davei
Level 9

Move MP 4.6 - errors in log

Hi

I'm moving from Agentless to MP so some of this is new to me.

I seem to have MP deployed to a couple of test clients successfully (according to ePO and mvadm on client, protection status is 'Enabled').  I can see stats on the OSS servers (mvadm stats) and the numbers are steadily increasing, the correct number of clients\heartbeats are shown, the test eicar notifications at client install worked OK.

However I see some errors in the mvagent.log file on the clients that I can't find any hits on in Google:

U.3180.3708: Aug 25 2017:15:02:07.633:   ERROR: svc_policies.c: 1041: Failed to send oas exclusion path cmd. err: 22

U.3180.3708: Aug 25 2017:15:02:07.633:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.3180.3708: Aug 25 2017:15:02:07.633:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

K.5476.5480: Aug 25 2017:15:04:36.304:   WARNING: utl_rt.c    :  109: Process info is NULL for proc handle 0x1564

K.5476.5480: Aug 25 2017:15:04:36.304:   WARNING: fsh_winnt.c :  255: Failed to get for process info of (sppsvc.exe)

K.0004.3412: Aug 25 2017:15:04:36.351:   WARNING: utl_rt.c    :  109: Process info is NULL for proc handle 0x4

K.0004.3412: Aug 25 2017:15:04:36.351:   WARNING: fsh_winnt.c :  255: Failed to get for process info of (System)   <------ this seems to be a known ignorable error

These errors are then repeated every minute or two.

I'm worried about the svc_policies.c errors as it's (obviously) very important we get the per-VM policies working as expected.

Any thoughts?

Thanks.

Davei

9 Replies
nashcoop
Level 7

Re: Move MP 4.6 - errors in log

I see the same errors on a lot of my servers after migrating from the 3.6.1 clients to 4.5.  Running the "mvadm exp list oas" command on the client displays the list of on access scan exceptions, and I see them listed in the registry key "HKLM\SYSTEM\CurrentControlSet\services\mvagtdrv\Parameters"  (PassThruList/ProcessPassthru).  The error seems to be pointing at that PassThruList entry.  I would love to hear a solution to cleaning up these errors.  Move seems like a pretty great product, but it's a hard sell to system owners when the logs are always littered with errors that McAfee eventually posts KBs for saying they're normal and can be ignored.

U.1420.2188: Oct 31 2017:01:16:02.984:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.2188: Oct 31 2017:01:16:02.984:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.3636: Oct 31 2017:01:46:03.047:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.3636: Oct 31 2017:01:46:03.047:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.2944: Oct 31 2017:02:16:03.548:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.2944: Oct 31 2017:02:16:03.548:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.3308: Oct 31 2017:02:46:02.989:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.3308: Oct 31 2017:02:46:02.989:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.4644: Oct 31 2017:03:16:03.084:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.4644: Oct 31 2017:03:16:03.084:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.2052: Oct 31 2017:03:46:02.805:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.2052: Oct 31 2017:03:46:02.805:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.4536: Oct 31 2017:04:16:02.854:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.4536: Oct 31 2017:04:16:02.854:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.4956: Oct 31 2017:04:46:02.903:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.4956: Oct 31 2017:04:46:02.903:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.2792: Oct 31 2017:05:16:02.936:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.2792: Oct 31 2017:05:16:02.936:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.4592: Oct 31 2017:05:46:02.953:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.4592: Oct 31 2017:05:46:02.953:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.4608: Oct 31 2017:06:16:03.002:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.4608: Oct 31 2017:06:16:03.002:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.3292: Oct 31 2017:06:46:03.566:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.3292: Oct 31 2017:06:46:03.566:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.2868: Oct 31 2017:07:16:02.273:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

U.1420.2868: Oct 31 2017:07:16:02.273:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22

U.1420.2296: Oct 31 2017:07:46:02.337:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for

0 Kudos
roms_didi
Level 7

Re: Move MP 4.6 - errors in log

Same problem here (with the same logs).

Any news?

Regards,

0 Kudos
IanMFE
Level 7

Re: Move MP 4.6 - errors in log

Any update on this? Having the same issue.

0 Kudos
IanMFE
Level 7

Re: Move MP 4.6 - errors in log

FYI, I solved this issue, in case someone else has it in the future. Looks like there is a bug within the ePO GUI. When you open an existing On Access Policy, the UI adds a blank line at the top of the Process exclusions list. It's a thin line above your first defined exclusion. You can select it with the mouse and click Remove. This will fix your policy, and remove the errors from any log files.

0 Kudos
markpryor
Level 7

Re: Move MP 4.6 - errors in log

Nice work, Ian. I had the same thing, and your fix has at least cleared that issue.

I'm hoping it was a factor in the significant performance issues we're experiencing. Have you noticed anything along those lines?

0 Kudos
IanMFE
Level 7

Re: Move MP 4.6 - errors in log

Hi Mark, what is your hypervisor infrastructure running on? We have both VMware and Citrix / HyperV. The VMware infrastructure experiences about a 5% overhead with MOVE. The Citrix environment is significantly worse however.

What is your VM to MOVE server ratio? Ours is pretty light < 150 hosts / server. I'd take a look at the health of the whole infrastructure. One of the issues we had was latency on the SAN infrastructure, once that was resolved, performance was substantially better.

0 Kudos
bleeder
Level 9

Re: Move MP 4.6 - errors in log

I also had the blank line at the top of my process exclusion list.  I removed it and saved the policy.  When I go back to edit the policy again, the blank line has returned.  Do you see the same behavior?

0 Kudos
IanMFE
Level 7

Re: Move MP 4.6 - errors in log

Yes, it appears to be a bug within the MOVE extension. Every time you modify that policy (or view it and save), you will get that extra blank line. You have to remember to remove that line every time you save the policy. Hopefully McAfee will fix that, but in the meantime, don't forget to remove the line each time you open the policy.

0 Kudos
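
A check that could be run against mvagent.log after each policy save, following the fix described above (an added example, not code from any poster or from McAfee): it counts `svc_normalize_path fail for` errors that name no path, the signature this thread ties to the blank process-exclusion entry, and lists separately any failures that do name a path. The sample lines are constructed in the thread's log layout; the trailing-path form and `X:\example\app.exe` are assumptions.

```python
import re
from datetime import datetime

# Line layout taken from the mvagent.log excerpts quoted in this thread.
LINE_RE = re.compile(
    r"^(?P<ctx>[UK])\.(?P<pid>\d+)\.(?P<tid>\d+): "
    r"(?P<ts>\w{3} \d{1,2} \d{4}:\d{2}:\d{2}:\d{2}\.\d{3}):\s+"
    r"(?P<level>\w+): (?P<src>[\w.]+)\s*:\s*(?P<line>\d+): ?(?P<msg>.*)$"
)
NORMALIZE = "svc_normalize_path fail for"
PASSTHRU = "Failed to send oas process passthrough cmd."

# Constructed sample: two blank-entry pairs, one unrelated warning, and one
# failure that names a path (that last form is an assumption, not from the thread).
SAMPLE = [
    "U.1420.2188: Oct 31 2017:01:16:02.984:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for ",
    "U.1420.2188: Oct 31 2017:01:16:02.984:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22",
    "K.0004.3412: Oct 31 2017:01:20:36.351:   WARNING: utl_rt.c    :  109: Process info is NULL for proc handle 0x4",
    r"U.1420.2188: Oct 31 2017:01:30:00.000:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for X:\example\app.exe",
    "U.1420.3636: Oct 31 2017:01:46:03.047:   ERROR: svc_policies.c: 1207: svc_normalize_path fail for ",
    "U.1420.3636: Oct 31 2017:01:46:03.047:   ERROR: svc_policies.c: 1053: Failed to send oas process passthrough cmd. err: 22",
]

def summarize(lines):
    """Separate blank-entry normalize failures from failures that name a path."""
    out = {"blank": 0, "passthru_failed": 0, "bad_paths": [], "first": None, "last": None}
    for raw in lines:
        m = LINE_RE.match(raw.rstrip())
        if not m or m["level"] != "ERROR" or m["src"] != "svc_policies.c":
            continue  # warnings and other source files are out of scope here
        msg = m["msg"]
        if msg.startswith(PASSTHRU):
            out["passthru_failed"] += 1
        elif msg.startswith(NORMALIZE):
            path = msg[len(NORMALIZE):].strip()
            if path:  # a real exclusion entry that failed to normalize
                out["bad_paths"].append(path)
                continue
            ts = datetime.strptime(m["ts"], "%b %d %Y:%H:%M:%S.%f")
            out["blank"] += 1  # empty path: the blank-line entry described above
            out["first"] = out["first"] or ts
            out["last"] = ts
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero `blank` count with a `last` timestamp later than the most recent policy save suggests the blank entry is back in the policy.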
bleeder
Level 9

Re: Move MP 4.6 - errors in log

FYI, this bug is still present in the MOVE 4.7 extension.

0 Kudos