4 Replies Latest reply on May 23, 2016 10:19 AM by londonsec

    MOVE disables and re-enables every ASCI?

    londonsec

      We're constantly seeing the MOVE status being registered in the event logs as "Protection Disabled" and then a few minutes later "Protection enabled". 

      It appears to be inline with the ASCI cycle so my question is this:

      Does the MOVE product get disabled during the ASCI cycle when the system communicates back to ePO for policies? 

      I can understand if it has to register with a new OSS but why does it happen every hour or on every communication cycle?

       

      Just curious to understand this a bit further as this was also how one of the virtual systems got hit with Crypto.  Either the timing was terrible or there was a directed attack which disabled MOVE.  I'd really like to think it was a timing issue and not the later.

       

      Thanks,

      Dennis

        • 1. Re: MOVE disables and re-enables every ASCI?
          rajinp

          This should not happen.

          Just try to understand what is happening. Is there any policies which gets applied or something else.

           

          Also see what is the status of OSS whether OSS service is getting restarted by any chance.

          • 2. Re: MOVE disables and re-enables every ASCI?
            londonsec

            We've been working this issue with McAfee support and it appears to happen if the OSS shows it has reached capacity and the MOVE system doesn't utilize the 2nd configured OSS.  The status changes to disabled and will stay that way for up to 10 minutes.  I would think a notification would be in order that OSS capacity is full (guess we'll create one ourselves) and that scanning is disabled.

             

            Not sure why they hit capacity since we've configured each to take 285 with a cap of 300.  We have 4 OSS servers which are assigned via tags and policies with only 780 virtual systems.  According to my math we should never have an OSS hitting the max of 300 when we have a total capacity for 1200 connections and only 780 systems.  We're going to try an add an additional OSS plus an SVA.  Not sure why we'd want/need an SVA if systems are assigned but that's what we're being told to do.

            • 3. Re: MOVE disables and re-enables every ASCI?
              rajinp

              You are right. The primary secondary concept is not for load balancing. You need to use SVA manager to do the same.

               

              As you said, you should not see the capacity full at 285, if the load configured is High.

              • 4. Re: MOVE disables and re-enables every ASCI?
                londonsec

                We've decided to switch from MOVE to full VSE with HIPS.  Tired of constantly having to deal with inadequate protection which doesn't equal the physical device security.  To many issues with virtual systems getting hit with crypto/ransom style malware which VSE + HIPS protects against.