4 Replies Latest reply on Jan 30, 2017 7:13 AM by tao

    ePO OAS help needed asap!

    mas13

      Hey all, I am new to the community and was just wondering if someone could answer a question that I can't seem to find any discussions about in the forums.  These questions are concerning when an OAS scan from ePO 5.3 is performed during web browsing file downloads and detects a potentially malicious file (event generated time) and reports to ePO at a later time (event received time).

      • In the case of a simple javascript file being downloaded to the default browser cache and being detected as malicious but not deleted, is the "event generated time" in the logs the exact time the file was downloaded or perhaps when ePO decided it could not delete the file and gave up?
      • If it is the exact time of download, why does the detected timestamp never line up with web traffic in my proxy logs?
      • Do Mac machines create an issue with this?
        • 1. Re: ePO OAS help needed asap!
          catdaddy

          Moved from Community Support to ePolicy Orchestrator (ePO) >Discussions

          For better exposure and assistance.

          If needed to be moved to (Mac) products, please apprise.

          • 2. Re: ePO OAS help needed asap!
            tao

            "Event Generated Time": Time that the event was detected, which may be different than the actual download time-frame. "Event Received Time": Time that the event was received by the ePO server.  ... As for "Mac machines create an issue with this?" I haven't heard of one.

            • 3. Re: ePO OAS help needed asap!
              mas13

              @tao But from my understanding of OAS, it scans when something is written to the physical disk, so wouldn't it make sense that it mark that time as the event generated time?  Otherwise what's the point? I'll never be able to accurately investigate a user's proxy traffic and associate it with the McAfee timestamp.  Thanks for your quick reply btw!

              • 4. Re: ePO OAS help needed asap!
                tao

                The amount of time taken to scan the file depends primarily on the following factors:

                - File complexity
                - File size
                - File location
                - File type / File extensions
                - Processing power
                - Network speed


                McAfee anti-virus products have an intentional cutoff time when the scan of a particular file must stop; the scan time-out feature is intended to prevent a denial of service.  If the file is still being scanned after XX seconds (default is 45), the scanner will time out. The length of time before this time-out occurs varies by product; VSE OAS can be configured under "On-Access General Policies <> General <> Maximum scan time"


                So, from my understanding - OAS is scanning the downloads; yet the scan is performed one at a time until complete or a time-out occurs. That doesn't mean that the internet stops all downloads/rendering of the webpages until OAS is done with the first file/exe, the second, third and ... It renders the page and eventually OAS does scan those files/exe.
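One way to put tao's explanation to work when correlating ePO detections with proxy logs, as an added example that is not part of this thread and not McAfee's own code: instead of demanding an exact timestamp match, search a window that allows for the scan time-out (45 s default, per the thread) plus some clock skew between the endpoint and the proxy. It assumes both timestamps are normalised to UTC and uses a constructed squid-style log format; the skew allowance is an assumed value.

```python
from datetime import datetime, timedelta

# Defaults: VSE OAS "Maximum scan time" is 45 s by default (from the thread).
# The clock-skew allowance is an assumption for endpoint vs. proxy clocks.
DEFAULT_SCAN_TIMEOUT_S = 45
DEFAULT_CLOCK_SKEW_S = 60

# Constructed sample data (not real logs): one ePO threat event in UTC and a
# squid-style access log: timestamp client method url status content-type
EPO_EVENT = {"generated": datetime(2017, 1, 30, 13, 5, 12),
             "host": "10.0.0.21", "file": "track.js"}

PROXY_LOG = """\
2017-01-30T13:04:40Z 10.0.0.21 GET http://cdn.example.test/assets/track.js 200 text/javascript
2017-01-30T13:04:41Z 10.0.0.21 GET http://cdn.example.test/assets/site.css 200 text/css
2017-01-30T13:02:00Z 10.0.0.21 GET http://other.example.test/track.js 200 text/javascript
2017-01-30T13:04:50Z 10.0.0.22 GET http://cdn.example.test/assets/track.js 200 text/javascript
"""


def parse_proxy_line(line):
    """Split one constructed access-log line into a dict with a datetime."""
    ts, client, method, url, status, ctype = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "method": method, "url": url,
            "status": int(status), "ctype": ctype}


def candidates(event, log_text, timeout_s=DEFAULT_SCAN_TIMEOUT_S,
               skew_s=DEFAULT_CLOCK_SKEW_S):
    """Proxy entries that could be the download behind an OAS detection.

    The OAS event is generated when the scan finishes, which can be up to
    the scan time-out after the bytes hit disk, so the search window runs
    from (generated - timeout - skew) to (generated + skew) instead of
    requiring an exact match.  Results are sorted by closeness to the event.
    """
    earliest = event["generated"] - timedelta(seconds=timeout_s + skew_s)
    latest = event["generated"] + timedelta(seconds=skew_s)
    hits = []
    for line in log_text.splitlines():
        entry = parse_proxy_line(line)
        if entry["client"] != event["host"]:
            continue
        if entry["url"].rsplit("/", 1)[-1] != event["file"]:
            continue
        if earliest <= entry["ts"] <= latest:
            hits.append(entry)
    return sorted(hits, key=lambda e: abs(e["ts"] - event["generated"]))
```

With `timeout_s=0` and `skew_s=0` the exact-time match mas13 was looking for finds nothing, which is the mismatch the question describes.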