
Massive Recalls from applications (FSA)

Created: 10 Sep 2013 | 17 comments

Environment:

EV10 SP3 (Windows Cluster active-passive)
SQL 2008 R2
Windows 2008 R2
46 File Servers
LUN EMC Symmetrix VMAX as storage device

We found several applications doing massive recalls
(antivirus, backup, explorer.exe and preview pane disabled from registry on each File Server)

There are two applications discovered so far

Details:

 McAfee Endpoint Encryption For Files And Folders 3.2.6

We have 90 users with the encryption tool installed on their client workstations. If one of these users accesses a file server share resource where we have archived items, all the archived items in that location start retrieving. This issue is generating bulk recalls on our file servers, and that is a very critical situation in several ways:

1- Because of our archiving policy, set to “accessed time”
2- Our File Servers are growing on site faster
3- We can’t implement ILM because we have too many recalls every day (between 4.000 and 60.000)

After research and work on this situation, we know the McAfee software runs locally on the workstation; that’s why we couldn’t exclude it from the EV registry (excludedexes)

This is an example from the dtrace that confirms my theory

========================================================================================================================================================================

64           13:18:31.587       [3628]  (EvPlaceholderService) <3708> EV:M     [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\Cartocor\SGI Corrugado\Planificado\Información Técnica\ELEMENTOS DE SELLO\Retenes\Lz.xls

65           13:18:31.587       [3628]  (EvPlaceholderService) <3708> EV:L       {RequestArchivedFile::RequestArchivedFile} (Entry)

66           13:18:31.587       [3628]  (EvPlaceholderService) <3708> EV:M     WorkItem::GetExeName: Trying to get the .exe name for pid: 4

========================================================================================================================================================================
But even that, we so this behavior over other file servers and we are not 100% sure this is the only software is doing massive recall, for sure McAfee is one, but we need to find out if there is something else.

This is other calls:

(McAfee antivurs), ========================================================================================================================================================================

Attempting to respond to FSA driver with downloaded file: \\?\E:\Corporativo\Balance\2011\04 - Diciembre 11\Z- Resumen 12.11\Bce-Notas - 12.11\BP\EFE\EFE Consolidado\EFE Arcor Consolidado 31.12.11.xlsx

4444    16:54:24.883   [3572] (EvPlaceholderService)           <3684>            EV:L            {RequestArchivedFile::RespondToFSADriver} (Exit) Status: [Success]

4445    16:54:24.883   [3572] (EvPlaceholderService)           <3684>            EV:L   {RequestArchivedFile::Process} (Exit) Status: [Success]

4446    16:54:24.883   [3572] (EvPlaceholderService)           <3684>            EV:L   {CQueue::DeQueue} (Entry)

4447    16:54:24.883   [3572] (EvPlaceholderService)           <3640>            EV:M            WorkItem::GetExeNameUsingPHHelper: exit - PID:11028, exe name:mcshield.exe

4448    16:54:24.883   [3572] (EvPlaceholderService)           <3640>            EV:M  WorkItem::GetExeName: The .exe name for for pid: 11028 is mcshield.exe

========================================================================================================================================================================

I believe this is Altiris, but not sure

========================================================================================================================================================================

Pass-Through cache initialization of the file \\?\\Users\Lgallardo\Archivos_en_D\GutierrezOO\GeneraciónVarios\GeneraciónCTCC_Operativa.xls is not allowed. Pass-Through is disable on file server.

803      16:54:23.947   [3572] (EvPlaceholderService)           <3640>            EV:M  [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\Golosinas\Administracion Golosinas\Gestión 2010\Cierre de Costos 2010\2010-10\Met 40 - PPP\2010-10 Asiento Resumen Esencias Met40.xls

804      16:54:23.947   [3572] (EvPlaceholderService)           <3680>            EV:L            {PassThroughRecallLimiter::RespondToFSADriver} (Exit) Status: [Success]

805      16:54:23.947   [3572] (EvPlaceholderService)           <3640>            EV:L            {RequestArchivedFile::RequestArchivedFile} (Entry)

806      16:54:23.947   [3572] (EvPlaceholderService)           <3680>            EV:L            {PassThroughRecallLimiter::Process} (Exit) Status: [Success]

807      16:54:23.947   [3572] (EvPlaceholderService)           <3680>            EV:L   {CQueue::DeQueue} (Entry)

808      16:54:23.947   [3572] (EvPlaceholderService)           <3640>            EV:M  WorkItem::GetExeName: Trying to get the .exe name for pid: 10268

809      16:54:23.947   [3572] (EvPlaceholderService)           <3640>            EV:M            WorkItem::GetExeNameUsingPHHelper: entry - PID:10268

810      16:54:23.963   [3572] (EvPlaceholderService)           <3640>            EV:M            WorkItem::GetExeNameUsingPHHelper: exit - PID:10268, exe name:AeXAuditPls.exe

811      16:54:23.963   [3572] (EvPlaceholderService)           <3640>            EV:M  WorkItem::GetExeName: The .exe name for for pid: 10268 is AeXAuditPls.exe

========================================================================================================================================================================

 

There is a release note from McAfee with a workaround for this issue, but basically we need to turn this tool offline, so it is not a good solution for us.

 

325.11

Offline files incorrectly recalled
Enhancement Type: Resolved issue
Enhancement Description:
Files listed for “Offline availability” were incorrectly recalled when EEFF was installed. The issue was triggered by "Symantec Enterprise Vault" but could have been triggered by any similar product. This issue is now resolved using the feature listed in 325.1.
Files affected:
• N/A (EEFF client files cannot be updated on a file‐by‐file basis)
 
How is the enhancement implemented:
• Upgrade the EEFF client (over‐install existing client) and add registry value to ignore local drives and network drives.
 
Affected Operating Systems:
• All client operating systems
 

- We also found that Mac is doing unexpected recalls.

If Mac OS user goes over File Server, depending on the visualization type configured on MacOS.
We need a list with software and other applications that run massive recalls

Any idea?
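As an added example (not part of the original post and not Enterprise Vault code), one way to tally which process triggered each recall from a DTrace capture like the excerpts above. It assumes the three line shapes shown in the post and that a PID lookup follows the queue line on the same thread; the sample lines and their paths are constructed.

```python
import re
from collections import defaultdict

# Line shapes copied from the DTrace excerpts in the post above.
QUEUED = re.compile(r"<(\d+)>\s+EV:\w\s+\[EvRequestArchivedFile\] "
                    r"Queueing placeholder request for file: (.+?)\s*$")
TRYING = re.compile(r"<(\d+)>\s+EV:\w\s+WorkItem::GetExeName: "
                    r"Trying to get the \.exe name for pid: (\d+)")
RESOLVED = re.compile(r"WorkItem::GetExeName: The \.exe name for "
                      r"(?:for )?pid: (\d+) is (\S+)")


def recalls_by_process(lines):
    """Return {requesting process: [files it caused to be recalled]}."""
    pending = {}                 # thread id -> file queued on that thread
    by_pid = defaultdict(list)   # pid -> recalled files
    exe_of = {}                  # pid -> resolved .exe name
    for line in lines:
        if m := QUEUED.search(line):
            pending[m.group(1)] = m.group(2)
        elif m := TRYING.search(line):
            # Assumption: a PID lookup belongs to the file most recently
            # queued on the same thread, as in the excerpts.
            path = pending.pop(m.group(1), None)
            if path is not None:
                by_pid[m.group(2)].append(path)
        elif m := RESOLVED.search(line):
            exe_of[m.group(1)] = m.group(2).lower()
    result = defaultdict(list)
    for pid, files in by_pid.items():
        # PIDs with no resolved name (pid 4 in the post) stay visible.
        result[exe_of.get(pid, f"pid {pid} (unresolved)")].extend(files)
    return dict(result)


# Constructed sample lines modelled on the post's excerpts (paths invented).
SAMPLE = r"""
64  13:18:31.587 [3628] (EvPlaceholderService) <3708> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\demo\plan a.xls
66  13:18:31.587 [3628] (EvPlaceholderService) <3708> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 4
803 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\demo\b.xls
808 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 10268
810 16:54:23.963 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeNameUsingPHHelper: exit - PID:10268, exe name:AeXAuditPls.exe
811 16:54:23.963 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeName: The .exe name for for pid: 10268 is AeXAuditPls.exe
""".strip().splitlines()

if __name__ == "__main__":
    for exe, files in recalls_by_process(SAMPLE).items():
        print(f"{len(files):5d}  {exe}")
```

Names that resolve to an executable running on the file server are candidates for ExcludedExes; recalls that stay attributed to pid 4 cannot be filtered by executable name there.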


GabeV's picture

Hello Peter,

Have you tried excluding the executables (mcshield.exe, AeXAuditPls.exe) adding the apps to ExcludedExes in the File Server where the placeholder service is running?

http://www.symantec.com/docs/TECH51039

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

Rob.Wilcox's picture

So you're trying to build a 'complete list' of stuff to exclude?

peterameghino's picture

Hi Rob, I'm sure I can't get a full list, but maybe known stuff.

 

Thank you

Advisor's picture

I don't think there is any list of such processes which we can offer, but certainly the massive recall happens only from Antivirus and Backup applications. If you have the exclusions in place for Antivirus then placeholder should not allow any recalls for these exe's.

On user workstation, can you not configure antivirus application in a way that it will stop scanning network drives?

I believe once you stop these workstation AV's from scanning the File Server drives, you will be in better situation to investigate this matter further.

GabeV's picture

If you enable pass-through in the File server configuration in the VAC you can, at least, prevent restored files in the file server while you are determining what processes you need to add.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

peterameghino's picture

Hi Advisor, Antivirus and Backup applications are excluded from each File Server (45).

I'm not sure if I'm able to configure antivirus on workstations to stop scanning network drives, since this will open security bridge with Security Team. Antivirus should scan as usual to keep our clients safe from threats.

peterameghino's picture

GabeV, pass-t is enabled but still recalling archives.

Remember that pass-t has different behavior with shortcuts, so enabling pass-t can decrease recalls but not fix this problem.

Article URL http://www.symantec.com/docs/TECH69799

Excel files recall all the time. Take a look at the article

peterameghino's picture

For example, this is for Mac with pass-t configured

[Attached image: 2013-09-10_115834.jpg]

Rob.Wilcox's picture

Is there a preview pane type of thing open on the Mac? Maybe that has the same/similar undesirable effect that the preview pane has on Windows?

peterameghino's picture

Rob, I don't know for sure if there is a preview like Windows. I don't have access to those machines right now. But I would like to know if Symantec knows about Mac preview or something similar like you said.

According to this:

http://www.symantec.com/business/support/index?page=content&id=TECH128505

GroupLogic is the only option I have regarding the Mac situation, but there should be a workaround like the Microsoft preview pane, maybe some option to disable, I don't know; that's why I created this post. 1 for the Mac issue, 2 for the Encryption situation, 3 a known recall application list (not a complete one, but something at least)

Thank you guys!

peterameghino's picture

Rob, the main issue is McAfee Endpoint Encryption For Files And Folders 3.2.6 (massive recall)

I also asked if there is a workaround for the MacOS issue, something that we can configure like the Windows Explorer display.

For the Microsoft issue you can do this:

http://www.symantec.com/business/support/index?page=content&id=TECH200724

I would like to know if we can do something regarding Mac.

Also I need a list of known massive recall applications (I don't expect a full list, but some applications other than backup, antivirus, explorer.exe)

Tks

Rob.Wilcox's picture

Backup and Antivirus are your two most likely culprits, and they'll be specific to your environment. You don't need to exclude *every* backup product, just the one that you use on your file servers. Same for A/V.

 

I don't know about the Mac side of things.

 

Does the passthrough recall stuff fix it for Macs too?

SHI-CRO's picture

If you have Mac users accessing file shares with placeholders, you'll need something like this:

http://www.grouplogic.com/enterprise-file-sharing/mac-file-archiving-system/