IBM Support

McAfee 8.0i ScriptScan causes a four- to seven-second delay in rendering pages from the WebSphere Product Center Web application.

Question & Answer


Question

What can I do to prevent the delayed performance issue when rendering WebSphere Product Center pages while the McAfee scan is enabled?

Cause

McAfee 8.0i ScriptScan acts as a transparent proxy for Internet Explorer, Outlook Express, and any other applications that rely on the Windows Scripting Host [WSH] to run JavaScript and VBScript, whether embedded in HTML pages or run natively as stand-alone scripts. This lets the anti-virus examine and scan the scripts before they are executed by WSH and rendered in Internet Explorer, Outlook Express, or any other application using WSH. In this way McAfee 8.0i can detect a potential threat earlier, before it triggers in memory and before anything is scanned by the On-Access Scanner [OAS, the real-time protection]. Even when you do not explicitly use ScriptScan, rogue JavaScript or VBScript (embedded in HTML pages) is still triggered. Its actions are not detected by the OAS until a file is written or modified on the system [or other protected system areas are written to or modified], and that will only happen if the threat is already known and detected/blocked by the OAS, either through virus signatures or through one or more of the heuristic rules that the scanner uses to detect known or new threats.

Answer

Because the WebSphere Product Center Web application is a trusted application that runs mostly in-house, we don't need to incur the overhead of ScriptScan. McAfee was contacted to see whether Hot-Fix Patch-14 for 8.0i can be used to exclude certain processes. McAfee's response is that a 'process' is an 'executable file', so you would need to exclude the executable for 'Internet Explorer'. This means you would effectively have to turn off ScriptScan protection for ALL browsing. Also, upgrading from 8.0i to 8.5i does not solve the problem, as the ScriptScan component is effectively unchanged.

Possible Options:

  1. You can determine if the delay caused by ScriptScan is acceptable. If the current users find the performance of the system 'bearable', then leaving ScriptScan enabled is an option.
  2. You can determine if your IT/Systems team will change the security policy for you to disable ScriptScan for WebSphere Product Center users.
  3. You can determine if buying and installing a gateway filtering device such as McAfee Webshield is a possible option for your situation. McAfee Webshield offers protection from threats similar to ScriptScan, plus enhanced protection from Web threats.
  4. You can determine if updating the client machines with more memory or faster processors might help to reduce the impact [delay] caused by ScriptScan. Testing will need to be carried out to verify whether this will adequately reduce the delay.

Formal statement from McAfee:

McAfee has posted this formal statement on its website regarding ScriptScan, and it officially acknowledges the performance issues with the tool:

McAfee ScriptScan PM Statement.pdf

This Product Management statement is in response to concerns expressed by customers regarding the ScriptScan feature of VirusScan Enterprise 8.0i.

To date, upwards of 2000 script-based malware and variants have been detected in the wild. All of these malicious scripts will be detected and blocked by OAS when they access the file system. However, because the scripts can execute in memory before they touch the file system, ScriptScan was developed as a client-side feature to provide added protection for Java and Visual Basic scripts launched by client-side applications which use Microsoft scripting APIs. (ScriptScan is not intended or appropriate for server environments and can safely be disabled on servers.)

ScriptScan is sensitive to the way web pages are constructed, in particular, Java-based web pages. Jscript pages can be built from many component files, each of which must be scanned by ScriptScan. The processing time required for scanning these pages, and therefore the delay seen by the end-user in opening these pages, is directly related to the number of these individual components.

We recognize, however, that this can potentially put customers in the difficult position of making the trade-off between enhanced protection and end-user performance. By examining their ePO reports, customers can determine the relative concern of ScriptScan detections versus On Access Detections in their environment. For example, a customer data set provided to McAfee indicated that ScriptScan detections were about 3% of the total malware detections with the bulk of the detections from OAS. The customer’s data also indicates, however, a significant degradation in end-user performance when ScriptScan is enabled. It is likely, therefore, that in this customer’s environment, the benefits of running ScriptScan are outweighed by the negative impact on end-user performance and McAfee could concur that it was reasonable business practice for this customer to disable the VirusScan Enterprise 8.0i ScriptScan feature.

It is also likely that the script-based malware this customer had seen was from external sources not internal processes; otherwise, the percentage of ScriptScan detections would have been much higher. Therefore, this customer could elevate their protection level back to a comparable level by installing a Secure Web Gateway appliance just behind their externally-facing web-servers. This solution will provide the same protection as does ScriptScan, but directed only at the external web traffic and leaving the internal portal traffic unencumbered.

ScriptScan is a capability not currently provided by our major competitors. Customers can be confident that even though ScriptScan may not be right for all environments, VirusScan Enterprise 8.0i provides superior protection against blended threats, with integrated Buffer Overflow protection for common desktop applications and services, Access Protection rules to block and contain common threat models, true On-Access Scanning for malware, including Anti-Spyware, and rapid-response daily-DAT updates—backed by the power and performance of ePO.
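
The statement above ties the scanning delay to the number of script components a page pulls in. As an added example (not IBM or McAfee code), the following Python inventories the script elements in saved copies of application pages so the pages with the most components can be identified before deciding between the options listed earlier. The page names and HTML are constructed samples, and counting each distinct external file or inline block as one scanned component is an assumption.

```python
from collections import Counter
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collects <script> elements: external files (src=) and inline blocks."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external, self.inline_sizes = [], []
        self.languages = Counter()
        self._buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = {k: (v or "") for k, v in attrs}
        lang = (a.get("type") or a.get("language") or "javascript").lower()
        self.languages["vbscript" if "vbscript" in lang else "javascript"] += 1
        if a.get("src"):
            self.external.append(a["src"])
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_sizes.append(len("".join(self._buf).encode("utf-8")))
            self._buf = None


def inventory(html):
    p = ScriptInventory()
    p.feed(html)
    p.close()
    ext, inl = len(set(p.external)), len(p.inline_sizes)
    return {"external_files": ext, "inline_blocks": inl, "components": ext + inl,
            "inline_bytes": sum(p.inline_sizes), "languages": dict(p.languages)}


def rank_pages(pages):
    """pages maps name -> HTML; returns (name, inventory), most components first."""
    rows = [(name, inventory(html)) for name, html in pages.items()]
    return sorted(rows, key=lambda r: r[1]["components"], reverse=True)


# Constructed sample pages (hypothetical names and paths, not from the product).
SAMPLE_PAGES = {
    "login.html": '<html><body><script src="/js/common.js"></script></body></html>',
    "item_edit.html": '<html><head><script type="text/javascript" src="/js/common.js"></script>'
    '<script src="/js/tree.js"></script><script src="/js/grid.js"></script>'
    '<script src="/js/common.js"></script><script language="VBScript">Dim x</script>'
    "</head><body><script>var a = 1;</script></body></html>",
}
```

A file referenced twice is counted once under `external_files`; whether the scanner re-scans a cached file is not stated on this page.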

Product Synonym

WPC ;WebSphere Product Center

Document Information

Modified date:
16 June 2018

UID

swg21291267