13 Replies Latest reply on Jul 17, 2015 7:25 AM by rmetzger

    virusscan enterprise scan terminated when mcshield service enters stopped state

    george.perkins

      I am doing some long-running on demand scans of local and mapped drives. The mapped drives are located on a NAS device which does not have the benefit of a native antivirus solution, so no on-access scan possible. I need to do a continuous remote scan to pick up malware that leaks through the multiple layers of defense.

       

      The scans run for multiple hours and then terminate before completion. Coincidentally the McShield service stops at the same time.

       

      1. How to prevent the on demand scan from terminating?

      2. How to set up and run a resumable, continuous remote scan of mapped drives?

       

      Symptoms:

       

      VirusScan Enterprise 8.8 patch 4

      Windows Server 2008 R2

       

      From the OnDemandScanLog.txt:

      7/15/2015 6:49:57 AM  Engine version                          = 5700.7163

      7/15/2015 6:49:57 AM  AntiVirus   DAT version                 = 7861.0

      7/15/2015 6:49:57 AM  Number of detection signatures in EXTRA.DAT = None

      7/15/2015 6:49:57 AM  Names of detection signatures in EXTRA.DAT  = None

      7/15/2015 6:49:57 AM Scan Started DOMAIN\username XXXNAS01

      7/15/2015 4:56:26 PM Deleted  username ODS[788](XXXNAS01) t:\pathCryptoInfected20150414\path\HELP_DECRYPT.TXT\HELP_DECRYPT.TXT Ransom-FOO!htm (Trojan)

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Scan Summary

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Processes scanned    : 77

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Processes detected   : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Processes cleaned    : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Boot sectors scanned : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Boot sectors detected: 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Boot sectors cleaned : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Files scanned        : 367286

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Files with detections: 245

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username File detections      : 245

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Files cleaned        : 1

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Files deleted        : 244

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Files not scanned    : 23

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Scan Summary (Registry Scanning)

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Keys scanned         : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Keys detected        : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Keys cleaned         : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Keys deleted         : 0

      7/15/2015 5:17:22 PM Scan Summary DOMAIN\username Run time             : 10:27:26

      7/15/2015 5:17:22 PM Scan Terminated DOMAIN\username XXXNAS01

       

      From the Windows Server 2008 R2 System Log:

      Log Name:      System

      Source:        Service Control Manager

      Date:          7/15/2015 5:17:21 PM

      Event ID:      7036

      Task Category: None

      Level:         Information

      Keywords:      Classic

      User:          N/A

      Computer:      server01.domain.com

      Description:

      The McAfee McShield service entered the stopped state.

      Log Name:      System

      Source:        Service Control Manager

      Date:          7/15/2015 5:17:30 PM

      Event ID:      7036

      Task Category: None

      Level:         Information

      Keywords:      Classic

      User:          N/A

      Computer:      server01.domain.com

      Description:

      The McAfee McShield service entered the running state.

       

      Message was edited by: George Perkins (removed proprietary information)

        • 1. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
          mmcgary

          You are probably running a DAT update around that time, which restarts the mcshield service after downloading, which will terminate an on demand scan. I would suggest starting the scan after the DAT update or breaking up the long single scan into shorter multiple scans.

          • 2. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
            george.perkins

            Thanks. Confirming, yes the AutoUpdate is scheduled for everyday at 5:00pm and completed successfully at 5:17pm, which corresponds to the restart of the McShield service.

             

            I need regular updates of the malware signature, so really must do this. 24 hours is a minimum; better would be more frequent.

             

            The scan of mapped drives to a NAS (many TB of data) is going to take longer than 24 hours. In fact, if set up for unattended low-priority operation it would take several weeks potentially.

             

            So I need a method to resume the long-running scan. I could schedule the scan to start every day at 5:30pm and anticipate it will be terminated between 5:00pm-5:25pm the following day when the AutoUpdate completes. But when it is scheduled to start again the following 5:30pm, I want it to start where it left off.

             

            How to do this?

            • 3. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
              exbrit

              Discussion moved to VSE where it belongs.

              ---

              Peter

              Moderator

              • 4. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
                mmcgary

                Unfortunately there is no easy way to do that at this time. You can either set up daily scans for different directories on your NAS or I guess last resort would be to postpone DAT updates until scans are completed.

                 

                You may want to submit a Product Enhancement Request for an ODS to have the ability to resume after an update which is probably a good idea.

                McAfee KnowledgeBase - How to submit a Product Enhancement Request (PER)

                • 5. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
                  george.perkins

                  Sigh. Symantec has had a resumable scan feature for years.

                   

                  I have created the enhancement request, but that does not meet my immediate needs.

                   

                  The only solution I can imagine right now is to map drives with UNC paths several levels deep into the NAS shares. A laborious process and subject to breakage when folders grow in size, get renamed or deleted, or no longer are small enough to complete the scan in 23 hours. Then I would also need to change the drive map each day, start another scan, etc. I suppose this could be scripted; the script would need to evaluate the approximate size of the share, pick an arbitrary depth for mapping a drive, start the scan, wait 24 hours, evaluate the next share path, repeat, etc. I don't have time or authorization to do that kind of development effort.

                   

                  I'm just hoping, mmcgary, that you are missing something (??) and that there is really a way to do this! Should I open a support incident?
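Added example, not part of the original thread and not McAfee code: a sketch of the planning half of the script outlined in this post, which also covers the earlier suggestion to break one long scan into shorter ones. It only produces a list of scan targets per window and starts no scan. The function names, the use of a file count as the budget, and the idea that a scan target can be a folder without its subfolders are assumptions.

```python
import os
import sys

def scan_units(path, budget):
    """Return (file_count, units) for path.

    A unit is (target, include_subfolders, file_count). A folder that fits
    the budget is one recursive unit; a larger one is split into its own
    loose files (non-recursive) plus the units of its subfolders.
    """
    own, below, child_units = 0, 0, []
    with os.scandir(path) as entries:
        for entry in sorted(entries, key=lambda e: e.name):
            if entry.is_dir(follow_symlinks=False):
                count, units = scan_units(entry.path, budget)
                below += count
                child_units += units
            elif entry.is_file(follow_symlinks=False):
                own += 1
    total = own + below
    if total <= budget:
        return total, [(path, True, total)]
    return total, ([(path, False, own)] if own else []) + child_units

def plan_batches(root, budget):
    """Pack units, in tree order, into batches of at most `budget` files.

    A single unit larger than the budget still gets a batch of its own.
    """
    batches, current, used = [], [], 0
    for unit in scan_units(root, budget)[1]:
        if current and used + unit[2] > budget:
            batches.append(current)
            current, used = [], 0
        current.append(unit)
        used += unit[2]
    if current:
        batches.append(current)
    return batches

if __name__ == "__main__":
    # Usage: plan.py <root> <files-per-window>; both values are the operator's.
    for day, batch in enumerate(plan_batches(sys.argv[1], int(sys.argv[2])), 1):
        for target, recursive, count in batch:
            print(day, count, "recursive" if recursive else "folder only", target)
```

Because batches keep tree order, the only state needed to continue after an interrupted window is the index of the last batch that finished.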

                  • 6. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
                    mmcgary

                    George, give me a little bit to confirm the actual expected behavior of an ODS that is running during a DAT update. Believe it or not this does not come up very often and we don't have any documentation that I can find. I'll create a KB if I can confirm no documentation exists.

                    • 7. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
                      wwarren

                      The ODS always resumes from where it left off.

                      It does not resume from being terminated; when terminated it will not run again until the next appointed time to run based on its schedule.

                       

                      The ODS requires McShield. McShield is the scanner; the ODS is merely handing off file objects for McShield to scan.

                      If McShield dies, then so too will the ODS. This is avoidable but not in any easy fashion; for the ODS to load its own instance of the Engine + DATs, McShield must be stopped at the time the ODS runs. This would be a good PER, to give customers the option of having the ODS not be dependent on McShield (i.e. for it to load its own instance of the Engine + DATs). We opted to have ODS rely on McShield's instance of Engine + DATs in order to reduce memory usage.

                       

                      McShield should not be terminating when a DAT update occurs. It can, but if that happens it's because McShield was in a bad state and the DAT update detected it as such, so it restarts McShield to force it to reinitialize. The downside of that corrective behavior is that any ODS that was running will terminate.

                      • 8. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
                        george.perkins

                        wwarren, if I understand this correctly:

                        • The MANUAL ODS scan that is running when McShield service restarts will terminate and if subsequently MANUALLY started it will simply begin again at the beginning, retracing footsteps already taken.
                        • The SCHEDULED ODS scan that is running when McShield service restarts will terminate and when SCHEDULED again to start it will RESUME where it left off, continuing to scan the remaining paths not already previously scanned

                        Please confirm above.

                         

                        What happens to the SCHEDULED ODS scan when it eventually gets to the end of the file system that it has been entirely scanned? Will it start over from the beginning? Ideally that would be its behavior and I can simply schedule my ODS to scan all mapped drives and this will continue to run on and on without intervention, eventually (over a period of days or weeks) scanning the entirety of a many TB NAS device and continuously re-scanning over a similar duration forever, providing malware sanitation (not preventing infection in real time, but allowing for malware signature DAT publishing delays and providing a "safety net" for other broken layers of protection).

                         

                        P.S. I updated the enhancement request.

                        • 9. Re: virusscan enterprise scan terminated when mcshield service enters stopped state
                          george.perkins

                          P.S. Indeed, I looked and confirmed the McShield service does not restart for every DAT update. For whatever reason only on the last 3 days this did occur. Whether it is because I am running a long-running ODS, or just bad luck coincidence, I cannot say.
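Added example, not part of the original thread: one way to check, over many days of logs, which on-demand scan terminations coincide with a McShield stop. It parses the two log layouts quoted in the first post; the sample log text is constructed, and the function names and the 30-second matching window are assumptions.

```python
import re
from datetime import datetime, timedelta

TS = r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample input in the two layouts quoted in the first post.
ODS_LOG = r"""
7/14/2015 6:40:00 AM Scan Started DOMAIN\username XXXNAS01
7/14/2015 2:05:10 PM Scan Terminated DOMAIN\username XXXNAS01
7/15/2015 6:49:57 AM Scan Started DOMAIN\username XXXNAS01
7/15/2015 5:17:22 PM Scan Terminated DOMAIN\username XXXNAS01
"""
SYSTEM_LOG = """
Log Name:      System
Date:          7/15/2015 5:17:21 PM
Event ID:      7036
Description:
The McAfee McShield service entered the stopped state.
Log Name:      System
Date:          7/15/2015 5:17:30 PM
Event ID:      7036
Description:
The McAfee McShield service entered the running state.
"""

def ods_terminations(text):
    """Timestamps of 'Scan Terminated' lines in OnDemandScanLog.txt text."""
    pat = re.compile(r"^[ \t]*" + TS + r"\s+Scan Terminated\b", re.M)
    return [datetime.strptime(m.group(1), FMT) for m in pat.finditer(text)]

def mcshield_stops(text):
    """Timestamps of event 7036 records reporting that McShield stopped."""
    stops = []
    for record in text.split("Log Name:")[1:]:
        when = re.search(r"Date:\s+" + TS, record)
        if (when and re.search(r"Event ID:\s+7036\b", record)
                and "McShield service entered the stopped state" in record):
            stops.append(datetime.strptime(when.group(1), FMT))
    return stops

def correlate(ods_text, system_text, window=timedelta(seconds=30)):
    """Pair each termination with the nearest McShield stop in the window, else None."""
    stops = mcshield_stops(system_text)
    pairs = []
    for ended in ods_terminations(ods_text):
        near = [s for s in stops if abs(ended - s) <= window]
        pairs.append((ended, min(near, key=lambda s: abs(ended - s)) if near else None))
    return pairs

if __name__ == "__main__":
    for ended, stop in correlate(ODS_LOG, SYSTEM_LOG):
        print(ended, f"McShield stopped {stop}" if stop else "no McShield stop nearby")
```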
