More and more companies that use SMS 2003 for software update management are starting to roll out the latest software update tool available: the Inventory Tool for Microsoft Updates (ITMU). As this happens, I am seeing a lot of misinformation floating around and being spread on the incompatibilities between McAfee Antivirus and ITMU. I want to set the record straight with a few simple points on the known issues between the two pieces of software.
With regards to McAfee and ITMU, there are potentially two issues you can run into:
- Wsusscan.cab archive file scanning – the wsusscan.cab is an archived archive file. The middle archive file has about 20,000 small data definition XML files that define over 6000 Microsoft updates. McAfee does a very thorough job of unpacking and scanning every file whenever the wsusscan.cab file is copied to or around on a client machine. This can cause considerable processing and disruption to the ITMU scan process as the cab is first copied from the distribution point, then to the VPCache folder and ultimately to the Windows Update Agent (WUA) cache for unpackaging and scanning by WUA. We have consulted with antivirus experts around the world who have advised two safe and secure methods of avoiding the processing. Option 1 is to exclude the wsusscan.cab file itself from scanning. I’m not sure if McAfee offers this as an option, but remember you would have to wildcard exclude it because it is copied to non-predictable directory paths in temp locations and VPCache directories. So just excluding a single full file path will not solve the issue. Remember that excluding wsusscan.cab from scanning is not a potential security risk, as the only process that would attempt to extract it is WUA, which will always check for the MS digital cert prior to processing and fail otherwise. Option 2 is to exclude scanning all archives. Contrary to urban legend, this does not pose a security risk and most A/V software has a configuration item for this. Having a virus or malware packaged in a cab is not an issue until someone or something attempts to unpack and then execute it. This action would always be caught by real time scanning, so the risk is very low of excluding archived files from A/V scans. You can read more about that here: http://support.microsoft.com/default.aspx?kbid=900638
- The second issue is that McAfee puts a file lock on the WUA client cache edb in the %Windir%\SoftwareDistribution folder on clients. This prevents WUA from accessing it and prevents scanning from happening. You can read more about that here: http://support.microsoft.com/?kbid=922358
As I mentioned earlier, there is a lot of misinformation floating around the various newsgroups and discussion aliases with regards to McAfee and ITMU compatibility. Please know that there are viable and secure workarounds available to get everything in working order when using these two products side-by-side. If you have any questions or concerns, please work with your MS or McAfee contacts to learn more.