LDAP queries increase when scanning Information Rights Management-protected files after updating to the 5800 Scan Engine
Technical Articles ID:   KB87172
Last Modified:  11/11/2016


Environment

McAfee VirusScan Enterprise (VSE) 8.x
McAfee Anti-Malware Scan Engine 5.8.00 (5800)

Problem

Lightweight Directory Access Protocol (LDAP) queries increase when scanning Information Rights Management (IRM) protected files after updating to the 5800 Scan Engine.

Cause

The function of querying Active Directory is an artifact of the Alert Manager product. The Alert Manager product has reached End of Life (EOL); however, there is still code within VSE that retains some of Alert Manager's functionality.

In an Active Directory environment, the Alert Manager Server would be located using an LDAP query. When the Active Directory Object for the Alert Manager server was found, the Alert would be sent to that server.

When the 5800 Scan Engine sees the IRM-protected file, it sends an alert through MFEANN.exe, which works in conjunction with Alert Manager. Previous Scan Engine versions found nothing.

This is an expected behavior that results from detection enhancements implemented with the 5800 Scan Engine.

Solution

{VSE88P9.EN_US}

Workaround

{GENRD.EN_US}
  1. In the VSE Console, disable Access Protection.
  2. Press Windows+R, type regedit, and click OK.
  3. Navigate to:

    64-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\Alert Client\VSE]
    32-bit: [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SystemCore\VSCore\Alert Client\VSE]

  4. Select the No Active Dir value.

    If the No Active Dir value is not present, create a new DWORD value named No Active Dir by right-clicking and selecting New, DWORD (32-bit) Value.

  5. Double-click the No Active Dir value and change the value to 1.
  6. In the VSE Console, enable Access Protection.
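
The registry change in steps 3 to 5 can also be scripted for repeatable use across endpoints. The following PowerShell is an added example, not McAfee-supplied code; it uses only the key paths and value name given above, and it assumes it is saved as a .ps1 file and run elevated after Access Protection has been disabled in the VSE Console (steps 1 and 6 remain manual).

```powershell
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param()

# Value name and key paths are the ones listed in step 3 of the workaround.
$valueName = 'No Active Dir'
$subKey    = 'McAfee\SystemCore\VSCore\Alert Client\VSE'
$keyPath   = if ([Environment]::Is64BitOperatingSystem) {
    "HKLM:\SOFTWARE\Wow6432Node\$subKey"   # 64-bit Windows
} else {
    "HKLM:\SOFTWARE\$subKey"               # 32-bit Windows
}

if (-not (Test-Path -LiteralPath $keyPath)) {
    Write-Warning "Key not found (is VSE installed?): $keyPath"
    return
}

# Read the current value; $null means the value does not exist yet.
$current = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName

if ($current -eq 1) {
    Write-Output "'$valueName' is already 1 at $keyPath"
    return
}

if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set DWORD to 1')) {
    try {
        # -Force creates the value if it is missing and overwrites it if present.
        New-ItemProperty -LiteralPath $keyPath -Name $valueName `
            -PropertyType DWord -Value 1 -Force -ErrorAction Stop | Out-Null
    } catch {
        # Assumption: a failed write most likely means Access Protection
        # is still enabled (step 1 was skipped).
        Write-Error ("Could not write '$valueName': $($_.Exception.Message). " +
                     'Confirm Access Protection is disabled in the VSE Console.')
        return
    }
    # Read the value back to confirm the change took effect.
    $after = (Get-ItemProperty -LiteralPath $keyPath -Name $valueName).$valueName
    Write-Output "'$valueName' changed from '$current' to '$after' at $keyPath"
}
```

Running the script with `-WhatIf` reports the change it would make without writing to the registry.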

Workaround

In an ePolicy Orchestrator (ePO) managed environment, disable the Active Directory Lookup settings in the Alert Manager Policy.
  1. Log on to the ePO console.
  2. Click Menu, Policy Catalog.
  3. From the Product drop-down menu, select VirusScan Enterprise 8.8.
  4. From the Category drop-down menu, select Alert Policies.
  5. Click your policy.
  6. At the top, select either Workstation or Server from the drop-down list.
  7. Select Do not use Active Directory Lookup and click Save.
