Versions:
EPO 5.3
Agent 5.0.1.516
MOVE AV [multi-platform] 3.6.1.141
VirusScan Enterprise 8.8.0.1445
I recently deployed MOVE AV to a limited amount of VMware VDI machines and we're running into an issue. A user is attempting to install a piece of software and the files used by the installation keep getting locked up in scans and the installation fails.
In Windows Logs, Application, I see this:
"Deferred scan is in progress for file 'V:\Users\bi0400\AppData\Local\Temp\OWP2EB1.tmp\sharepointdesigner.ww\spdww.cab'. (A thread in \Device\Mup\nasvs1\users$\BI0400\My Documents\downloads from c\en_sharepoint_designer_2013_with_sp1_x86_3948134.exe process took 45 seconds for scanning. Hence, access denied.)"
In EPO, I see this in the event log of the machine:
| Server ID: | SERVER |
|---|
| Event Received Time: | 9/17/15 2:13:28 PM |
|---|
| Event Generated Time: | 9/17/15 2:09:23 PM |
|---|
| Agent GUID: | 38183660-5CD0-11E5-1271-000000000000 |
|---|
| Detecting Prod ID (deprecated): | MOVEVOFF2600 |
|---|
| Detecting Product Name: | MOVE AV Client |
|---|
| Detecting Product Version: | 3.6.1 |
|---|
| Detecting Product Host Name: | VDESKTOP |
|---|
| Detecting Product IPv4 Address: | 10.25.12.227 |
|---|
| Detecting Product IP Address: | 10.25.12.227 |
|---|
| Detecting Product MAC Address: | |
|---|
| DAT Version: | |
|---|
| Engine Version: | |
|---|
| Threat Source Host Name: | |
|---|
| Threat Source IPv4 Address: | 10.25.12.227 |
|---|
| Threat Source IP Address: | 10.25.12.227 |
|---|
| Threat Source MAC Address: | |
|---|
| Threat Source User Name: | |
|---|
| Threat Source Process Name: | |
|---|
| Threat Source URL: | |
|---|
| Threat Target Host Name: | IT-2 |
|---|
| Threat Target IPv4 Address: | 10.25.12.227 |
|---|
| Threat Target IP Address: | 10.25.12.227 |
|---|
| Threat Target MAC Address: | |
|---|
| Threat Target User Name: | DOMAIN\USER |
|---|
| Threat Target Port Number: | |
|---|
| Threat Target Network Protocol: | |
|---|
| Threat Target Process Name: | \Device\Mup\server\users$\USER\My Documents\downloads from c\en_sharepoint_designer_2013_with_sp1_x86_3948134.exe |
|---|
| Threat Target File Path: | V:\Users\USER\AppData\Local\Temp\OWP2EB1.tmp\sharepointdesigner.ww\spdww.cab |
|---|
| Event Category: | Scan started |
|---|
| Event ID: | 34283 |
|---|
| Threat Severity: | Warning |
|---|
| Threat Name: | Deferred Scan Started |
|---|
| Threat Type: | None |
|---|
| Action Taken: | denied |
|---|
| Threat Handled: | False |
|---|
| Analyzer Detection Method: | OAS |
|---|
*Domain and usernames sanitized
Most settings and policies are default. I'm concerned about going into production with this, and having applications delayed or disrupted by scans timing out and denying access to the file. I would appreciate any advice with this issue. Please let me know if any more details are needed.
You Deserve an Award
