Windows Security Tutorials - Herong's Tutorial Examples - Version 3.00, by Dr. Herong Yang
VirusScan Enterprise 8.5.0i Log Files
This section provides a tutorial example on how to find log files generated by VirusScan Enterprise 8.5.0i, and how to read log file records.
With 3 background services running, McAfee VirusScan Enterprise 8.5.0i is constantly working to protect the local Windows system. To see whether there have been any virus-related issues, you need to look at McAfee's log files.
Go to the folder, C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection. You should see 4 log files:
1. AccessProtectionLog.txt - Recording events captured by the Access Protection Scanner feature. Example of log records:
...
<date time> Blocked by Access Protection rule - NT AUTHORITY\SYSTEM - C:\WINDOWS\system32\services.exe - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe - Common Standard Protection: Prevent termination of McAfee processes - Action blocked : Terminate
...
<date time> Would be blocked by Access Protection rule (rule is currently not enforced) - herong - C:\WINDOWS\Explorer.EXE - C:\temp\dotnetshow30_300k.exe - Common Standard Protection: Prevent common programs from running files from the Temp folder - Action blocked : Execute
The first example record tells us that McAfee does not allow anyone to terminate the McAfee process VsTskMgr.exe. The second example record is more interesting. It tells us that McAfee has a setting to block common programs from executing files in the Temp folder, but this setting is not turned on. I need to find out how to turn on this setting.
2. BufferOverflowProtectionLog.txt - Recording events captured by the Buffer Overflow Scanner feature. This log file is empty on my system. I have no example records to show you.
3. EmailOnDeliveryLog.txt - Recording events captured by the email on-access scanner. This log file seems to be in binary format, but I can still take some example records out of it:
<date time> On-Delivery E-mail Scan Started
<date time> Engine version =5300.2777
<date time> AntiVirus DAT version =5424.0000
<date time> Number of detection signatures in EXTRA.DAT =None
<date time> Names of detection signatures in EXTRA.DAT =None
...
Number of attachments scanned: 28
Number of attachments detected: 0
Number of attachments cleaned: 0
Number of attachments deleted: 0
Number of attachments moved: 0
Number of messages deleted: 0
...
4. OnAccessScanLog.txt - Recording events captured by mcshield on-access scanner. Example of log records:
...
<date time> Engine version =5300.2777
<date time> AntiVirus DAT version =5388.0000
<date time> Number of detection signatures in EXTRA.DAT =None
<date time> Names of detection signatures in EXTRA.DAT =None
...
<date time> Statistics:
<date time> Files scanned: 25161
<date time> Files detected: 0
<date time> Files cleaned: 0
<date time> Files deleted: 0
...
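As an added example (not part of this tutorial or of McAfee's own tooling), the following Python script parses AccessProtectionLog.txt records of the shape shown in item 1 above, splitting on the " - " separator, and lists the rules that only logged a "would be blocked" event so an administrator can review them for enforcement. The sample records are constructed from the page's two examples; the date/time layout is an assumption, since the page shows only "<date time>".

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records in the layout shown on the page.
# The date/time values are made up (assumed "M/D/YYYY h:mm:ss AM/PM").
SAMPLE_LOG = r"""
9/10/2006 10:15:23 AM Blocked by Access Protection rule - NT AUTHORITY\SYSTEM - C:\WINDOWS\system32\services.exe - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe - Common Standard Protection: Prevent termination of McAfee processes - Action blocked : Terminate
9/10/2006 10:20:41 AM Would be blocked by Access Protection rule (rule is currently not enforced) - herong - C:\WINDOWS\Explorer.EXE - C:\temp\dotnetshow30_300k.exe - Common Standard Protection: Prevent common programs from running files from the Temp folder - Action blocked : Execute
"""

# Assumed timestamp prefix; everything after it is the status message.
TIMESTAMP_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} (?:AM|PM)) (.*)$")


@dataclass
class AccessProtectionEvent:
    timestamp: str
    enforced: bool   # False for "Would be blocked ... (rule is currently not enforced)"
    user: str
    process: str     # process that attempted the action
    target: str      # file the action was attempted on
    rule: str
    action: str      # e.g. "Terminate" or "Execute"


def parse_record(line: str) -> Optional[AccessProtectionEvent]:
    """Parse one record; return None for lines without the six ' - ' fields."""
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) != 6:
        return None
    m = TIMESTAMP_RE.match(parts[0])
    if not m:
        return None
    timestamp, status = m.group(1), m.group(2)
    action = parts[5]
    if action.startswith("Action blocked"):       # "Action blocked : Terminate"
        action = action.split(":", 1)[1].strip()
    return AccessProtectionEvent(timestamp, not status.startswith("Would be blocked"),
                                 parts[1], parts[2], parts[3], parts[4], action)


def parse_log(text: str) -> List[AccessProtectionEvent]:
    """Parse every well-formed record in the log text, skipping '...' and blank lines."""
    return [ev for ev in (parse_record(l) for l in text.splitlines()) if ev]


def unenforced_rules(events: List[AccessProtectionEvent]) -> List[str]:
    """Rules that fired only in report mode: candidates to review and enable."""
    return sorted({e.rule for e in events if not e.enforced})
```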
Last update: 2006.