|
I
don't mean scanning the files in the root repetitively. In
particular, FileMon was showing me that scan.exe was READing D:\ (as opposed to
OPEN, CLOSE, QUERY INFORMATION, or SET INFORMATION - all of which are other
request types that FileMon can log).
Actually, it might have been D: instead of D:\ ... I'm not sure
now. My conclusion was that it was re-reading the contents
of the directory over and over. As you suggest, using the /exclude
parameter to excerpt the root of the drive may have helped.
The
scan.exe file is dated October 2004, and my script was certainly working before
and after that date, so it is also possible that a hotfix applied in late
December or early January changed the behaviour of some API that scan.exe uses;
I really don't know how much a DAT file can control the scanning behaviour, but
the DATs are the only part of the McAfee client that
changed!
Andrew
8)
Andrew,
When you say "reading the root of the
drive" do you mean the boot sector, or the files contained in the root of C:
or the drive that was defined in the command line? And also just to
clarify, "reading" in this case meaning "scanning", correct?
Seems like
being able to turn that off, or at least remove files from the root might make
a big performance difference when you have high
volume.
Thanks,
Matt
Colbeck, Andrew wrote:
FWIW, I recently ran into a weirdness with McAfee; I use the daily dat
download (engine plus dats), and have so for some months. What I do is
for reporting completeness, I do a nightly scan of my spam folder to
find out how many viruses were caught as spam.
January didn't work, and I didn't notice for most of the month. What
was happening was that the script was taking forever, and not completing
for the script ran again the next night.
I copied my spam folder to my local machine and ran the script again,
with much the same result. I ran SystInternals.com's FileMon and found
that McAfee's scan.exe was reading the current folder and the root of
the drive bazillions of times. With a small-ish corpus, these
extraneous reads made no difference to the scan time. With a large
number of files in a directory with a very large number of files, the
scan wasn't worth running.
So just at the end of last week, I modified the script to use F-Prot
instead of McAfee, and that has been working fine.
Andrew 8)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Bill Landry
Sent: Monday, February 07, 2005 7:04 AM
To: [email protected]
Subject: Re: [Declude.Virus] McAfee and POP3 service crash
Although I cannot explain the cause of the issues you've seen, I would
suggest that you upgrade your scan engine:
http://www.mcafeesecurity.com/us/downloads/default.asp?wt.mc_n=us_update
s&wt.mc_t=ext_li_con&cid=10373.
Download and run the SuperDat, file which contains the latest dat and
engine updates (version 4400\4426).
Bill
----- Original Message -----
From: "Matt" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, February 07, 2005 6:27 AM
Subject: [Declude.Virus] McAfee and POP3 service crash
I've never seen this before, but beginning on Saturday morning, I
started getting appearances of "Application Error" in my Event Log
about
McAfee:
Faulting application Scan.exe, version 4.3.2.0, faulting module
mcscan32.dll, version 4.3.2.0, fault address 0x0001cfd0.
Then this morning the POP3 service started also giving errors in
addition to McAfee:
Faulting application POP3d32.exe, version 12.11.9.8, faulting module
POP3d32.exe, version 12.11.9.8, fault address 0x00010bcb.
The POP3 service had in fact crashed and it needed to be restarted (I
rebooted just to be safe). I believe that this is the first time that
I have ever seen the POP3 service crash. Although I don't believe
that POP3 has anything direct relationship to McAfee on my server
since that app is only used as a command line scanner, I'm quite
suspicious of this causing the issue.
Has anyone else seen either one of these errors on their systems?
Thanks,
Matt
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/ <http://www.mailpure.com/software/>
=====================================================
---
[This E-mail was scanned for viruses by Declude Virus
(http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
--
=====================================================
MailPure custom filters for Declude JunkMail Pro.
http://www.mailpure.com/software/
=====================================================
|
