5 Replies Latest reply on Apr 8, 2015 3:40 PM by Scott Sadlocha

    Any Way to See Access Protection Events With MOVE AV

    Scott Sadlocha

      Hello Everyone,

      I have a question with regard to MOVE AV, related to block type events. We are using MOVE Multi-Platform 3.5, and I recently deployed it to about 350 servers. Most of these servers previously had VSE 8.8 on them, which I removed prior to installing the MOVE client. My questions mainly center on those types of block events I would previously see when using VSE, specifically those related to Access Protection rules.

      Occasionally, I would get a call from server guys stating that something they were trying to do (patch, install, task, etc.) was getting blocked. I would then look at System Information for the device and investigate under Threat Events, where I would, in many cases, find blocks. I would then create exclusions if needed, force a policy update, and have the server admin test.

      With MOVE, I don't see these types of blocks at all. I have had a few instances of Server Admins telling me something is being blocked, and I then check Threat Events and find nothing indicating a block. I have checked on the device itself, as well as the Threat Events for the Offload Scan Server assigned to the device, and the SVA Manager in use for all of them. I even ran a query of "Today's Detections per Product" and found nothing.

      So my questions relate to AP type blocks in MOVE. Do these even happen? Does the AV scanning happen differently? I expected these types of blocks still, since the OSS servers are still using VSE, but I see nothing. Is it just files transferring over to the OSS, and none of the process or task type blocks that are in client VSE? Any information would be appreciated.