Last Modified: 09/19/2013
McAfee VirusScan Enterprise 8.8, 8.7i
Microsoft Windows UNC paths, mapped drives, and shares
EMC Celerra filers with CAVA Agent
Network Drive Scanning (enabled)
When scanning a remote file with VirusScan Enterprise, the real-time or On-Access Scanner (mcshield.exe) impersonates the access token of the original requestor for the file object. The scanner needs this access token to read the information about the remote file object that is necessary for scanning it.
McAfee Engineering has confirmed that this behavior stems from a function of the Scan Engine; the DAT content simply leverages that function, which in turn leads to the symptom. This engine function neither inherits the access token already acquired by McShield's scan thread nor requests one of its own. Consequently, the engine function fails to access the remote file object, and the McShield scan thread eventually times out.
As a temporary yet fully supported interim measure, implement the workaround below.
Modify the McShield service to run as a specific account rather than the local System account. For example, for EMC CAVA environments where the CAVA Agent is the process responsible for accessing the remote file object, set McShield to use those same credentials.
NOTE: To undo the following changes, follow the same steps but on the Log On tab, select Local System account.
- Disable Access Protection:
  - Open the VirusScan Console.
  - Right-click Access Protection and select Disable.
- Open a command prompt window as an Administrator, and then type the following command and press ENTER:
- Right-click on McAfee McShield and select Properties.
- Click the Log On tab and select This account.
- Provide the credential information for an account that has access to both local and remote files, and then click OK.
- Restart the McAfee McShield service or restart your computer.
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
- The account running cava.exe usually has the Act as part of the operating system permission.
- To edit the Security Settings on a Group Policy object, see http://technet.microsoft.com/en-us/library/cc736516(v=ws.10).aspx#BKMK_Domain.
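
The following is an added example, not part of the original McAfee article, for checking the result of the workaround from an elevated PowerShell prompt: it reports which account the McShield service logs on as and whether that account is listed for the Act as part of the operating system right (SeTcbPrivilege). The service name McShield and the temporary file name are assumptions.

```powershell
# Added example: audit the McShield logon account after the workaround.
# Assumption: the Windows service name is 'McShield'.
$ServiceName = 'McShield'

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' was not found on this computer." }

$account       = $svc.StartName
$isLocalSystem = $account -eq 'LocalSystem'

# Normalise the name so it can be translated to a SID:
#   'LocalSystem' -> 'NT AUTHORITY\SYSTEM', '.\user' -> 'COMPUTER\user'
$name = if ($isLocalSystem) { 'NT AUTHORITY\SYSTEM' }
        else { $account -replace '^\.\\', "$env:COMPUTERNAME\" }
$nt  = New-Object System.Security.Principal.NTAccount ($name)
$sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export the user rights assignment in effect on this computer.
# Assumption: a temporary file in %TEMP% is acceptable; it is deleted afterwards.
$cfg = Join-Path $env:TEMP 'mcshield-user-rights.inf'
secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeTcbPrivilege\s*=' |
        Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue

# The export lists holders as '*<SID>' where possible, otherwise by name.
$holders = @()
if ($line) {
    $holders = ($line.Line -split '=', 2)[1].Split(',') |
               ForEach-Object { $_.Trim().TrimStart('*') }
}
$listed = ($holders -contains $sid) -or ($holders -contains $account)

[pscustomobject]@{
    Service                 = $svc.Name
    State                   = $svc.State
    LogOnAs                 = $account
    RunsAsLocalSystem       = $isLocalSystem
    AccountSid              = $sid
    ListedForSeTcbPrivilege = $listed
}
```

After the workaround is applied, RunsAsLocalSystem should be False; after it is undone as described in the NOTE, it should be True again.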