Hi Kevin,
kevin_27 wrote:
We are managing an environment with around 2000 computers. We are using ePO 4.6 to manage the Mcafee Clients. Issue what we are facing is that when we plug an USB to any of the machine, we dont see or get a message that McAfee is scanning it. We also belive that the scanning is not happeningat all. Any thoughts?
'We also believe that the scanning is not happening at all.'
Scanning will take place as long as you have 'Scanning on Read' ON. This is critical!
When files are read from the USB drive, the files read are scanned at time of the read. This happens in the background and no 'message' is displayed. Scanning should happen on Autorun.inf launched files as well. Again, Scanning on Read is essential.
'we dont see or get a message that McAfee is scanning it.' Yes. I prefer it this way. I don't want to interrupt anyone to say, 'Yes - I am slowing you down with a scan.' I don't need to report, 'things are normal' filling up my logs with information that is not helping with an outbreak.
Imagine inserting the USB cable to a 3 TB backup drive. Scanning the entire drive or even a half filled drive would be extremely performance draining and time consuming. I regularly insert and soon thereafter remove a 128 GB flash drive. I could not 'properly' remove the drive until the entire scan completed. So, I could wait, then eject correctly, or I could remove the flash drive early and potentially corrupt it's file structure. Neither is beneficial to securing the system against transferring malware, from the flash drive to the system.
Again the true protection is based on making Sure that 'Scanning on Read' is ON.
You may also want to block 'Autorun' from happening, but that is debatable.
A bigger question might be, 'What information may be Leaking via a USB attached drive?' With that in mind, consider McAfee's DLP program.
So, check your settings to make sure that 'Scanning on Read' is On.
Hope this helps.
Ron Metzger
No comments:
Post a Comment