Antivirus folder-level exclusions for Enterprise Vault and McAfee Antivirus version 8.8

Article: 100013388
Last Published: 2020-09-23
Product(s): Enterprise Vault

Problem

A search of an Enterprise Vault archive using Search.asp, Searcho2k or Archive Explorer returns partial or no results. The message 'Unable to list the contents of the whole archive. Contact your administrator' is displayed in the search window.


Note: The errors below may also be seen while performing a Verify, Synchronization or Rebuild of indexes. Program faults with Event ID 40966 would be reported by the Enterprise Vault Index Admin Service.

Error Message

A review of the Enterprise Vault event logs shows a corresponding event ID 41315 reported by Index Query Server.

The content of the 41315 event can vary:

  • Invalid access to memory location. (Exception from HRESULT: 0x800703E6)
  • The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
  • A search failed with error "The HTTP request was forbidden with client authentication scheme 'Ntlm'.
  • Attempted to read or write protected memory. This is often an indication that other memory is corrupt.

V-437-41315

Cause

The Enterprise Vault 64-bit Index broker uses the Windows and inetpub temporary folders for search queries and results. Many organizations feel that these folders present a security risk, and will not exclude them from antivirus (AV) scans. As a result, McAfee has been known to falsely identify EV index-related items as a threat and block access to them.

Solution

Ensure that the antivirus folder-level exclusions recommended for Enterprise Vault are in place. See article 100017720.

Ensure that the following folders are excluded from antivirus scanning on the Enterprise Vault servers:

  • **\inetpub\temp\appPools\EnterpriseVaultAppPool\
  • **\Windows\inf\Enterprise Vault Index Query Server\
  • **\Windows\TEMP\
  • <install_path>Program Files (x86)\Enterprise Vault\EVIndexing\data
  • <install_path>\Users\<VaultServiceAccount>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5
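
The following PowerShell is an added example, not code from Veritas or McAfee: it compares an exported exclusion list against the folders listed above, reporting required entries that are missing and configured entries this article does not call for. The configured list, the `C:\` and `svc-vault` substitutions for `<install_path>` and `<VaultServiceAccount>`, the function names, and the reading of `**\` as "at any depth" are assumptions made for illustration.

```powershell
# Added example. Required exclusions are copied from this article; <install_path> and
# <VaultServiceAccount> are replaced with constructed sample values (C:\ and svc-vault).
$RequiredExclusions = @(
    '**\inetpub\temp\appPools\EnterpriseVaultAppPool\'
    '**\Windows\inf\Enterprise Vault Index Query Server\'
    '**\Windows\TEMP\'
    'C:\Program Files (x86)\Enterprise Vault\EVIndexing\data'
    'C:\Users\svc-vault\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5'
)

# Constructed sample standing in for the exclusion list exported from the antivirus policy.
$ConfiguredExclusions = @(
    'C:\inetpub\temp\appPools\EnterpriseVaultAppPool'
    '**\windows\temp\'
    'C:\Program Files (x86)\Enterprise Vault\EVIndexing\data\'
    'D:\Backups\'
)

function ConvertTo-ComparablePath {
    param([string]$Path)
    # Windows paths are case-insensitive; ignore surrounding spaces and the trailing backslash.
    $Path.Trim().TrimEnd('\').ToLowerInvariant()
}

function Test-ExclusionMatch {
    param([string]$Required, [string]$Configured)
    $req = ConvertTo-ComparablePath $Required
    $cfg = ConvertTo-ComparablePath $Configured
    if ($cfg -eq $req) { return $true }
    # Assumption: '**\tail' means "tail at any depth", so a concrete path ending in '\tail' satisfies it.
    return ($req.StartsWith('**\') -and $cfg.EndsWith($req.Substring(2)))
}

function Compare-EvExclusions {
    param([string[]]$Required, [string[]]$Configured)
    foreach ($r in $Required) {
        $hit = @($Configured | Where-Object { Test-ExclusionMatch -Required $r -Configured $_ })
        [pscustomobject]@{ Status = if ($hit.Count -gt 0) { 'Present' } else { 'Missing' }; Path = $r }
    }
    # A configured entry that satisfies no required one widens the unscanned area: list it for review.
    foreach ($c in $Configured) {
        $needed = @($Required | Where-Object { Test-ExclusionMatch -Required $_ -Configured $c })
        if ($needed.Count -eq 0) { [pscustomobject]@{ Status = 'ReviewExtra'; Path = $c } }
    }
}

Compare-EvExclusions -Required $RequiredExclusions -Configured $ConfiguredExclusions | Format-Table -AutoSize
```

With the sample data, the Index Query Server and Content.IE5 folders are reported as Missing and `D:\Backups\` as ReviewExtra.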

If Access Protection is enabled, monitor the Access Protection logs for blocked Enterprise Vault processes, and exclude those processes from the Access Protection Rules.

Note:

After extensive testing, it has been determined that even with all of these exclusions in place, EV cannot be reliably configured to work properly with McAfee 8.8 Patch 4. Further testing determined that Patch 5 and Patch 6 did not experience the same issues. As a result, McAfee 8.8 Patch 4 is no longer supported. Please see the compatibility guide, in the related articles section, for supported versions.

 

Applies To

McAfee Antivirus 8.8.

References

Etrack : 3554013 Etrack : 3527476
