cancel
Showing results for 
Search instead for 
Did you mean: 
kink80
Level 12
Report Inappropriate Content
Message 1 of 8

McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

I am trying to apply patch 5 for VSE 8.7i to one of my Windows 2003 servers that was running VSE 8.7i Patch 3. When I tried to do an "Update Now" on the server, after checking in Patch 5 into the Current Branch of the ePO Master Repository, it looked like it was going to install successfully however  I had the following in my Application Event log:

Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 5004
Date:  2/7/2013
Time:  8:32:48 AM
User:  NT AUTHORITY\SYSTEM
Computer: XXXXXXXXX
Description:
Could not contact Filter Driver.
Error = 0x7f : The specified procedure could not be found.

When I looked in the McAfee Agent log I see this:

2013-02-07 08:33:05 I #4600 Manage New plugin <VSEMAS870000> found

2013-02-07 08:33:05 I #4600 Sched >>--CSchedule::RegisterProduct

2013-02-07 08:33:06 I #6084 Sched >>--CSchedule::ModifyTask

2013-02-07 08:33:08 I #5592 Sched Plugin DLL for VSEMAS870000 has been registered

2013-02-07 08:33:08 W #5592 Sched Plugin checking: error  -1011, SoftwareID = VIRUSCAN8700

2013-02-07 08:50:44 I #3300 Manage Enforcing policies

2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for VIRUSCAN8700

2013-02-07 08:50:45 I #3300 Manage CManage::EnforcePolicies() - Failed - "VIRUSCAN8700" (error = -1000).

2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for EPOAGENT3000META

2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for EPOAGENT3000

2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for McAfee Agent

I then removed VSE from this server via Add and Remove Programs and I received no errors and it appeared like it was successfully removed. As I could not find anything in C:\Program Files\McAfee\VirusScan Enterprise. I then re-installed VSE 8.7.0.570 with an ePO Product deployment task. Which again seemed to succeed. It then ran the DAT update successfully then ran the HotFix Update and I saw;

2013-02-07 10:23:05 I #5804 UpdEvents Generating update event:EventId=2401:Severity=4:ProductId=VIRUSCAN8700:Locale=0000:UpdateType=HotFix:UpdateError=0:NewVersion=5:DateTime=

2013-02-07 10:23:10 I #5804 UpdEvents Generating update event:EventId=2401:Severity=4:ProductId=VIRUSCAN8700:Locale=0000:UpdateType=ExtraDAT:UpdateError=0:NewVersion=2012.1128.1826.10:DateTime=

A little further down in the McAfee Agent log i spotted this again:

2013-02-07 10:25:39 i #3300 Manage Enforcing Policies for VIRUSCAN8700

2013-02-07 10:25:40 I #1208 Sched >>--CSchedule::ModifyTask

2013-02-07 10:25:40 E #1208 Sched <<--CSchedule::ModifyTask hr=0x80000017 : Task is being modified

2013-02-07 10:25:40 I #5660 Sched >>--CSchedule::DeleteTask

2013-02-07 10:25:40 E #5660 Sched <<--CSchedule::DeleteTask hr=0x80000017 : Task is being modified

2013-02-07 10:25:40 I #472 Sched >>--CSchedule::GetTask

2013-02-07 10:25:40 I #3300 Manage CManage::EnforcePolicies() - Failed - "VIRUSCAN8700" (error = -1000).

2013-02-07 10:25:40 i #3300 Manage Enforcing Policies for EPOAGENT3000META

2013-02-07 10:25:40 i #3300 Manage Enforcing Policies for EPOAGENT3000

And this in the Application Event log:

Event Type: Error
Event Source: McLogEvent
Event Category: None
Event ID: 5004
Date:  2/7/2013
Time:  10:27:55 AM
User:  NT AUTHORITY\SYSTEM
Computer: XXXXXXXX
Description:
Could not contact Filter Driver.
Error = 0x7f : The specified procedure could not be found.

So I am back at square one has anyone seen this before? Any ideas as to how to solve this?  Thanks in advance.

