I am running Windows 7 Enterprise x64 with 8.7i Patch 2 (scan engine 5400.1158, DAT 5872.0000).
I have my taskbar set to auto-hide. Roughly every 40 seconds it spontaneously pops up on the display. After some trial and error, and breaking out my handy-dandy copy of Microsoft Sysinternals Process Monitor, I identified the culprit as McAfee.
Every 40 seconds or so, a new WscAVExe.exe process starts. In turn it invokes the new Windows 7 console handler conhost.exe. Up pops the taskbar.
This is a compatibility bug because the background McAfee console application interferes with the foreground application, and did not do this on the same machine running Windows Server 2008 a couple of days ago. On checking this out, I found that Microsoft modified the Windows 7 console handler in response to security concerns and strongly advised ISVs to test and correct their apps to work with the new feature.
Is anyone else seeing this? Does anyone know if there is a fix available?
I guess it is oddly funny that a security fix in the OS breaks a security program, but it is unbelievably irritating on a small display.
CMessage was edited by: C PM on 1/27/10 2:31:54 PM CST
I am running x64 Windows 7 as well at the current patch level. I cannot duplicate the condition your describing on my machine. Are you 100% sure McAfee AV is the culprit? Can you reproduce the condition in test?
Is EPO at current SP level (SP1)?
AV fully patched to include all EPO extensions?
Was this an upgrade or clean install?
Anything in the system logs to indicate McAfee is the cause?
Any access denied condtions in the logs?
Any other McAfee products running on the host such as HIPS?
One bug does not always mean that you have a defective product. It could be a unique situation related to your system image or a situaition in your environment. Any special GPO's assigned to that computer object?Message was edited by: Robert Rathbun on 1/27/10 12:12:00 PM GMT-05:00
Thank you for your interest in this issue.
My machine is not attached to a domain. Since my earlier posting, I have found that colleagues whose machines are on the domain do not see this problem, but they have an additional McAfee agent with a different icon pushed to their machines. Is your machine on a domain?
I do not know what EPO level is installed or how to find out.
This is a clean Windows 7 installed this week with a McAfee install from our corporate share.
I checked the Windows logs (security, application, system) and there are no error messages.
I don't know what HIPS is.
I do, however, think I have the clincher that ties it to this executable. I watched the task bar pop up regularly for a few minutes. Then I renamed the wscavexe.exe to wscavexe.exe.old and watched the system for over 5 minutes. The taskbar stayed down. I renamed the program back to wscavexe.exe, and the problem recurs roughly every 40 seconds. I say roughly because there are some times that it will skip for a while (up to about 2 minutes).
Guess what I did next? 🙂
As an aside, I don't think the product is defective, it just has a compatibility problem. I do appreciate that this could be something special on my machine which is why I asked if anyone else has seen this. There is a selection effect, though, in that few people run with auto-hide enabled, using their corporate anti-virus solution, not on a domain.
Your GPO comment was interesting because although my machine is not on a domain, I did modify 2 local group policy entries to enable/permit down-level NTLM communication so I could log on to an intranet server.
Again, thanks for your interest.
Hi, Just a quick follow-up. Has anyone else seen this? Can anyone in McAfee comment on my observation of a 40-second timer?
It seems that renaming the file makes Windows 7 think there is no anti-virus installed, so that disturbs me a bit.
I have had two users inform me of this as well. They are both running Windows 7 64-bit with VirusScan 8.7 patch 2. They do not have HIPS installed, and both have McAfee agent 4.0 w/patch 3 (22.214.171.1244) installed. Also, neither of them are on a domain (I believe...may have to double-check that one), so no GPOs should apply. Since it did not appear to cause any issue per se, but was more of just an annoyance, I have not put a lot of cycles in to it. I would be interested to know if McAfee could reproduce and come up with some kind of solution though.Message was edited by: tdmomega on 2/1/10 10:10:44 PM CST
Thanks for your reply. This is the first corroboration I have had of my report. The solution I described (renaming the executable) does eliminate the problem, but I don't know what that executable does, so I am concerned that disabling it by renaming it might reduce the effectiveness the McAfee product.
Is that the same issue, which I see on all our Windows 7 Pro machines, x64 and x32 equivalently, with latest VirusScan 8.7i, Patch 2?
All of the sudden, I see very quick Security Center pop-up, which disappears a moment later. I did not know what was that, and had to use the screen-cast recoding utility to catch the message. Appeard to be what you see in the attachment.
Is it known bug in VS 8.7 P2? Is there a timeline to fix it?
Currently we are holding the Windows 7 migration of because of this. We can not afford 3,000 users calling a helpdesk with this issue.
Thank you for your reply.
This is not exactly what I have been seeing, but if you time the occurrence of the messages and they appear every 40 seconds, then you might have another manifestation of the same underlying problem.
3000 users complaining about spurious messages seems like a serious problem. I hope you can get it resolved. Please post back to share with us what you discover while working the issue with McAfee support. I am particularly interested in knowing exactly what the "WSCavexe.exe" file does, and whether it is safe to rename it.
Note that in Windows 7 you can tell the System and Security Action Center that you will monitor the status of your antivirus solution yourself. That will suppress the error message you are seeing, but it is not a long-term supportable solution to the problem.
The time between pop-ups varies, but about 1 minute or so. Also there is no option to "I monitor on my own" since Windows 7 sees that McAfee is On and operational. Frankly, I have no time to change it in that split second, when Security Center thinks that McAfee is down.
Sounds like I need to submit a ticket to McAfee for this...
Download the new ePolicy Orchestrator (ePO) Support Center Extension which simplifies ePO management and provides support resources directly in the console. Learn more about ePO Support Center