
McAfee issues with EV10?

Created: 26 Feb 2013 • Updated: 30 Apr 2013 | 6 comments
Sarah.Seftel
This issue has been solved. See solution.

 

Hi,
My customer sent me these logs coming from McAfee; he claims EV is trying to terminate the McAfee processes.
Anyone ever encountered an issue like that?
I thought of excluding the whole Enterprise Vault folder from AV scanning, but I want to check first if anyone had this issue before.
 
Response Name: Threat Severity All
Event Type Name: Threat
Event Description: Access Protection rule violation detected and blocked
Number of events: 1
Product: VirusScan Enterprise 8.8
DAT: , Eng.:
 
>Source:
Host Name: _
Process Name: C:\Program Files (x86)\Enterprise Vault\StorageServer.exe
URL:
IPV4 addresses: IP Add
 
>Target Details:
File Name: C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
Host: ServerName, IP Add, Domain\adminev
Port: 0
Process Name:
 
>Threat Details:
Name: Common Standard Protection:Prevent termination of McAfee processes
Handled: true
Event ID: 1092
Action Taken: deny terminate
Category: 'File' class or access
Severity: Notice
Type: access protection
Event Time: Detected: 02/25/13 17:09:05 UTC, Received: 02/25/13 17:11:39 UTC

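As an added triage example (not code from the thread or from Symantec/McAfee), here is a small parser for the VirusScan Enterprise Access Protection event format quoted above, with a check that flags the benign pattern from this thread: a known Enterprise Vault binary blocked from terminating a McAfee file. The sample event is constructed from the post; the EV_PROCESSES set is an assumption built from the two executables the thread ends up excluding, so that only those binaries are whitelisted rather than the whole EV folder, and termination attempts from any other source process still stand out.

```python
# Constructed sample: the VSE Access Protection event from the post above,
# trimmed to the fields the triage rule uses.
SAMPLE_EVENT = """\
Event Description: Access Protection rule violation detected and blocked
Product: VirusScan Enterprise 8.8
>Source:
Process Name: C:\\Program Files (x86)\\Enterprise Vault\\StorageServer.exe
>Target Details:
File Name: C:\\Program Files (x86)\\McAfee\\Common Framework\\FrameworkService.exe
>Threat Details:
Name: Common Standard Protection:Prevent termination of McAfee processes
Action Taken: deny terminate
Event ID: 1092
"""

# Assumed allow-list: the EV executables named in the thread's solution.
# Extend only with binaries you have verified belong to Enterprise Vault.
EV_PROCESSES = {"storageserver.exe", "taskcontroller.exe"}


def parse_event(text):
    """Split a VSE event into {section: {field: value}}.
    Lines before the first '>Section:' header land under 'header'."""
    sections, current = {}, "header"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(">"):
            current = line[1:].rstrip(":").strip()
            continue
        key, sep, value = line.partition(":")  # split on the first colon only
        if sep:
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def is_ev_process_block(event):
    """True when a blocked 'terminate' came from an allow-listed EV binary and
    targeted a McAfee file, i.e. the false positive discussed in this thread.
    Anything else (unknown source, other action) should be investigated."""
    src = event.get("Source", {}).get("Process Name", "")
    dst = event.get("Target Details", {}).get("File Name", "")
    action = event.get("Threat Details", {}).get("Action Taken", "")
    src_exe = src.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return (action == "deny terminate"
            and src_exe in EV_PROCESSES
            and "\\mcafee\\" in dst.lower())
```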
6 Comments

TonySterling

I have not heard of EV trying to terminate any AV process.

It sounds to me like the virus exclusions aren't set correctly like you said.  You should verify all the recommended exclusions are in place.

Sarah.Seftel

I checked it myself... all AV exclusions are set.

and also the ones that were added to the TN about EV10. The TN doesn't say to exclude the whole EV program files folder... only Enterprise Vault Indexing Engine Data Folder & Enterprise Vault Indexing Metadata location, and this was done already...

Yet - this still happens.

So - I will exclude the whole EV program files and check it tomorrow...

AndrewB

I have customers using McAfee on their EV servers and have not heard of this behavior either.

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner | www.trace3.com

Advisor

You might want to check McAfee support for any version-specific issues, and whether a recent update was installed which could have caused this behaviour.

cruisen

Hi Sarah,

We are having lots of trouble with a customer that is using McAfee: DVS files get deleted and we need to restore the files again. Please check with support if there are other cases known; apparently there are.

I recommend you run a verify operation in EVSVR to check that everything is working fine. You should not have this.

SavesetId: 201301158277063~201112151215580000~Z~C11C63E2F3C767075A21806AFC6819A1, Archived Date: 2013-01-15 19:11:00Z
2013-02-18 23:20:37 ArchiveEntryId: 1629AF94F9DFB9246BCAA5125320DA25C1110000evserver1
2013-02-18 23:20:37 Error: Unspecified error (0x80004005)
2013-02-18 23:20:37 Event Output: Unable to complete retrieval request

Best regards, 

cruisen

Solution: Apply the below exclusions to your Enterprise Vault servers

Microsoft Message Queues

Default Typical Location - %system32\MSMQ

Risk - Scanning this location can cause MSMQ message corruption and severe performance issue which could interrupt archiving tasks, cause data loss and create database inconsistencies.

Conditions - This applies to all Enterprise Vault servers.

Vault Stores

Default Typical Location - <root>Enterprise Vault Stores

Risk - Scanning this location can cause saveset corruption which could interrupt archiving tasks, cause data loss and create database inconsistencies as well as performance issues.

Conditions - This applies to all Enterprise Vault servers.

Index Locations

Default Typical Index Locations - user configurable

Risk - Scanning these location(s) can cause corruption of indexes and search performance issues. These Indexes contain metadata and do not directly represent end user data. Recreating indexes due to corruption and the associated potential downtime this could cause makes this medium to high risk.

Conditions - This applies to all Enterprise Vault servers running an Indexing Service.

Shopping

Default Typical Location - <root>Program Files\Enterprise Vault\Shopping

Risk - Scanning this location can cause corruption of shopping baskets. Baskets are pointers to archived files and therefore they do not directly represent end user data. For this reason the risk of scanning shopping baskets is low.

Conditions - This applies to all Enterprise Vault servers running a shopping service.

Enterprise Vault Server Cache Location

Default Typical Location - user configurable. Right-click on the Enterprise Vault server in the Vault Administration Console and click Properties. Then click on the Cache tab.

Risk - Scanning this location can cause performance issues which could impact Vault Cache synchronization

TonySterling

Actually I heard back from Sarah, the customer excluded the following from being scanned:

StorageServer.exe
TaskController.exe

This stopped the errors.

SOLUTION