McAfee Again

I wrote before about how MOM 2005 has a problem with McAfee ScriptScan. Well it is a problem with 2007 as well. Certainly v8.

At a customer site we saw some servers peaking at 100% and multiple copies of Cscript.exe running. On some servers that were near their limit people started to complain of sluggish response.

We stopped ScriptScan from running (which is now a McAfee recommendation on servers – see below) but additionally we had to exclude the SCOM program files directory. I presume because all the scripts are stored in directories there and run from there. When both were done then servers went back to about 2% utilization. Much better.

Here is McAfee’s KB on it with the note at the end – important if you need your manager to approve the change.

https://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=KB40067&sliceId=SAL_Public&dialogID=2123018&stateId=0%200%202121540

“When installed to a server, McAfee recommends that ScriptScan be disabled. JScript and VBScript protection is intended for use with Microsoft Internet Explorer and Microsoft Outlook, which generally are not used on server platforms. Additionally, ScriptScan is not designed for high-throughput requirements of servers.

Despite having On-Access Scanner protection, there is some risk in disabling ScriptScan. The On-Access Scanner detects malicious script attacks when the script, or its activity, accesses the file system. However, not all scripts must interact with the file system to become a hindrance or modify system settings. ScriptScan would block those malicious scripts from executing.”

Advertisements
%d bloggers like this: