9 Replies Latest reply on Apr 28, 2016 9:37 AM by McDuff

    VirusScan On Demand Scan Not Completing and Not Scanning Anything

    McDuff

      Greetings

       

      I've noticed that on a few of our systems, on demand scans are running, yet not actually scanning any files, and the scan continues until either the PC is rebooted or the scan times out.

       

      For example, we have a process and memory rootkit scanner, which, on a typical PC should take about 20 seconds to complete.

       

       

      On these particular PCs, at the end of hours of scanning, the scan summary shows no processes scanned.

       

      Here's what I see on a PC with the problem, you can see that no processes are reported as scanned, and the scan ran for 3 hours and 14 min.

         

      (managed) Memory and Process Scan (8.8)
      Scan Summary
      Processes scanned    : 0
      Processes detected   : 0
      Processes cleaned    : 0
      Boot sectors scanned : 0
      Boot sectors detected: 0
      Boot sectors cleaned : 0
      Files scanned        : 0
      Files with detections: 0
      File detections      : 0
      Files cleaned        : 0
      Files deleted        : 0
      Files not scanned    : 0
      Scan Summary (Registry Scanning)
      Keys scanned         : 0
      Keys detected        : 0
      Keys cleaned         : 0
      Keys deleted         : 0
      Run time             : 3:14:13

       

      Here's what I see on a PC without the problem, you can see 82 processes were scanned and it took 20 seconds.

         

      Scan Summary
      Processes scanned    : 82
      Processes detected   : 0
      Processes cleaned    : 0
      Boot sectors scanned : 0
      Boot sectors detected: 0
      Boot sectors cleaned : 0
      Files scanned        : 0
      Files with detections: 0
      File detections      : 0
      Files cleaned        : 0
      Files deleted        : 0
      Files not scanned    : 0
      Scan Summary (Registry Scanning)
      Keys scanned         : 0
      Keys detected        : 0
      Keys cleaned         : 0
      Keys deleted         : 0
      Run time             : 0:00:20

       

      On these problem PCs, the same thing is happening to a full scan of the entire drive.  Scan runs for hours, nothing is reported as scanned.

       

      Has anyone seen this before, and if so, what did you do to fix this?  We are at VirusScan 8.8 patch 6 and McAfee Agent 4.8 patch 3.

        • 1. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
          rmetzger

          Hi McDuff,

           

          So, what happens if you try (as a test) deselecting Scan Memory for rootkits?

           

          Post the results. Thanks,

          Ron Metzger

          • 2. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
            McDuff

            Interesting, after creating another scan task with the scan memory for rootkits removed, the scan ran fine.  The other scheduled scan (with the scan memory for rootkits) that ran later that evening continued to fail.  So I take it you've run into this before?

            • 3. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
              rmetzger

              McDuff wrote:

               

              Interesting, after creating another scan task with the scan memory for rootkits removed, the scan ran fine.  The other scheduled scan (with the scan memory for rootkits) that ran later that evening continued to fail.  So I take it you've run into this before?

              Hi McDuff,

               

              So, no, I have not personally experienced this, but have read in previous posts about this happening.

               

              Further, I often try to diagnose problems by the 'Divide and Conquer' technique which essentially divides the problem in two. This reduces what needs to be examined by half, either way.

               

              In this case we can conclude that 'Memory Scan for Rootkits' is the cause of the hang. Other aspects of scanning are not part of the problem, so let's concentrate the testing and remediation on scanning for Rootkits.

               

              Now the questions may be:

              1) Is a Rootkit actually present?

                  A) If a rootkit is present, how do we do a cleaning?

                  B) If a rootkit is not present, how do we stop the hang?

               

              1A) Two tools are available from Intel Security/McAfee to help scan and potentially clean Rootkits

                  a) Rootkit Remover: http://www.mcafee.com/us/downloads/free-tools/rootkitremover.aspx

                      Download and follow the use instructions

                      Does this hang as well?

                          Hang: Contact Technical Support

                          Complete: Try the VSE Scan with 'Scan Memory for rootkits' again and post results.

                  b) Stinger (for ePO): http://www.mcafee.com/us/downloads/free-tools/stinger.aspx

                      Download the appropriate version (Stand-alone vs. deploy from ePO, And 32-bit vs. 64-bit)

                      Does this hang as well?

                          Hang: Contact Technical Support

                          Complete: Try the VSE Scan with 'Scan Memory for rootkits' again and post results.

              With either tool, if the scan completed, did it record a rootkit presence and can you post these results?

               

              1B) After running a rootkit scan, without a rootkit detected, a hang still occurs:

                      Contact Technical Support.

               

              Hopefully, this helps, and please post back with any results, questions, comments, or suggestions.

              Ron Metzger

              • 4. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
                McDuff

                Thanks for that, Ron.  Will try those.

                 

                Another test that I just ran was to create a brand new on demand scan with both the scan memory for rootkits and processes, and it worked.  I wonder if somehow this client task is corrupted just on some PCs?  I'm going to try editing my existing client task and see what happens.

                • 5. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
                  rmetzger

                  McDuff wrote:

                   

                  Another test that I just ran was to create a brand new on demand scan with both the scan memory for rootkits and processes, and it worked.  I wonder if somehow this client task is corrupted just on some PCs?  I'm going to try editing my existing client task and see what happens.

                  Interesting! For all those reading, you successfully tried this against a system that previously hung?

                   

                  If so, compare the scan configuration for ALL differences and post the differences here. Really interesting!

                   

                  Thanks,

                  Ron Metzger

                  • 6. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
                    McDuff

                    Yes that's correct, all testing was done on the same PC.

                     

                    I compared the settings between the two tasks, and the only difference was the deferral settings and system utilization:

                     

                    New test task (which worked):

                    Old task which did not work:

                     

                    I wonder if the "defer scan during presentations" could be the culprit?  These particular PCs are kiosk type systems with specialized software running all of the time in full screen mode.  I wonder how VirusScan determines whether a "presentation" is running?  I see this article, which talks about VS 8.7 defining a presentation as anything in full screen mode: McAfee KnowledgeBase - Software supported when enabling the Defer Scan During Presentations option

                    • 7. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
                      rmetzger

                      Well, your suspicion suggests an experiment.

                       

                      Start with changing the Defer settings, starting with Presentation mode, and see if you can take the original hang and remove the hang. Do this for each setting in difference until you stop the hang. Bring back each setting until you isolate the individual setting or combination of settings that cause the hang.

                       

                      At first glance, I thought the possible culprit was System Utilization: Below Normal / Low.

                       

                      Anyway, it could be a combination of settings that cause this behavior.

                       

                      At any rate, document what you find and I would present this to Tech Support for further analysis and possible future solutions.

                       

                      Let us know how you make out.

                      Thanks,

                      Ron Metzger

                      • 8. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
                        McDuff

                        So it does appear to be defer settings.  Last night I created two scans, one changing the system utilization (#1), one removing the defer settings (#2), and the #1 scan ran for hours before it terminated, and the #2 one ran very quickly and was successful.

                         

                        I'll run one more test tonight, enabling all of the defer settings except for the "defer scan during presentations".

                         

                        Thanks very much for your help.

                        • 9. Re: VirusScan On Demand Scan Not Completing and Not Scanning Anything
                          McDuff

                          Confirmed, the "defer scan during presentations" option was preventing the scan from running when an application was running in full screen mode.
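
Added example, not part of the original thread and not McAfee tooling: a small parser for scan summaries in the layout quoted in the first post, which flags scans that ran for a long time yet report nothing scanned, the symptom that revealed the deferred scans here. The function names and the five-minute threshold are assumptions, and the sample text is constructed from the two summaries quoted above.

```python
import re
from datetime import timedelta

# Constructed sample, trimmed from the two summaries quoted in the thread.
SAMPLE_LOG = """\
(managed) Memory and Process Scan (8.8)
Scan Summary
Processes scanned    : 0
Boot sectors scanned : 0
Files scanned        : 0
Scan Summary (Registry Scanning)
Keys scanned         : 0
Run time             : 3:14:13
Scan Summary
Processes scanned    : 82
Boot sectors scanned : 0
Files scanned        : 0
Scan Summary (Registry Scanning)
Keys scanned         : 0
Run time             : 0:00:20
"""

# Counters that show the scanner actually examined something.
COUNTERS = ("Processes scanned", "Boot sectors scanned",
            "Files scanned", "Keys scanned")
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S+)\s*$")

def parse_summaries(text):
    """Return one dict per scan; the 'Run time' line closes a summary."""
    summaries, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # headings such as 'Scan Summary' carry no value
        key, value = m.groups()
        if key == "Run time":
            h, mi, s = (int(p) for p in value.split(":"))
            current["run_time"] = timedelta(hours=h, minutes=mi, seconds=s)
            summaries.append(current)
            current = {}
        elif value.isdigit():
            current[key] = int(value)
    return summaries

def find_empty_scans(text, min_runtime=timedelta(minutes=5)):
    """Scans that ran at least min_runtime (assumed threshold) but scanned nothing."""
    return [s for s in parse_summaries(text)
            if s["run_time"] >= min_runtime
            and sum(s.get(k, 0) for k in COUNTERS) == 0]
```
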