cancel
Showing results for 
Search instead for 
Did you mean: 
joas
Level 8
Report Inappropriate Content
Message 1 of 10

OAS disabled: Root Cause Analysis

Jump to solution

Hello everyone,

I have found multiple occurrences within my organization where OAS has been disabled on random machines. Lately I have been tracking down machines that haven't contact EPO in the past month to find more subjects to investigate and hopefully find a pattern to help us find the root cause. Below is some information about what we are running, plus some patterns that I have found within the machines I have assessed, as well as my questions to the matter.

Running:

McAfee Agent: 4.5

VirusScan Enterprise 8.7i

Pattern:

I have found that OAS has been disabled around 8/6/10-8/9/10 dates. These machines all have the similar event log entry of  "The McAfee McShield service depends on the following nonexistent service: mfevtp" which starts coming up around those dates

According to McAfee this event log is ONLY shown when downgrading from 8.7 to 8.5. We never downgraded any systems, so this is not our case.

https://kc.mcafee.com/corporate/index?page=content&id=KB53973&pmv=print

My Questions

  • Is there a way that I can get a list of McAfee's Updates and when they were pushed onto the community so that I may compare the dates and maybe narrow it down to an update that might have caused this?

I have searched my way around the forum and found some similar threads, but they didn't help. Our EPO enforces OAS being enabled on these machines. All machines that have this problem are virus/spyware free. If you guys have anything that might help with this investigation it would be very much appreciated. Thanks!!

Message was edited by: joas on 3/15/11 8:56:16 AM CDT
1 Solution

Accepted Solutions
joas
Level 8
Report Inappropriate Content
Message 10 of 10

Re: OAS disabled: Root Cause Analysis

Jump to solution

Root cause was found. We found a bad policy that made our AV revert to 8.5 on those dates. Thank you all for your help.

9 Replies
joas
Level 8
Report Inappropriate Content
Message 2 of 10

OAS disabled: Root Cause Analysis

Jump to solution

bump

OAS disabled: Root Cause Analysis

Jump to solution

Then you should upgrade with Patch 3-4 or VSE 8.8

joas
Level 8
Report Inappropriate Content
Message 4 of 10

OAS disabled: Root Cause Analysis

Jump to solution

Alexander, thank you for your response. However this doesn't help me in finding the root cause analysis on why OAS is being disabled. Thanks.

OAS disabled: Root Cause Analysis

Jump to solution

It seems to be a product issue, you should contact McAfee support if you want to receive the root cause of this problem.

wwarren
Level 15
Report Inappropriate Content
Message 6 of 10

OAS disabled: Root Cause Analysis

Jump to solution

In your post you state the cause for McShield being disabled:

"These machines all have the similar event log entry of  "The McAfee McShield service depends on the following nonexistent service: mfevtp"

The cause for why mfevtp is missing is what is unknown. Only certain things can induce that, and you ruled out the most likely one.

The solution is to remove and reinstall the product, because something came along and axed a critical service.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee
joas
Level 8
Report Inappropriate Content
Message 7 of 10

OAS disabled: Root Cause Analysis

Jump to solution

wwarren, thank you for your response. We are uninstalling and reinstalling the product across the organization as we run into these, but it still doesn't explain what the root cause is. Thanks!

PhilR
Level 12
Report Inappropriate Content
Message 8 of 10

Re: OAS disabled: Root Cause Analysis

Jump to solution

Download the VSE870MLRP4 full install zip from McAfee's download site, check that (and its extensions) into ePO.

Download and check in patch 4 as well.

Try again.  This problem happened with the original VSE8.7 with no patches.

Your scan log shows engine 5300.2777, that's ancient and suggests you're installing the original RTM build of VSE 8.7.

Message was edited by: PhilR on 11/03/11 09:56:33 CST

Re: OAS disabled: Root Cause Analysis

Jump to solution

Joas,

Could you confirm the options :

Enable on-access scanning at system startup

Enable on-access scanning when the policy is enforced.  are checked, in On Access general policies.

If  u r answer is yes,

Pls. log ticket with McAfee to find root case with follwing detials:

- MER result with log level 8 from any one of the affected system.

- Full Crash Dump for McShield.exe process from the affected system..

joas
Level 8
Report Inappropriate Content
Message 10 of 10

Re: OAS disabled: Root Cause Analysis

Jump to solution

Root cause was found. We found a bad policy that made our AV revert to 8.5 on those dates. Thank you all for your help.