2 Replies Latest reply on Apr 9, 2015 7:14 AM by nov1ce

    Lots of Scan Timed Out events

    nov1ce

      Hello,

       

      MOVE AV Client 3.5.1.117 and McAfee Agent 5.0.0.2620. I see quite a lot of "Scan Timed Out" events on multiple servers (2012 and 2012 R2). Here are some files that cause timeouts:

       

      C:\Windows\Installer\ffa90.msp

      C:\Windows\Installer\f488f3b.msp

      C:\Windows\Installer\f488f0f.msp

       

      C:\Windows\Installer\ffb48.msi

      C:\Windows\Installer\ffaf3.msi

       

      C:\9e0f8fea913f8e21ed2bb7308b851a\1033_enu_lp\x64\setup\sppowerpivot.msi

       

      They all seem to be legit and related to Windows Updates. Is it OK to exclude C:\Windows\Installer\*.msp and C:\Windows\Installer\*.msi from scanning? I'm not sure how to deal with the last one though since the directory name is random.

       

      Thanks.

        • 1. Re: Lots of Scan Timed Out events
          Paul_N

          Hi Nov1ce,

           

          We've encountered a lot of similar issues in our environment with MOVE Agentless in our VMware Horizon View environment.

           

          Even really odd scans of VMware Tools, VMware Horizon View Agent, PCoIP Logs etc. (this was certainly the case with MOVE 2.6; I don't dare remove the exclusions on the migrated 3.5 policy we are running now!) that the product really should be aware of out of the box.

           

          Essentially the question you need to ask yourself is "is it causing a problem?"

           

          I've seen several occasions where a scan time-out has indeed caused programs to not function correctly and implementing a scanning exemption has solved the problem.

           

          C:\Windows\Installer is a cache location (used for future repairs and during the initial installation of any MSI file) and therefore should be ok to implement an exemption on that path (that is on the assumption that MOVE removes any malicious MSI installers initially when downloaded before they are executed).

           

          Regarding the last one - again, if this is causing an issue (and the specific file sppowerpivot.msi is having an issue installing), you can use a single file exemption these days (just put an exemption in for sppowerpivot.msi) or if part of the path is consistent, use a wildcard character for the part of the path which isn't.

           

          e.g. C:\*\x64\setup\

           

          In summary, the initial setup of MOVE for a given environment can be a bit of a "whack-a-mole" affair to initially tune the scanning policies; however, you will eventually come to a point where the scanning timeouts will rarely feature in the logs and the few events which remain will be for random files (e.g. a cached Internet Explorer file) for which you could never make a reliable exemption.

           

          Hope that helps!

           


          • 2. Re: Lots of Scan Timed Out events
            nov1ce

            Hi Paul,

             

            Thank you for your reply!

            Paul_N wrote:

             

            Essentially the question you need to ask yourself is "is it causing a problem?"

             

             

            That's a good question. I think it's not causing any issues apart from polluting the logs and unnecessarily consuming resources. At least in the ePO it says Action Taken: allowed access.

             

            However, in our case all virtual servers are managed with SCCM. It took me some time to make SCCM and MOVE clients become friends, but I've seen a case when the service pack for MSSQL failed to install. Could be a coincidence though (it was pushed by the SCCM client) -- the following file was scanned by MOVE client and timed out:

             

            C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\KB2979597\ServicePack\x64\setup\sql_tools.msp

             

            After I added an exception for C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\* it fixed the problem.
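
To see how much a proposed exclusion covers before deploying it, the sketch below (an added example, not part of the original thread and not McAfee code) tests the exclusion patterns mentioned in the posts above against the timed-out paths from the thread and against two constructed paths that should stay scanned. The wildcard semantics are an assumption (case-insensitive, `*` spans backslashes, a trailing `\` covers the whole folder); confirm MOVE's actual matching rules in the product documentation.

```python
import re

# Assumed semantics (not taken from MOVE documentation): matching is
# case-insensitive, '*' matches any run of characters including '\',
# and a pattern ending in '\' covers everything beneath that folder.
def exclusion_to_regex(pattern):
    if pattern.endswith("\\"):
        pattern += "*"
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def evaluate(patterns, timed_out, must_scan):
    """Per pattern: (timed-out paths covered, must-scan paths also excluded)."""
    report = {}
    for pat in patterns:
        rx = exclusion_to_regex(pat)
        covered = [p for p in timed_out if rx.match(p)]
        collateral = [p for p in must_scan if rx.match(p)]
        report[pat] = (covered, collateral)
    return report

# Paths reported in the thread's "Scan Timed Out" events.
TIMED_OUT = [
    r"C:\Windows\Installer\ffa90.msp",
    r"C:\Windows\Installer\ffb48.msi",
    r"C:\9e0f8fea913f8e21ed2bb7308b851a\1033_enu_lp\x64\setup\sppowerpivot.msi",
    r"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache"
    r"\KB2979597\ServicePack\x64\setup\sql_tools.msp",
]
# Constructed paths (not from the thread) that should remain scanned.
MUST_SCAN = [
    r"C:\Users\Public\Downloads\x64\setup\tool.exe",
    r"C:\Windows\Installer\helper.exe",
]
# Exclusions proposed in the thread.
PATTERNS = [
    r"C:\Windows\Installer\*.msp",
    r"C:\Windows\Installer\*.msi",
    "C:\\*\\x64\\setup\\",
    r"C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Update Cache\*",
]

if __name__ == "__main__":
    for pat, (covered, collateral) in evaluate(PATTERNS, TIMED_OUT, MUST_SCAN).items():
        print(f"{pat}\n  covers {len(covered)} timed-out path(s), "
              f"also excludes {len(collateral)} must-scan path(s)")
        for p in collateral:
            print(f"    ! {p}")
```

Under these assumed semantics the `C:\*\x64\setup\` pattern also excludes the constructed `C:\Users\Public\Downloads\x64\setup\tool.exe`, while the narrower Update Cache exclusion covers only the SQL Server path.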