VR
Level 7
Message 11 of 11

Re: Howto kill mcafee services from the command line?

It's under orchestration, and I am aware of the fact that ePO periodically overwrites my config and restarts OAS.  However, in this particular case, MFEConsole on the endpoint consistently reported that OAS was NOT active at the time (I even restarted MFEConsole to make sure) yet there was mcshield.exe pegged on one core.

I just repeated the process described above (restarted MFEConsole, unlocked the admin i/f on it, and unchecked the On-Access Scan and Access Protection checkboxes under "Threat Prevention"). McShield is still eating up a full core and continues to eat it (it's not winding down).

Stack trace of busy thread (via Process Explorer):

ntoskrnl.exe!KiCpuId+0xaa
ntoskrnl.exe!KeReleaseSpinLock+0x612
ntoskrnl.exe!KeWaitForMutexObject+0x1a3
ntoskrnl.exe!KeQueryActiveProcessorCountEx+0x218
ntoskrnl.exe!RtlNumberOfSetBitsUlongPtr+0x10cd
ntoskrnl.exe!KiCpuId+0x2553
ntoskrnl.exe!IoAllocateIrp+0x237
ntoskrnl.exe!CcCopyRead+0x4b7
ntoskrnl.exe!ObfDereferenceObject+0xd4
ntoskrnl.exe!ObOpenObjectByName+0x1081
ntoskrnl.exe!ObOpenObjectByName+0xd94
ntoskrnl.exe!longjmp+0x5b93
ntdll.dll!NtClose+0xa
!FindClose+0x64
!GetLongPathNameW+0x254
!GetFinalPathNameByHandleW+0x306
!AVInitialise+0x33a69
!AVInitialise+0x33797
!RetrieveSingleExtensionList+0x220c71
!RetrieveSingleExtensionList+0x9976a
!RetrieveSingleExtensionList+0x2c6dd5
!AVInitialise+0xdb1
!AVInitialise+0xb94
!AVScanObject+0xbe
!CSCleanupLuaRecyclers+0x534c2
!CSCleanupLuaRecyclers+0x54ea2
!CSCleanupLuaRecyclers+0x54dc2
!CSCleanupLuaRecyclers+0x32bdf
!CSCleanupLuaRecyclers+0x46f20
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4584
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x131d2
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4871
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x3cbf
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4abe
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x400
!CSCleanupLuaRecyclers+0x8372e
!CSCleanupLuaRecyclers+0x2a88d
!CSCleanupLuaRecyclers+0x25adc
!CSCleanupLuaRecyclers+0x20049
!CSCleanupLuaRecyclers+0x10e6f
!CSCleanupLuaRecyclers+0x1f0a7
!CSCleanupLuaRecyclers+0x4aa5
!DSGetScanLevel+0x6dcbf
!DSGetScanLevel+0x468ea
!DSGetScanLevel+0x45af0
!DSGetScanLevel+0x38ec0
!DSGetScanLevel+0x38925
!DSGetScanLevel+0x2b479
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4584
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x1317e
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4871
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x3cbf
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x4abe
!GEN_e4f14ea841887b6dd3d4da6c84d20033+0x400
!DSGetScanLevel+0x7e953
!DSGetScanLevel+0x1f5f4
!DSGetScanLevel+0x5cc62
!DSGetScanLevel+0x65b6
!DSScan+0x3b
!RpcBindingSetAuthInfoW+0xe5
!NdrStubCall2+0x2df
!NdrServerCall2+0x1d
!NdrServerCall2+0x1dc4
!NdrServerCall2+0x1c26
!NdrServerCall2+0x237e
!NdrServerCall2+0x201d
!I_RpcInitNdrImports+0x13926
!I_RpcInitNdrImports+0x135b0
!NdrServerCall2+0x1dfb
!RpcBindingCopy+0x195
ntdll.dll!AlpcFreeCompletionListMessage+0x67d
ntdll.dll!DbgUiRemoteBreakin+0x5a4
!BaseThreadInitThunk+0xd
ntdll.dll!RtlUserThreadStart+0x1d

According to Process Monitor, it's recursively scanning my filesystem (millions of files), despite my not having kicked off a manual scan *AND* OAS being disabled.  I'd be tempted to think that the fact of my resizing the partition just before mcshield.exe went bananas might have been misinterpreted as insertion of a removable drive and that there is a policy to scan removable drives upon insertion -- though I see no evidence of such an option/policy in MFEConsole.

The solution was (for now) to add the volume(s) in question to the excluded directory lists, and mcshield.exe quieted down. ePO will eventually overwrite my exclusions.
