Community Help Hub

nurnay · ‎11-18-2015

Yes, I'm running the latest agent. I can run McTray.exe with no error, but when I do, the VirusScan icon disappears and I have no McAfee icons whatsoever. When I reboot, the VirusScan icon returns, McTray is not running. I have the following warnings in my AccessProtection log:

11/18/2015	8:19:38 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\SVCHOST.EXE	C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
11/18/2015	8:19:38 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\SVCHOST.EXE	C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
11/18/2015	8:19:38 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\SVCHOST.EXE	C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
11/18/2015	8:19:38 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\SVCHOST.EXE	C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
11/18/2015	8:19:38 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\SVCHOST.EXE	C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
11/18/2015	8:19:38 AM	Blocked by Access Protection rule	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\SVCHOST.EXE	C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE	Common Standard Protection:Prevent termination of McAfee processes	Action blocked : Terminate
11/18/2015	8:20:01 AM	Would be blocked by Access Protection rule (rule is currently not enforced)	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\WSCRIPT.EXE	C:\Windows\Temp\ConfigMgrStartup.vbs.log	Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder	Action blocked : Create
11/18/2015	8:20:10 AM	Would be blocked by Access Protection rule (rule is currently not enforced)	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\WSCRIPT.EXE	C:\Windows\Temp\ConfigMgrStartup.vbs.log	Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder	Action blocked : Create
11/18/2015	8:20:20 AM	Would be blocked by Access Protection rule (rule is currently not enforced)	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\WSCRIPT.EXE	C:\Windows\Temp\ConfigMgrStartup.vbs.log	Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder	Action blocked : Create
11/18/2015	8:20:29 AM	Would be blocked by Access Protection rule (rule is currently not enforced)	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\WSCRIPT.EXE	C:\Windows\Temp\ConfigMgrStartup.vbs.log	Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder	Action blocked : Create
11/18/2015	8:20:41 AM	Would be blocked by Access Protection rule (rule is currently not enforced)	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\WSCRIPT.EXE	C:\Windows\Temp\ConfigMgrStartup.vbs.log	Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder	Action blocked : Create
11/18/2015	8:20:52 AM	Would be blocked by Access Protection rule (rule is currently not enforced)	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\WSCRIPT.EXE	C:\Windows\Temp\ConfigMgrStartup.vbs.log	Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder	Action blocked : Create
11/18/2015	8:21:40 AM	Would be blocked by Access Protection rule (rule is currently not enforced)	NT AUTHORITY\SYSTEM	C:\WINDOWS\SYSTEM32\WSCRIPT.EXE	C:\Windows\Temp\ConfigMgrStartup.vbs.log	Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder	Action blocked : Create

gpickers · ‎11-18-2015

Hello nurnay,

Your VirusScan Enterprise Access Protection rules are blocking SVCHOST.EXE from terminating the following McAfee processes:

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE

C:\WINDOWS\SYSTEM32\SVCHOST.EXE

C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE

The other warnings are not actively blocking as outlined by (rule currently not enforced).

In order to resolve this, add the exclusions to your Access Protection Policies in ePO.

Under the Common Standard Protection category edit the Prevent termination of McAfee processes rule.

Here you can add either the full path or just the executable files for the three McAfee processes of which the termination has been blocked.

Alternatively you can temporarily disable access protection from ePO for the endpoint that you are deploying the agent to, if you do not wish to add the exceptions to your policy permanently (just remember to re-enable access protection once the deployment is complete).

Whether you have applied the exclusions or temporarily disable access protection, re-deploy the McAfee Agent and see if the tray icons perform as expected.

Sadly this is not applicable to the original issue raised by DPE as they have outlined they are not using VirusScan Enterprise.

Hope this helps,

George

nurnay · ‎11-18-2015

This is only happening sporadically. And only on Windows 10 machines. All have the same settings in McAfee.

jhall2 · ‎11-18-2015

There is a known issue in which running previous versions of McAfee Agent extensions with McAfee Agent 5.0.2 results in this behavior. Can you check the McAfee Agent extension version and upgrade to 5.0.2 if not currently?

nurnay · ‎11-18-2015

I'm showing the 5.0.2.118 extension, although the McAfee Agent is at 5.0.2.132. Is there a newer extension? If so, where can I get it? I don't see anything newer under Software Manager.

Thanks!

petedc · ‎02-24-2016

Not sure if you have your issue figured out but i think i have an answer for you.

I recently had the same issue where the logs showed MCTray.exe being blocked and the MA icon not starting with the exact same error message you were getting.

I opened a ticket with McAfee and they found that there were some incompatibilities with having the Self Protection feature turned on with several different applications.

My particular one was with CCMEXEC.exe SCCM client and a few others that escape me right now. But the issue was the self protection feature and not the other applications.

See the screen shot below.

Just go to your Agent polices and uncheck the Enable Self Protection feature. After that the MA icon showed up and no more errors.

DPE · ‎06-08-2016

Hi petedc,

Sorry for the very late reply. Your suggestion worked. I unclicked 'Self protection' in my policy, upgraded the McAfee Agent to 5.0.2, and now the system tray icon is showing.

What exactly is the 'Self Protection' option doing? And is it a wanted scenario having this option disabled?

jagadeeshp · ‎03-08-2016

Hi DPE,

did you check installing the agent manually.try to download frame package from epo and install it and let me know if u are facing same issue.

tvuk · ‎04-25-2016

I am experiencing the same problem with the same errors in %temp%\McAfeeLogs - UdatrUI could not lauch McTray.

I have disabled the Self Protection feature of McAfee Agent but it did not help, the software is the very latest (Agent version 5.0.2.333, extension version 5.0.2.118). The only software installed, apart from Agent, is Device Encryption 7.1.3 (Agent and client). The disks are encrypted so Agent uninstall is out of the question.

The issue started after upgrade (old version, Agent 4.6 and EE 6.2.1 worked just fine).

bretzeli · ‎06-15-2016

* One would be SELF PROTECT for Windows

* Second one would be this is WANTED of RDP/Terminal Server if you use RDP to connect to the client

Problem

The McAfee icon is not present in the system tray during a remote session using terminal services.

The McAfee icon is not present in the system tray during a remote connection that uses session ID=2.

The MA 5.x updatereui.log records the following entry:

<date/time stamp> I #4304 Cmalib The environment variable SESSIONNAME = RDP-Tcp#0

The MA 4.8 Agent_<computer_name>.log records the following entry:

<date/time stamp> I Fsv 1076 UsrSpCt UpdaterUI won't be launched for Terminal Services client session (sessionID=2)

Cause

The McAfee system tray icon is displayed only in console sessions or a local session. The UDATERUI.EXE process runs only on the local session or console sessions. It does not run during terminal server client sessions.

This issue is not specific to Windows Terminal Services, and affects any remote connection utility that connects to Session ID 2. This is intended to prevent a user-loaded process from running for each individual user session.

Solution

If you require the McAfee Agent user interface function on other terminal services client sessions, you can run UDATERUI.EXE manually.

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Re: McAfee Agent 5.0.2 issue - System tray icon not showing

Problem

Cause

Solution

Community Help Hub

Join the Community