I currently have a support case open with McAfee regarding the scan engine crashing when detecting the EICAR test file on volumes other than C: when the filename ends in .TXT. Here's an example event log entry:
Log Name: Application Source: McLogEvent Date: 2/16/2012 3:12:10 PM Event ID: 5051 Task Category: None Level: Error Keywords: Classic User: SYSTEM Computer: SERVERNAME Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 120000 ms to complete a request. The process will be terminated. Thread id : 3124 (0xc34) Thread address : 0x00000000778F138A Thread message :
Build VSCORE.18.104.22.1685 / 5400.1158 Object being scanned = \Device\HarddiskVolume7\test\eicar.txt by C:\Windows\system32\cmd.exe 4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)
I have reproduced this issue on our 3-node Storage Server 2008 R2 SP1 cluster as well as another physical server and several VMs. The last test with the VM was after a base install of 2008 R2 SP1 (not domain joined, no ePO agent) and installing 8.8 w/ P1 included. The problem does not occur when using VSE 8.8 without patch 1.
McAfee will detect the EICAR file if I copy it from an excluded location to any other filename that does not end in .TXT. It will also detect EICAR.TXT on the C: volume.
Support has stated that they are unable to reproduce the issue. Anyone else want to see if they can reproduce this on any of their machines? I've had the case open for over a month and I'd like to get this resolved.