mean that SEP simply does not experience the same interference.

                         

                        billy735, can you confirm whether VSE has updated successfully?

                        Can you confirm whether any other errors are occurring, maybe in the Event Viewer?

                        Is any other AV/anti-malware or Firewall package installed on the system? (Perhaps a VPN software package?)

                        What are the default network settings that are in place, including any Proxy settings?

                         

                        Billy735, can you let us know if this is helpful or not?

                        Ron Metzger
