Yes, I'm running the latest agent. I can run McTray.exe with no error, but when I do, the VirusScan icon disappears and I have no McAfee icons whatsoever. When I reboot, the VirusScan icon returns, McTray is not running. I have the following warnings in my AccessProtection log:
11/18/2015 | 8:19:38 AM | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE | Common Standard Protection:Prevent termination of McAfee processes | Action blocked : Terminate |
11/18/2015 | 8:19:38 AM | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE | Common Standard Protection:Prevent termination of McAfee processes | Action blocked : Terminate |
11/18/2015 | 8:19:38 AM | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE | Common Standard Protection:Prevent termination of McAfee processes | Action blocked : Terminate |
11/18/2015 | 8:19:38 AM | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE | Common Standard Protection:Prevent termination of McAfee processes | Action blocked : Terminate |
11/18/2015 | 8:19:38 AM | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE | Common Standard Protection:Prevent termination of McAfee processes | Action blocked : Terminate |
11/18/2015 | 8:19:38 AM | Blocked by Access Protection rule | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE | Common Standard Protection:Prevent termination of McAfee processes | Action blocked : Terminate |
11/18/2015 | 8:20:01 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\WSCRIPT.EXE | C:\Windows\Temp\ConfigMgrStartup.vbs.log | Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder | Action blocked : Create |
11/18/2015 | 8:20:10 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\WSCRIPT.EXE | C:\Windows\Temp\ConfigMgrStartup.vbs.log | Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder | Action blocked : Create |
11/18/2015 | 8:20:20 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\WSCRIPT.EXE | C:\Windows\Temp\ConfigMgrStartup.vbs.log | Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder | Action blocked : Create |
11/18/2015 | 8:20:29 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\WSCRIPT.EXE | C:\Windows\Temp\ConfigMgrStartup.vbs.log | Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder | Action blocked : Create |
11/18/2015 | 8:20:41 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\WSCRIPT.EXE | C:\Windows\Temp\ConfigMgrStartup.vbs.log | Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder | Action blocked : Create |
11/18/2015 | 8:20:52 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\WSCRIPT.EXE | C:\Windows\Temp\ConfigMgrStartup.vbs.log | Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder | Action blocked : Create |
11/18/2015 | 8:21:40 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | NT AUTHORITY\SYSTEM | C:\WINDOWS\SYSTEM32\WSCRIPT.EXE | C:\Windows\Temp\ConfigMgrStartup.vbs.log | Anti-spyware Maximum Protection:Prevent execution of scripts from the Temp folder | Action blocked : Create |
Hello nurnay,
Your VirusScan Enterprise Access Protection rules are blocking SVCHOST.EXE from terminating the following McAfee processes:
C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\VSTSKMGR.EXE |
C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES (X86)\MCAFEE\VIRUSSCAN ENTERPRISE\MFEANN.EXE |
C:\WINDOWS\SYSTEM32\SVCHOST.EXE | C:\PROGRAM FILES\COMMON FILES\MCAFEE\SYSTEMCORE\MCSHIELD.EXE |
The other warnings are not actively blocking as outlined by (rule currently not enforced).
In order to resolve this, add the exclusions to your Access Protection Policies in ePO.
Under the Common Standard Protection category edit the Prevent termination of McAfee processes rule.
Here you can add either the full path or just the executable files for the three McAfee processes of which the termination has been blocked.
Alternatively you can temporarily disable access protection from ePO for the endpoint that you are deploying the agent to, if you do not wish to add the exceptions to your policy permanently (just remember to re-enable access protection once the deployment is complete).
Whether you have applied the exclusions or temporarily disable access protection, re-deploy the McAfee Agent and see if the tray icons perform as expected.
Sadly this is not applicable to the original issue raised by DPE as they have outlined they are not using VirusScan Enterprise.
Hope this helps,
George
This is only happening sporadically. And only on Windows 10 machines. All have the same settings in McAfee.
There is a known issue in which running previous versions of McAfee Agent extensions with McAfee Agent 5.0.2 results in this behavior. Can you check the McAfee Agent extension version and upgrade to 5.0.2 if not currently?
I'm showing the 5.0.2.118 extension, although the McAfee Agent is at 5.0.2.132. Is there a newer extension? If so, where can I get it? I don't see anything newer under Software Manager.
Thanks!
Not sure if you have your issue figured out but i think i have an answer for you.
I recently had the same issue where the logs showed MCTray.exe being blocked and the MA icon not starting with the exact same error message you were getting.
I opened a ticket with McAfee and they found that there were some incompatibilities with having the Self Protection feature turned on with several different applications.
My particular one was with CCMEXEC.exe SCCM client and a few others that escape me right now. But the issue was the self protection feature and not the other applications.
See the screen shot below.
Just go to your Agent polices and uncheck the Enable Self Protection feature. After that the MA icon showed up and no more errors.
Hi petedc,
Sorry for the very late reply. Your suggestion worked. I unclicked 'Self protection' in my policy, upgraded the McAfee Agent to 5.0.2, and now the system tray icon is showing.
What exactly is the 'Self Protection' option doing? And is it a wanted scenario having this option disabled?
Hi DPE,
did you check installing the agent manually.try to download frame package from epo and install it and let me know if u are facing same issue.
I am experiencing the same problem with the same errors in %temp%\McAfeeLogs - UdatrUI could not lauch McTray.
I have disabled the Self Protection feature of McAfee Agent but it did not help, the software is the very latest (Agent version 5.0.2.333, extension version 5.0.2.118). The only software installed, apart from Agent, is Device Encryption 7.1.3 (Agent and client). The disks are encrypted so Agent uninstall is out of the question.
The issue started after upgrade (old version, Agent 4.6 and EE 6.2.1 worked just fine).
* One would be SELF PROTECT for Windows
* Second one would be this is WANTED of RDP/Terminal Server if you use RDP to connect to the client
<date/time stamp> I #4304 Cmalib The environment variable SESSIONNAME = RDP-Tcp#0
The MA 4.8 Agent_<computer_name>.log records the following entry:
<date/time stamp> I Fsv 1076 UsrSpCt UpdaterUI won't be launched for Terminal Services client session (sessionID=2)
Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA