Unclear situation at corporate Exchange server: the VSE deployed and activated fine, but the update freezes in process.
More information I collected:
- Tried 2 deploy methods (via ePO and local installation from scratch, after McAffee Remover was completed), effect looks the same (deploy - OK, update - hangs);
- The VSE deploy phase finishes OK, the DAT version 1111.0000 is reported (agent inventory log is attached below);
- The issue rises during update only;
- The server reboot between deinstallation/installation phases changes nothing;
- Server has MIcrosoft Network Load balancing active;
- Server has Symantec e-mail protector version 7.5;
The questions are:
- Can the Symantec or network load balancing affect the VSE update process?
- What else I should check to find the cause of an issue much accurately?
- Could anyone suggest the possible steps to find a workaround?
Solved! Go to Solution.
I had a similar issue with an Exchange server, but managed to finally fix it today. After removing and reinstalling McAfee agent 220.127.116.112, and VScan with Patch 12 (and running MCPR each time) multiple times without fixing the update issue I decided to try installing an older version of VScan. I had been installing the McAfee agent first, then VScan. This time I installed VScan with Patch 9, then ran an update which successfully grabbed the DAT from McAfee. Then I installed the 18.104.22.1688 agent, and ran another update which then grabbed tasks & policies from our EPO server and updated to patch 12.
My guess would be a potentiall dll injection into the McAfee Agent processes - but there could be a number of reasons why it's failing. Which agent version are you using?
No, even a standalone VSE installation will contain the agent.
In your agent logs %Programdata%\Mcafee\Agent\Logs - open the mfemactl log, look for "update" - do you have any entries in the log similar to:
2019-01-25 14:55:15.771 mfemactl(5184.3668) mfemactl.Info: The process <C:\PROGRAM FILES\MCAFEE\AGENT\MCSCRIPT_INUSE.EXE>(8116) was blocked from accessing('CREATE' (1)) <AAC_OBJECT_SECTION:C:\WINDOWS\example\test.DLL> via the rule <Sanitize selected MA Processes>
> if yes, that in this example test.dll was injecting, causing the update to not be initiated.
chealey, great thanks for the idea about 'dll injection'!
We tried that sequence:
Now the VSE is actual, DAT is actual, ePO management is operating. The images and agent inventory are below. Tomorrow we will check the schedule update result. I will write it here and look at VSE log file.
Seems no, the update seems does not occur, while self-check is OK.
The mfemactl file has no messages about update, I put it into spoiler below.
In addition, the message about hanged update process is displayed upon desktop exit.
May be that process locked the update... We will try to reboot the server again soon.
Looks good from the dll injection part - I would now probably look into the mcschield log. Look for "ScrptMain START" (without the quotation marks) and look at the time stamp to match with your update task time. If you follow the thread through, you can look for "failed" and this will identify if any portential network issues are present.
I see no file, which might be the mcschield log.
In addition, we tried to install an older VSE (22.214.171.1245) from standalone installer. Effect is solid - update does not occured.
Instead, something interesting was found in McScript.log. Seems, the infinite loopback consists of such messages, which corresponding with screenshot attached
Sorry, my reply to chealey disappeared. Again.
Additionally, we tried to install the older VSE (126.96.36.1995 from 14.08.2012). Effect is solid, no update.
I see no files, which might be the mcschield log. But in the McScript file I found messages, which are correlating with update process. The 'infinite loopback' has following strings:
I've dealt with the DAT 1111 / Updater failing - I created a VSE winrar package with a simple command: "...setupvse.exe" REINSTALLMODE=AMUS /q , repackaged with McAfee EEDK and deploy via ePO. Seems to correct the DAT / Updater issue for me.
You may also consider toggleing on debug logs for VSE & Agent:
McAfee Agent 5.x