
Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


I have a cluster of VMs with a primary and secondary SVM both running the 4.8.0.186 MFP Move software, and ENS 10.6.1.1449, Threat Prevention 10.6.1.1550, McAfee agent 5.6.1.157. The two SVMs are managing around 60 VMs. Not a heavy load. They are manually assigned to the SVMs, so there is no SVM manager. Last night I had thousands of alerts generated from the VMs due to Event ID 36976 "Scan Timed Out" on legitimate McAfee and MS files, e.g. svchost.exe, lsass.exe, csrss.exe, WmiPrvSE.exe, McTray.exe, mfevtps.exe, TrustedInstaller.exe. I hadn't made any policy changes. The VMs were all locked up, and after removing the ENS software from the SVMs the VMs in the cluster were still locked up and generating timeout errors. I rebooted the SVMs, and then was able to remove the Move clients from the VMs that were being managed. Unfortunately, removing the client also removed the most recent mvagent.log files from the affected systems. The affected servers' application event logs are filled with errors like you see below. Is anybody else familiar with this issue? I have opened a ticket with tech support, and am running MER on the SVMs, so hopefully that will provide some clarification. Thanks

 

scan timed out.jpg

Accepted Solutions
McAfee Employee tlange
Message 2 of 8

Re: Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


First, I would update Move (SVM/clients) to build 4.8.0.411, which you can get from Software Manager in ePO. There is an issue with the SVMs where it fails to initialize properly and will cause the issues you are seeing. The new build fixes that problem and should address the issue you are seeing. If you still experience the issue, then I would call into support and get a ticket opened so we can investigate further.


Re: Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


SR# 4-20012988337 was opened yesterday morning. MER logs collected and sent. After opening the SR in the morning I updated four SVMs yesterday afternoon to 4.8.0.411. Two SVMs from the original cluster that had a problem on 6/18, and two managing another cluster. Primary and secondary servers are manually assigned to both clusters, and have been SVMs for at least a couple of years. The hotfix upgrade required a reboot, so I started with the secondary SVM, and as soon as I rebooted it all of the VM clients that have it assigned as a secondary SVM began having the scan timeout issue. I verified that the Move service was running on the SVM following the reboot. Even after the SVM was back on line the scan timeout errors continued. The primary SVM never went offline during this time, but the VM clients' behavior was as if neither were on line even after the secondary that just had the hotfix applied came back on line. I decided at that point that I had nothing to lose by installing the hotfix for .411 on the primary, so I did that, rebooted and both the primary and secondary SVMs were now on line with .411 running, and I verified that the Move server service was running on both. The scan timeout errors continued until I rebooted the secondary SVM server a second time, then the scan timeouts stopped. These two SVMs are managing about 40 VM clients, and with the timeout configured at 300 seconds I was getting about 100 alerts or more every few minutes. The problem seems to be triggered when the SVMs are rebooted, and even after they're both on line sometimes a second reboot is needed to stop the scan timeouts. I ran MER on these two SVMs and a couple of clients, and uploaded them to the SR#. I saw the same issue yesterday afternoon as well with the primary and secondary SVM managing the cluster of VM clients that originally had the problem on 6/18. For that group I redeployed the 4.8 client on 5 VMs after upgrading the SVMs to 4.8.411.
A few of those 4.8 clients, not all of them, started having scan timeouts after I rebooted the secondary SVM. The problem was fixed this time with a second reboot of the primary SVM. At this point I'm very nervous about rebooting any of the SVMs running 4.8 and ENS.

Re: Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


This is continuing to be a problem that upgrading to 4.8.0.411 on the Move SVMs has not solved. My ticket with tech support is still open (4-20012988337) and I was provided a "POC" to test/install, but I wasn't provided any instructions for how to do that (see attached image). It's a single file named "mvserver.exe" and version 4.8.0.495, but double-clicking on it just quickly flashes what appears to be a command prompt screen. I don't know if this is supposed to replace the existing mvserver.exe file on the Move SVM? A couple of days ago I responded to the tech support email for more instructions regarding the "POC" test/install mvserver.exe file, but haven't received a response from them. I awoke this morning to thousands more alerts from the Move clients running 4.8.0.186 because overnight the issue arose again in one of my VM clusters. Again, they are scan timeouts with event ID 36976 shown in the EPO threat events. There's an application error in the application event log on one of the SVMs that preceded the scan timeout events which shows the mcshield.exe file unexpectedly crashed. I ran the MER utility this morning on the Move SVMs and a couple of the affected clients, but I'm unable to upload them to McAfee because I get a message saying I've "reached the maximum amount of uploads." At this point the Move 4.8 client and ENS combo on the Move SVMs seems completely unstable, and I'm considering rolling back the SVMs and clients to 4.6 and VScan 8.8 with P13 until McAfee tech support can provide an explanation and solution to what they have admitted is a known issue.

POC.jpg

McAfee Employee tlange
Message 5 of 8

Re: Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


I added the steps to install the POC in the support case.

Re: Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


Thanks. I applied the POC file to two affected SVMs. After applying the POC, the version number of the Move SVMs is still displaying in EPO as version number 4.8.0.411 even though the file provided was labeled 4.8.0.495. I'm not sure if that is expected. Also, after completing the file swap should I run the "set integrity" command again and assign it a value other than "0"? In the ten minutes that have followed after applying the file swap I have not received any errors from the Move clients that report to the SVMs.

McAfee Employee tlange
Message 7 of 8

Re: Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


What you are seeing is correct with the version staying the same. That's expected.

You can leave the value at zero for now. If you want to re-enable the self protection, just set the integrityenabled value to 7.

Re: Move MFP 4.8.186 "Scan Timed Out" (Event ID 36976)


Ok thanks.
