Since this morning all our XenApp 6.5 servers has been updated to DAT version 8183.0000
Now the following error message appears in the event viewer:
Event viewer ID: 5051
|Event ID 5051|
A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.
The process will be terminated. Thread id : 12816 (0x3210)
Thread address : 0x0000000076DAC08A
Thread message :
Build VSCORE.18.104.22.1683 / 5800.7501
Object being scanned = \Device\HarddiskVolume3\Users\%username%\AppData\Local\Citrix\Receiver\WindowsAppRHelper_SelfService.exe.dll
by C:\Program Files (x86)\Citrix\ICA Client\SelfServicePlugin\SelfService.exe
Followed by Event ID: 7034
|Event ID 7034|
|The McAfee McShield service terminated unexpectedly. It has done this 35 time(s).|
Then after a while the Server unexpected reboots with a Blue Screen.
-McAfee ePolicy 5.1.1.
-McAfee VirusScan Enterprise 8.8 Patch 4
The environment hasn't been changed..only the VirusScan Enterprise has a new DAT file.
With version 8182 and before we had no Event ID's 5051.
What has been changed in version DAT 8183?
For now we added the selfservice.exe as low risk policy.
Hi RayP -
DAT 8183 has a confirmed issue that causes McShield.exe to terminate. Until the next DAT is released it is recommended to rollback to DAT 8182.
There's a confirmed problem with DAT 8183. I had the VSE service crash on ~400 servers this morning. It seems to have only impacted my Windows 2008 R2 servers. I'm running VSE 8.8 P7 across the board. Issues occurred across Citrix XenApp and Infra servers (file, SQL, etc). I didn't have any reboots, though, just the service crashes.
McAfee support confirmed that they've had a few escalations on the same issue (this was around 11 am EDT), but hadn't tracked down a cause as of yet. They did also confirm that 8184 was being withheld until this issue was identified.
It's highly recommended that you log a call and potentially submit some MER logs, as it may help them identify the root cause.
DAT 8184 was released a couple hours ago. You will need to rollback to 8182 and then you can move forward to 8184. If this does not work for you or your organization, log a call with support and they can provide options.
Because it has VSE 8.8 P4 and part of the error messages in common, I share my experience hereon:
I have the same error messages with the (delayed) release of the DAT 8184 on our Windows 2008 R2 based VSES 1.1.0 AV scanning blades.
Due to compatibility issues with VSES and VSE, they are still running VSE 8.8 P4. I did not have issues with the Windows 2012 Server based VSES 1.1.0 installations, so it might be platform dependent.
In my situation the incremental update failed. I had the following message in the Agent's log:
2016-06-03 02:41:02.756 i #3980 Updater Error occurred while copying . File is locked or missing from the package.
2016-06-03 02:41:02.756 i #3980 Updater Update failed to version 8184.0000.
In Eventlog I have the following events:
Description: A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 90000 ms to complete a request.
Description: Unable to connect to filer <IP>: -1073741635
Description: The McAfee VirusScan Enterprise for Storage service terminated unexpectedly. It has done this 1 time(s).
Description: The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).
I worked around this issue by downloading the current signature files from McAfee, Inc. - Downloads - Virus Protection - DAT Files. There were only a couple of systems (6) to update this way and the manual installation worked. Now I'm about to update to VSE 1.2.0 to be able to get rid of VSE 8.8 P4.
I also opened a supportcase (SR 4-14506430771) regarding this.
Looks like McAfee has released a KB article relating to this. It is KB87253.
Not all systems with DAT 8183 will display the symptoms reported, and systems running DAT 8184 will never experience these issues. Before changing any settings, verify your system or environment is affected.
On Standalone systems:
In ePolicy Orchestrator (ePO) managed environments:
If your systems are running DAT 8184 or later, the following steps do not apply to you.
On affected systems: