0 Replies Latest reply on Aug 1, 2016 8:59 AM by brentil

    NES10 and Presentation Mode debugging help

    brentil

      Could someone help me test reproducing an issue?  I have a support case open for this right now but they've been unable to reproduce the problem so far.

       

      On Windows 10 1511 computers running NES 10.1 when Quick Scan jobs set to either "Scan only when the system is idle" or Scan Anytime with "Do not scan when the system is in presentation mode" is enabled the machine starts the job but then pauses it till a user logs into the machine.  So the Quick Scan job I have set starts at 9pm but pauses until I log into my machine at 8am which at that point the job starts running.  If it's set to "Scan only when the system is idle" it'll run/pause/run/pause/run/pause as I use my machine.  If it's set to "Scan Anytime" it'll go full bore and thrash my machine as it scans right after I login.

       

      If you can help me test try doing the following.

       

      • ePO -> System Tree -> group to test in -> Assigned Policies -> Endpoint Security Threat Prevention -> On-Demand Scan -> go down to Scheduled Scan Options (Windows only)
        • Check "Scan anytime"
        • In the new set of options that appear below Scan anytime only select "Do not scan when the system is in presentation mode"
        • Save
      • While on the same group to test in go to the Assigned Client Tasks tab
        • New Client Task Assignment -> Endpoint Security Threat Prevention -> Policy Based On-Demand Scan -> On-Demand Scan - Quick Scan
        • Enable the task and let it run for a time you know the machine will be logged in but locked
      • On the test Windows 10 1511 machine do a Check New Policies from the McAfee Agent Monitor
      • Stay logged in to the test machine and Lock it.  Do not sign off, it must stay logged in but locked.
      • Wait at least 10 minutes after the task should have run and login
        • If you have the issue you'll see the NES10 scanner service spike up, an easy way to see this is leave the Task Manager open on the Performance -> CPU tab and it'll show you the visual CPU history before logging in of no activity and then it'll spike after login
      • Open NES10 and go to Event Log -> View Logs Folder -> and open the OnDemandScan_Activity.log
        • Or you can navigate to the file C:\ProgramData\McAfee\Endpoint Security\Logs\OnDemandScan_Activity.log
      • In the logs you'll see something like this where the scan started, auto paused, and then started when the account logged back in
        • 7/25/2016 8:59:42 PMmfetp(4124.15684) <SYSTEM> odsbl.ODS.Activity:     Scan started    MACHINENAME$    Quick Scan
          7/25/2016 8:59:42 PMmfetp(4124.6852) <SYSTEM> odsbl.ODS.Activity:     Scan auto paused MACHINENAME$    Quick Scan
          7/26/2016 8:24:35 AMmfetp(4124.5700) <SYSTEM> odsbl.ODS.Activity:     Scan resumed    MACHINENAME$    Quick Scan