Environment:
EV10 SP3 (Windows Cluster active-passive)
SQL 2008 R2
Windows 2008 R2
46 File Servers
LUN EMC Symmetrix VMAX as storage device
We found several applications doing massive recalls
(antivirus, backup, explorer.exe and preview pane disabled from registry on each File Server)
There are two applications discovered so far
Details:
McAfee Endpoint Encryption For Files And Folders 3.2.6
We have 90 users with the encryption tool installed on their client workstations. If one of these users accesses a file server share resource where we have archived items, all the archived items in that location start retrieving. This issue is generating bulk recalls on our file servers and that is a very critical situation in several ways
1- Because of our archiving policy, set to “accessed time”
2- Our File Servers are growing on site faster
3- We can’t implement ILM because we have too many recalls every day (between 4.000 and 60.000)
After research and work on this situation, we know the McAfee software runs locally on the workstation; that’s why we couldn’t exclude it from the EV registry (excludedexes)
This is an example from the dtrace that confirms my theory
========================================================================================================================================================================
64 13:18:31.587 [3628] (EvPlaceholderService) <3708> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\Cartocor\SGI Corrugado\Planificado\Información Técnica\ELEMENTOS DE SELLO\Retenes\Lz.xls
65 13:18:31.587 [3628] (EvPlaceholderService) <3708> EV:L {RequestArchivedFile::RequestArchivedFile} (Entry)
66 13:18:31.587 [3628] (EvPlaceholderService) <3708> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 4
========================================================================================================================================================================
But even that, we so this behavior over other file servers and we are not 100% sure this is the only software is doing massive recall, for sure McAfee is one, but we need to find out if there is something else.
This is other calls:
(McAfee antivurs), ========================================================================================================================================================================
Attempting to respond to FSA driver with downloaded file: \\?\E:\Corporativo\Balance\2011\04 - Diciembre 11\Z- Resumen 12.11\Bce-Notas - 12.11\BP\EFE\EFE Consolidado\EFE Arcor Consolidado 31.12.11.xlsx
4444 16:54:24.883 [3572] (EvPlaceholderService) <3684> EV:L {RequestArchivedFile::RespondToFSADriver} (Exit) Status: [Success]
4445 16:54:24.883 [3572] (EvPlaceholderService) <3684> EV:L {RequestArchivedFile::Process} (Exit) Status: [Success]
4446 16:54:24.883 [3572] (EvPlaceholderService) <3684> EV:L {CQueue::DeQueue} (Entry)
4447 16:54:24.883 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeNameUsingPHHelper: exit - PID:11028, exe name:mcshield.exe
4448 16:54:24.883 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeName: The .exe name for for pid: 11028 is mcshield.exe
========================================================================================================================================================================
I believe this is Altiris, but I'm not sure
========================================================================================================================================================================
Pass-Through cache initialization of the file \\?\\Users\Lgallardo\Archivos_en_D\GutierrezOO\GeneraciónVarios\GeneraciónCTCC_Operativa.xls is not allowed. Pass-Through is disable on file server.
803 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\Golosinas\Administracion Golosinas\Gestión 2010\Cierre de Costos 2010\2010-10\Met 40 - PPP\2010-10 Asiento Resumen Esencias Met40.xls
804 16:54:23.947 [3572] (EvPlaceholderService) <3680> EV:L {PassThroughRecallLimiter::RespondToFSADriver} (Exit) Status: [Success]
805 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:L {RequestArchivedFile::RequestArchivedFile} (Entry)
806 16:54:23.947 [3572] (EvPlaceholderService) <3680> EV:L {PassThroughRecallLimiter::Process} (Exit) Status: [Success]
807 16:54:23.947 [3572] (EvPlaceholderService) <3680> EV:L {CQueue::DeQueue} (Entry)
808 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 10268
809 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeNameUsingPHHelper: entry - PID:10268
810 16:54:23.963 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeNameUsingPHHelper: exit - PID:10268, exe name:AeXAuditPls.exe
811 16:54:23.963 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeName: The .exe name for for pid: 10268 is AeXAuditPls.exe
========================================================================================================================================================================
There is a release note from McAfee with a workaround for this issue, but basically, we need to turn this tool off-line, so it is not a good solution for us.
325.11 | Offline files incorrectly recalled |
- We also found that Mac is doing unexpected recalls.
If a Mac OS user goes over the File Server, depending on the visualization type configured on MacOS.
We need a list with software and other applications that run massive recalls
Any idea?
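
Added example (not part of the original post, and not vendor code): one way to find out which processes are driving recalls is to tally recall requests per requesting executable across a whole DTrace capture. It assumes the EvPlaceholderService line format quoted above; the sample lines and shortened paths are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the DTrace line format quoted in the post (paths shortened).
SAMPLE = r"""
64 13:18:31.587 [3628] (EvPlaceholderService) <3708> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\A\Lz.xls
66 13:18:31.587 [3628] (EvPlaceholderService) <3708> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 4
70 13:18:31.600 [3628] (EvPlaceholderService) <3708> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\A\Lz2.xls
72 13:18:31.600 [3628] (EvPlaceholderService) <3708> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 4
803 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Groups\B\Asiento.xls
808 16:54:23.947 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 10268
811 16:54:23.963 [3572] (EvPlaceholderService) <3640> EV:M WorkItem::GetExeName: The .exe name for for pid: 10268 is AeXAuditPls.exe
4440 16:54:24.870 [3572] (EvPlaceholderService) <3684> EV:M [EvRequestArchivedFile] Queueing placeholder request for file: E:\Corporativo\EFE.xlsx
4441 16:54:24.870 [3572] (EvPlaceholderService) <3684> EV:M WorkItem::GetExeName: Trying to get the .exe name for pid: 11028
4448 16:54:24.883 [3572] (EvPlaceholderService) <3684> EV:M WorkItem::GetExeName: The .exe name for for pid: 11028 is mcshield.exe
"""

LINE = re.compile(r"^\d+\s+\S+\s+\[\d+\]\s+\(\w+\)\s+<(?P<tid>\d+)>\s+EV:\w\s+(?P<msg>.*)$")
QUEUED = re.compile(r"Queueing placeholder request for file: (?P<path>.+)$")
TRYING = re.compile(r"GetExeName: Trying to get the \.exe name for pid: (?P<pid>\d+)")
NAMED = re.compile(r"GetExeName: The \.exe name for for pid: (?P<pid>\d+) is (?P<exe>\S+)")

def summarize_recalls(text):
    """Return {requester: [recalled paths]}; requester is the exe name, or
    'pid:N' when no name was logged (PID 4 is the Windows System process)."""
    pending = {}                  # thread id -> path queued last on that thread
    by_pid = defaultdict(list)    # pid -> paths it requested
    names = {}                    # pid -> exe name once the service resolves it
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # separators and wrapped continuation lines
        tid, msg = m["tid"], m["msg"]
        if q := QUEUED.search(msg):
            pending[tid] = q["path"]
        elif n := NAMED.search(msg):
            names[n["pid"]] = n["exe"]
        elif t := TRYING.search(msg):
            by_pid[t["pid"]].append(pending.pop(tid, "<unknown>"))
    return {names.get(pid, f"pid:{pid}"): paths for pid, paths in by_pid.items()}

def top_requesters(text):
    """Requesters ordered by number of recall requests, highest first."""
    counts = Counter({who: len(p) for who, p in summarize_recalls(text).items()})
    return counts.most_common()

if __name__ == "__main__":
    for who, n in top_requesters(SAMPLE):
        print(f"{n:6d}  {who}")
```

Executables that rank high and run on the file server itself are candidates for the exclusion list the post mentions; requests that only ever resolve to PID 4 cannot be told apart by process name this way.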