7 Replies
kink80
Level 12
Report Inappropriate Content
Message 2 of 8

Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

All of the drivers listed below are present in C:\WINDOWS\system32\drivers

  • mfeavfk.sys,
  • mfeapfk.sys
  • mfebopk.sys
  • mfehidk.sys
  • mfetdik.sys

If I look in the Device Manager and Show Hidden Devices  I have three McAfee Inc. Devices that show a Yellow Exclamation along with several ones that do not have the yellow exclamation. But it seems there are multiple mfeavk drivers each with a unique number after mfeavk (i.e. mfeavk23, mfeavk30).

alexn
Level 14
Report Inappropriate Content
Message 3 of 8

Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

Reason could be 

Path to mfeapfk, mfeavfk, and mfebopk which live under HKLM\SYSTEM\CurrentControlSet\Services\, with the full path to the driver - e.g.c:\windows\system32\drivers\mfeapfk.sys. Registry Patyh is not updated and your drivers are in Drivers folder but cant connect with Mcshield.

Please follow these steps to resolve this.

Solution 1

Verify that the following filter driver files are present in C:\Windows\System32\Drivers

  • mfeavfk.sys
  • mfeapfk.sys
  • mfebopk.sys
  • mfehidk.sys
  • mfetdik.sys
If the filter driver files are not present, then uninstall and reinstall them:

  1. Click Start, Run, type cmd, and then click OK.
  2. From the command prompt, navigate to: C:\Program Files\McAfee\VirusScan Enterprise.
  3. To uninstall the driver, type the following and press ENTER:

    mfehidin -u mfeavfk.sys mfeapfk.sys mfebopk.sys mfehidk.sys mfetdik.sys

  4. To reinstall the driver, type the following and press ENTER:

    mfehidin.exe -i mfeavfk.sys mfeapfk.sys mfebopk.sys mfehidk.sys mfetdik.sys
If the filter driver files are present, ensure they are enabled in Device Manager:

  1. From the desktop, right-click My Computer and select Properties.
  2. Click the Hardware tab.
  3. Click Device Manager.
  4. Select View, Show Hidden devices.
  5. Expand Non-Plug and Play Drivers.
  6. For every McAfee Inc. entry, right-click the entry, select Properties, and from the drop-down menu, select Enable.
  7. When prompted Do you want to restart your computer now? click No.
  8. When all McAfee Inc. entries have been processed, close the Device Manager and restart your computer.

Solution 2

If the filter driver files are present and enabled, but the error (Event id : 5004) is still generated, uninstall and reinstall VSE.

If this does not resolve the issue, it is likely that a third-party product is present that is not compatible with VSE. Upgrade to the latest version of VSE and apply the latest patch.

If you dont see any luck after doing this, then go for latest VSE 8.8 P2.

kink80
Level 12
Report Inappropriate Content
Message 4 of 8

Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

Thank for the reply. I did see this KB and did alter the registry to point to the full path to the drivers (i.e. C:\Windows\system32\drivers). This did not resolve my issue. I have removed VSE 8.7 once again and all of the drivers are gone from the Drivers directory. I still see numerous McAfee Inc. devices in the Device Manager 3 of which have the yellow exclamation. I think I will try a reboot and then try to re-install VSE 8.7 again. If that does not work I will put  a call into McAfee support.

alexn
Level 14
Report Inappropriate Content
Message 5 of 8

Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

Also Make sure that you dont have 3rd party AV programe on your server, and also update to to the current version of VSE 8.8 patch 2.

After reboot recheck your Device Manager for any Mcafee inc exclamation mark.

kink80
Level 12
Report Inappropriate Content
Message 6 of 8

Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

There is no 3rd party AV on this server. It has been running McAfee VSE 8.7i Patch 3 for a long time. This issue manifested when I tried to patch the system to VSE 8.7i Patch 5. Yes I was planning on checking the Device Manager after the restart. Thanks.

Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

Any luck resolving this as I have the exact same issue. Followed the same trouble shooting process and got the the final same point of everything looking good except for those 3 !!! on the hidden drivers.

Any help would be much appreciated. SR taking for ever to progress....

Thanks!

kink80
Level 12
Report Inappropriate Content
Message 8 of 8

Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

I ended up just installing VSE 8.8 P2 on the server and everything was good again. We were planning on upgrading this serve at some point to 8.8 so that was the logical choice for me.

More McAfee Tools to Help You
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • Visit: Business Service Portal
  • More: Search Knowledge Articles
  • ePolicy Orchestrator Support
  • The McAfee ePO Support Center Plug-in is now available in the Software Manager. Follow the instructions in the Product Guide for more.