I'm working with software that has heavy use of application pools in IIS. The issue was that these pools were recycling on a fairly regular basis, although were not scheduled to do so. With improved logging, we started seeing that the WAS service was claiming that the pools were recycled due to a configuration change, even though there was no change to the configuration.
There seemed to be a great deal of anecdotal evidence that anti-virus or back-up software can have this effect. With the uninstall of McAfee being the only change, what had been a daily event stopped occurring altogether.
Does anyone know if there is an official McAfee stance on this? And should it be enough to set exclusions on folders that contain .config files? Or simply exclude *.config altogether?
I've never personally seen the app pools recycle due to VSE. Not saying it isn't VSE but I would definitely start by looking at the VSE logs to see if there is something OAS is doing around the same time you should also be getting event log notifications for the recycle. Then see if they correlate?
The VSE logs are found within C:\ProgramData\McAfee\DesktopProtection
Looking at the IIS exclusions we have set for our IIS servers, we are specifically excluding the IIS working folder:
**\IIS Temporary Compressed Files\
Not sure if that helps or not.
Looks like this might be a known issue in VSE 8.8 Patch 4: https://kc.mcafee.com/corporate/index?page=content&id=KB81595
It specifically deals with .config files and w3wp.exe. I suspect that the change to the metadata that VSE makes is enough to spoof a config change.
Could be, try it out and let us know. I have VSE 8.8 patch 4 running on almost all of our 500+ servers without any real issues, but I am excluding those IIS directories I posted earlier for our web servers.
With VSE uninstalled (it's a customer's server), there's no good way for me to dig deeper on this without having it reinstalled (which will likely happen) and then having them ignore my exclusion recommendations (which would be a bad move on their part). I'd love to have them be a guinea pig and play with adding/removing that exclusion to see the results, but I don't see that happening. Maybe one of your servers wants to be a laboratory mouse?
Hah. Same here.. it's was a major pain even getting our customers servers upgraded to patch 4. Hopefully you'll be able to test it out at some point though..
Patch 5 addresses this issue, but it will be 2015 before that is available.
A hotfix exists that also addresses this issue, but that hotfix introduces a lot of new code to the product such that it would warrant retesting/validating of the entire product in the environment.
So, if that's an option, seek it out from McAfee Support. P.S. Patch 5 would warrant the same testing effort and is the safer migration path.
The workaround (exclusions, as described in KB81595) is the recommended way forward though. They work.
We have had people claim that it does not work, but those were due to a) a different issue that had not been identified, b) misconfiguration in trying to abide the article's advice.