VR
Level 7
Message 11 of 11

Re: Howto kill mcafee services from the command line?

It's under orchestration, and I am aware of the fact that ePO periodically overwrites my config and restarts OAS.  However, in this particular case, MFEConsole on the endpoint consistently reported that OAS was NOT active at the time (I even restarted MFEConsole to make sure) yet there was mcshield.exe pegged on one core.

I just repeated the process described above (restarted MFEConsole, unlocked the admin i/f on it, and unchecked the On-Access Scan and Access Protection checkboxes under "Threat Prevention"). McShield is still eating up a full core and continues to eat it (it's not winding down).

Stack trace of busy thread (via Process Explorer):

ntoskrnl.exe!KiCpuId+0xaa
ntoskrnl.exe!KeReleaseSpinLock+0x612
ntoskrnl.exe!KeWaitForMutexObject+0x1a3
ntoskrnl.exe!KeQueryActiveProcessorCountEx+0x218
ntoskrnl.exe!RtlNumberOfSetBitsUlongPtr+0x10cd
ntoskrnl.exe!KiCpuId+0x2553
ntoskrnl.exe!IoAllocateIrp+0x237
ntoskrnl.exe!CcCopyRead+0x4b7
ntoskrnl.exe!ObfDereferenceObject+0xd4
ntoskrnl.exe!ObOpenObjectByName+0x1081
ntoskrnl.exe!ObOpenObjectByName+0xd94
ntoskrnl.exe!longjmp+0x5b93
ntdll.dll!NtClose+0xa
!FindClose+0x64
!GetLongPathNameW+0x254
!GetFinalPathNameByHandleW+0x306
!AVInitialise+0x33a69
!AVInitialise+0x33797
!RetrieveSingleExtensionList+0x220c71
!RetrieveSingleExtensionList+0x9976a
!RetrieveSingleExtensionList+0x2c6dd5
!AVInitialise+0xdb1
!AVInitialise+0xb94
!AVScanObject+0xbe
!CSCleanupLuaRecyclers+0x534c2
!CSCleanupLuaRecyclers+0x54ea2
!CSCleanupLuaRecyclers+0x54dc2
!CSCleanupLuaRecyclers+0x32bdf
!CSCleanupLuaRecyclers+0x46f20
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4584
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x131d2
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4871
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x3cbf
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4abe
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x400
!CSCleanupLuaRecyclers+0x8372e
!CSCleanupLuaRecyclers+0x2a88d
!CSCleanupLuaRecyclers+0x25adc
!CSCleanupLuaRecyclers+0x20049
!CSCleanupLuaRecyclers+0x10e6f
!CSCleanupLuaRecyclers+0x1f0a7
!CSCleanupLuaRecyclers+0x4aa5
!DSGetScanLevel+0x6dcbf
!DSGetScanLevel+0x468ea
!DSGetScanLevel+0x45af0
!DSGetScanLevel+0x38ec0
!DSGetScanLevel+0x38925
!DSGetScanLevel+0x2b479
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4584
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x1317e
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4871
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x3cbf
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4abe
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x400
!DSGetScanLevel+0x7e953
!DSGetScanLevel+0x1f5f4
!DSGetScanLevel+0x5cc62
!DSGetScanLevel+0x65b6
!DSScan+0x3b
!RpcBindingSetAuthInfoW+0xe5
!NdrStubCall2+0x2df
!NdrServerCall2+0x1d
!NdrServerCall2+0x1dc4
!NdrServerCall2+0x1c26
!NdrServerCall2+0x237e
!NdrServerCall2+0x201d
!I_RpcInitNdrImports+0x13926
!I_RpcInitNdrImports+0x135b0
!NdrServerCall2+0x1dfb
!RpcBindingCopy+0x195
ntdll.dll!AlpcFreeCompletionListMessage+0x67d
ntdll.dll!DbgUiRemoteBreakin+0x5a4
!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x1d

According to Process Monitor, it's recursively scanning my filesystem (millions of files), despite my not having kicked off a manual scan *AND* OAS being disabled.  I'd be tempted to think that the fact of my resizing the partition just before mcshield.exe went bananas might have been misinterpreted as insertion of a removable drive and that there is a policy to scan removable drives upon insertion -- though I see no evidence of such an option/policy in MFEConsole.

The solution was (for now) to add the volume(s) in question to the excluded directory lists, and mcshield.exe quieted down. ePO will eventually overwrite my exclusions.
