mcdave
Level 10
Message 1 of 12

wrong DATVersion in registry

Hi,

On a few clients the DATVersion in the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8700" is wrong while the client is up to date (it reports correctly in ePO), but our vulnerability scanner uses this registry key.
This results in false positives. How does it come that the info in the registry is wrong, and how can I fix it?

Will this key value be updated when I delete it?

regards,

Dave

11 Replies
Tristan
Level 15
Message 2 of 12

Re: wrong DATVersion in registry

What operating system? Have they been rebooted recently (or have the McAfee services been stopped and restarted)?

What is the value against the 'DATInstallDate' key? And what is in the 'AVDATVersion' key in HKLM\Software\McAfee\AVEngine?

All my 8.7 installs (on Win2K) report the correct DAT version against both keys.

The other option is to use the 'AVDatVersion' key in HKLM\Software\McAfee\AVEngine in your vulnerability scanner.

mcdave
Level 10
Message 3 of 12

Re: wrong DATVersion in registry

OS: Win 2008 R2

Yes, the server was rebooted twice yesterday.

The values in "HKLM\Software\McAfee\AVEngine" are also wrong ('AVDATVersion' = "2010/02/15").

They are the same values as in "HKLM\Software\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8700".
It also reports the wrong installed HotFix version (2 instead of 5).

I tried to fix it with a "repair", without improvement.

Tristan
Level 15
Message 4 of 12

Re: wrong DATVersion in registry

32-bit or 64-bit?

All the registry values would suggest that the machine is not up to date and not updating. I'm assuming that you've checked what DAT version is reported in the 'about' box when you right-click on the agent taskbar icon.

This isn't a virtual machine by any chance? Possibly what you're seeing in ePO is not the details of this particular computer but a duplicated entry of a cloned VM instance that is updating correctly.

mcdave
Level 10
Message 5 of 12

Re: wrong DATVersion in registry

It's 64-bit.
The version in the About box is correct.
It's not a virtual machine.

strongy
Level 9
Message 6 of 12

Re: wrong DATVersion in registry

Get your vuln scanner to check the following location for 64-bit systems.

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8700
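
A way to see the two copies side by side, as an added example that is not part of the thread and not McAfee's own tooling: this PowerShell reads the DAT version from both the 64-bit and the 32-bit (Wow6432Node) registry view and warns when they disagree. The key paths and value names are the ones quoted in the thread; the function name `Get-DatVersionByView` is hypothetical, and .NET 4 or later (PowerShell 3+) is assumed for `OpenBaseKey`.

```powershell
# Added example (not from the thread): read the DAT version from both registry
# views so a stale copy in one view becomes visible. Key paths and value names
# are those quoted in the thread; the function name is hypothetical.
function Get-DatVersionByView {
    $targets = @(
        @{ Path = 'SOFTWARE\Network Associates\ePolicy Orchestrator\Application Plugins\VIRUSCAN8700'
           Name = 'DATVersion' },
        @{ Path = 'SOFTWARE\McAfee\AVEngine'; Name = 'AVDatVersion' }
    )
    $views = [Microsoft.Win32.RegistryView]::Registry64,
             [Microsoft.Win32.RegistryView]::Registry32

    foreach ($t in $targets) {
        foreach ($view in $views) {
            # OpenBaseKey selects the view explicitly, so the result does not
            # depend on whether this PowerShell host is a 32- or 64-bit process.
            $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
            try {
                $key = $base.OpenSubKey($t.Path)   # read-only; $null if absent
                $value = $null
                if ($key) {
                    $value = $key.GetValue($t.Name)
                    $key.Dispose()
                }
                [pscustomobject]@{
                    View  = $view
                    Key   = "HKLM\$($t.Path)"
                    Name  = $t.Name
                    Value = $value
                }
            }
            finally { $base.Dispose() }
        }
    }
}

$rows = Get-DatVersionByView
$rows | Format-Table -AutoSize

# Flag any value that is present in both views but differs between them.
$rows | Group-Object Name | ForEach-Object {
    $distinct = @($_.Group | Where-Object { $null -ne $_.Value } |
        Select-Object -ExpandProperty Value -Unique)
    if ($distinct.Count -gt 1) {
        Write-Warning "$($_.Name) differs between views: $($distinct -join ' vs ')"
    }
}
```

In the Registry32 view the same path resolves under `Wow6432Node`, so a warning here means a scanner's result depends on which view it reads.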

mcdave
Level 10
Message 7 of 12

Re: wrong DATVersion in registry

Indeed, that key contains the correct information, but I can't change the vulnerability check of our vulnerability scanner.
And we do have other similar 64-bit systems that don't have the issue?

strongy
Level 9
Message 8 of 12

Re: wrong DATVersion in registry

I have seen this behavior before. I am not 100% sure. But I think it may have something to do with UAC during the Agent install.

Maybe check if it's enabled / disabled, change to the other, remove and re-install the Agent / VSE on those systems?

Not tried it myself, but worth a try.

Maybe changing UAC in itself may solve it too?

Message was edited by: strongy on 28/03/12 05:00:33 CDT
alexn
Level 14
Message 9 of 12

Re: wrong DATVersion in registry

To manually FIX the registry issue:

  1. Click Start, Run, type regedit, and click OK.
     Windows Vista or 7 users, right-click regedit in the results and select Run as Administrator.
  2. Navigate to the appropriate location below:
    • 32-bit systems: HKLM\Software\McAfee\AVEngine, AVDatVersion
    • 64-bit systems: HKLM\Software\Wow6432Node\McAfee\AVEngine, AVDatVersion
  3. In the right pane, right-click and select New, DWORD value, and name the new value AVDatVersion.
  4. Double-click AVDatVersion and set the Value data to 0.
  5. Close the registry editor.

OR download the SuperDAT file, extract it, and run the exe on the affected system.

Re: wrong DATVersion in registry

I seem to also have this issue at a client. It comes back very irregularly, on multiple servers.

UAC is turned off for these servers.

All run McAfee Enterprise 8.8 patch 1.

The registry seems to retain an older version at some point.

Though it is reporting the correct version to ePolicy correctly.

Restarting the "McShield" service seems to resolve the issue.

Unfortunately, this happens on a lot of servers, and I cannot ask our operations department to restart these services that often.

Is there any way to stop this "error"?
