Endpoint Protection

  • 1.  How do i know which files are processed by auto-protect in SEP?

    Posted May 16, 2010 10:54 PM

    Is there a way to know what files are processed by auto-protect?

    For instance, when I launch SPSS (from http://www.spss.com/), how do I know what files are being scanned by auto-protect during the launch process?

    Tried "L SC" in debug log setting but that is not what I am looking for.

    Thanks in advance.


  • 2.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 17, 2010 01:05 AM
    Can I ask why you need to know? Are you having some other problem with auto protect and that is why you are asking? I am not sure you are able to get a log of the files when you click on a certain .exe however ALL the files will be scanned when the program is launched. So any DLLs or anything the program relies on will be scanned. I don't know exactly why you are asking, so that makes it a little bit harder to help. If it is something like excluding a certain file or executable because auto-protect is causing problems with the program we can definitely help you with that. Just let us know.


    Cheers
    Grant


  • 3.  RE: How do i know which files are processed by auto-protect in SEP?

    Broadcom Employee
    Posted May 17, 2010 01:07 AM

    The setting seems to be right, there could be some issue.
    As the link says so

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007121814372348



    Also you can check by opening SEP client GUI console.

    Status --> click on Options of "Antivirus and Antispyware" --> view "filesystem auto protection statistics"



  • 4.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 17, 2010 01:36 AM
    All files should be scanned; it also depends on how you set up AV in the policy. If you are sure it is safe not to scan that executable, add it to the exception.


  • 5.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 17, 2010 12:34 PM
    You should be able to set the option, if you want to exclude some extensions.


  • 6.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 17, 2010 11:57 PM
    I worked in one of the largest universities in my country.
    Our computer labs are currently using Trend Micro Office Scan 10.
    Recently when we ran SPSS 18, it took about 5 minutes 30 seconds for SPSS to start on a Pentium 4 HT PC with 512 MB RAM and an 80 GB hard disk.
    With the help of the Trend Micro ESO service, they were able to determine that the cause of the delay was the extensive scan on JAR files used by SPSS 18's startup process.
    It seems Trend Micro is decompressing each of the JAR files and scanning them when a user launches SPSS 18.

    The current workaround that Trend Micro ESO is suggesting is to put JAR files in the exclusion list in the real-time protection configuration.
    It lets SPSS run very fast (because OfficeScan isn't scanning the JAR files). It used to take 5 minutes to launch SPSS; now it only takes about 20 seconds or less.
    But this configuration does open a big security hole for the entire university.

    As we are close to the time to renew our anti-virus contract with Trend Micro, I am evaluating alternatives.
    We might keep Trend Micro if we can't find anything better.

    The reason I am looking into the real-time protection scan log is because when I installed SEP 11 on the same hardware, same software.
    I have been told by several techs/reps from Symantec, and our sales rep, that JAR files are being scanned by SEP.
    But it is hard to convince me when I look at my timer: the SPSS 18 launch time is the same as if the machine did not have any anti-virus program installed.
    I wonder how SEP was able to scan JAR files yet keep the launch time so short? If I can't find proof, I would have a difficult time answering if my boss asks about the SPSS problem, since the SPSS problem has been around and all over the campus for a while.

    I looked at Avira, Kaspersky and Symantec.
    Avira was able to show me a real-time protection scan log if I choose to.
    However, I wish to have more detailed log files; now it only tells me the file is being processed and whether the file is good or bad.

    2010/5/17,16:27:35 小紅傘個人免費體驗版 - 僅供非商業使用已掃描下列的檔案:
      C:\Program Files\SPSSInc\PASWStatistics18\JRE\lib\rt.jar
          Requesting PID = 936
          Engine Scan Time = 55 ms
          [使用者] 405-4-02\USER <----- which computer
          [資訊] 此檔案將不會採取任何動作。<-------it shows what Avira is doing in this case, Avira isn't doing anything
    2010/5/17,16:27:35 小紅傘個人免費體驗版 - 僅供非商業使用已掃描下列的檔案:
      C:\Program Files\SPSSInc\PASWStatistics18\JRE\lib\charsets.jar
          Requesting PID = 936
          Engine Scan Time = 33 ms
          [使用者] 405-4-02\USER      <----- which computer
          [資訊] 此檔案將不會採取任何動作。<-------it shows what Avira is doing in this case, Avira isn't doing anything

    Kaspersky is able to show me a real-time scan log if I want to see it, and if the file is scanned already, Kaspersky would tell me the file isn't changed, thus the performance degradation associated with the detailed logging isn't that big of an issue.

    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/META-INF/SUN_MICR.SF    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/META-INF/SUN_MICR.RSA    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/META-INF/mailcap.default    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/META-INF/mimetypes.default    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/javax/activation/SecuritySupport12.class    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/javax/activation/SecuritySupport12$1.class    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/javax/activation/SecuritySupport12$2.class    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/javax/activation/SecuritySupport12$3.class    正常    已掃瞄    405-4-01\USER    localhost
    2010/5/12 上午 11:57:34    C:\Program Files\SPSSInc\PASWStatistics18\activation.jar/javax/activation/SecuritySupport12$4.class    正常    已掃瞄    405-4-01\USER    localhost

    I wish to find Symantec's real-time protection log files to help my evaluation process.

    thanks in advance,
    Shigeru
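
Added example, not part of the original post: a Python sketch that totals engine scan time per file extension for one requesting PID, using the record layout of the Avira real-time log quoted above, so per-file evidence can be compared against a launch-time measurement. The sample log is constructed (English header text and the `notepad.exe` record are assumptions), and `parse_records` and `scan_cost` are hypothetical helper names.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the layout of the Avira log quoted in the post: a timestamp
# header, then indented path / PID / engine-time lines. The last record is made up.
SAMPLE_LOG = """\
2010/5/17,16:27:35 scanned the following file:
  C:\\Program Files\\SPSSInc\\PASWStatistics18\\JRE\\lib\\rt.jar
      Requesting PID = 936
      Engine Scan Time = 55 ms
2010/5/17,16:27:35 scanned the following file:
  C:\\Program Files\\SPSSInc\\PASWStatistics18\\JRE\\lib\\charsets.jar
      Requesting PID = 936
      Engine Scan Time = 33 ms
2010/5/17,16:27:36 scanned the following file:
  C:\\Windows\\System32\\notepad.exe
      Requesting PID = 1204
"""

TS = re.compile(r"^\d{4}/\d{1,2}/\d{1,2},\d{1,2}:\d{2}:\d{2}")
PATH = re.compile(r"^\s+([A-Za-z]:\\.+?)\s*$")
PID = re.compile(r"Requesting PID\s*=\s*(\d+)")
TIME = re.compile(r"Engine Scan Time\s*=\s*(\d+)\s*ms")

def parse_records(text):
    """Split the log into one dict per scanned file; header wording is ignored."""
    records, cur = [], {"path": None}  # throwaway record absorbs lines before the first header
    for line in text.splitlines():
        if TS.match(line):
            cur = {"path": None, "pid": None, "ms": None}
            records.append(cur)
        elif m := PID.search(line):
            cur["pid"] = int(m.group(1))
        elif m := TIME.search(line):
            cur["ms"] = int(m.group(1))
        elif cur["path"] is None and (m := PATH.match(line)):
            cur["path"] = m.group(1)
    return [r for r in records if r["path"]]

def scan_cost(records, pid):
    """Per-extension (files scanned, total engine ms) for one requesting PID."""
    totals = defaultdict(lambda: [0, 0])
    for r in (r for r in records if r["pid"] == pid):
        t = totals[ntpath.splitext(r["path"])[1].lower()]
        t[0] += 1
        t[1] += r["ms"] or 0  # a record with no engine time still counts as a scanned file
    return {ext: tuple(t) for ext, t in totals.items()}
```

Because records are keyed on the timestamp line rather than the header wording, the same parser accepts the localized header text shown in the quoted log.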


  • 7.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 18, 2010 02:49 AM
    Microsoft's PSTools is a great way to validate what is being touched if at all.


  • 8.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 18, 2010 02:53 AM
    I looked at the statistics; it only shows the last scanned file and the location of the file, it's not what I wanted.
    If I launch SPSS, all I can do is look at a line of changed filenames; I won't be able to know if a JAR file is scanned in detail.



  • 9.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 18, 2010 02:59 AM

    is it free~~?


  • 10.  RE: How do i know which files are processed by auto-protect in SEP?

    Posted May 18, 2010 04:55 AM

    I don't want to exclude the extension, I want to see if it actually did something to make sure the files are safe~