Showing results for 
Show  only  | Search instead for 
Did you mean: 
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 11 of 26

Re: MA 4.6.0 Patch 2

Just to let people know - this issue is with the developers and is being looked at with high priority. I don't have a timescale for a solution yet but it will be as soon as possible.



Level 7
Report Inappropriate Content
Message 12 of 26

Re: MA 4.6.0 Patch 2

Hi all,

Anyone who has rolled back to Patch 1 as a result of this should be aware of McAfee KB75956 ( which I was just informed of by mcafee support.

The short version is: Rolling back corrupts the windows catalog store. This then leads to a BSOD on boot due to windows being unable to verify driver signatures on 64 bit windows.

So, if you've rolled back to Patch 1, please check for catroot corruption before restarting. I've ordered a hold on this month's windows security updates on my SuperAgents (read: site DCs and DNS servers) in our environment so we can validate that this isn't going to

happen to us and leave us with non-booting DCs in remote sites.

Depending on your remote desktop settings, this can also lead to you being unable to RDP in to the server in question (I think this only impacts people with TLS and/or NLA configured for RDP).

I've got at least one of these running in a VM, and I *think* have a procedure that will allow the catalog store to be repaired before reboot, and I will post this as soon as I'm sure it works.


Level 7
Report Inappropriate Content
Message 13 of 26

Re: MA 4.6.0 Patch 2

OK, so the procedure to repair catroot properly on a running system is as follows (If you are locked out of RDP, but still have file access to the server for file access, you can use sysinternals psexec to start and stop the service below, and the file move operations can be accomplished through the administrative share).

1. Stop the cryptographic services service:

     net stop cryptsvc

2. Move the C:\windows\system32\catroot\Tmp??? folder mentioned in KB85956 back to C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}

     If there is more than one such TMP folder. In the case of our system, the correct folder contains several thousand catalog files.

3. In the folder c:\windows\system32\catroot2, move all the files to another folder, (do not rename or delete catroot2 itself, as it has a service SID permission on it for the cryptograpgic services service that cannot be added to another folder within the UI).

4. Start the cryptographic services service:

     net start cryptsvc

The catroot2 folder should then be re-built. This can take up to 10 minutes, and appears to be complete once the creation of .log files stops.

I would also recommend renaming the bootcat.cache file as mentioned in the KB article before the first reboot attempt. At least in our case, this led to the file being re-built on boot, and the system starting correctly, and in this case, if you are trying to do this remotely, you will only get one shot at it before someone is going to have to pay the server a visit.

Hope this helps someone...


Re: MA 4.6.0 Patch 2

"Roll back the agents" is not an option if patch desribed in Microsoft Security Bulletin KB271853 has been installed on your system(s). Otherwise BlueScreen - MS patch applied since July 10 via WSUS is the 'normal' status.

Hopefully McAfee will repost Patch 2 of their Agent with a new build number. We have already deployed the Agent 2918 to 75% of our systems - with confirmed result that Framework Service service crashes on lot of systems.

I like to expect that we can see which agent build is installed when Patch 2 is reposted.

As all our Super Agent Repositories are affected and service crashes under load so far only Failure 1 and 2 in Recovery options set for the Framework Service service to automatically restart improves the chaos.

When service crashed replication no longer works between central ePO server and our distributed repositories ww - so our WAN is deeply impacted by unneeded bandwidth consumption when updates are downloaded from central server instead of local repository.

Is McAfee still testing their patches before release?


Re: MA 4.6.0 Patch 2

My hopes that McAfee would finally stop this crazy practice of a "repost" when they patch their code was dashed this morning when they "reposted" patch 2. This just goes against everything I know in software life cycle development as they even state "new features, fixes and enhancements." That would say you change the patch release. Instead they still call it patch 2, but change the file versions



Even more confusing is this release leaves the non-windows version of the reposted patch at 2918, while the windows versions go to 2935.

You can read more about it here:

McAfeeAgent 4.6.0 Patch 2 Windows Repost is now available.

This releaseincludes new features, fixes, and enhancements including:

To downloadthis release, go to the McAfee Downloads site at  

To viewthe Release Notes, see PD23886(


Re: MA 4.6.0 Patch 2

I thought after the Intel acquisition the history of releasing  bad software would stop but nope!!

If anybody has deployed the 'new' 4.6 P2 agent please report back, especially where deploying to superagent repositories.

I will be holding off from deploying it after still having burnt fingers from deploying the first release


Re: MA 4.6.0 Patch 2


i tested it on our superagent repositorys and it seems to be working.

no replication errors so far.


Re: MA 4.6.0 Patch 2

Thanks Schnuecks did you have the SA issues with the first release and then have to roll back to Patch 1 agents on them?


Re: MA 4.6.0 Patch 2

Yes , i rolled them back to 2292 and now update to 2935.


Re: MA 4.6.0 Patch 2

Thanks mjd, the DB folder looks to have disappeared although I have these events in the Application log.

MSIinstaller Event ID 11728

Product: McAfee Agent -- Configuration completed successfully.
For more information, see Help and Support Center at

McLogEvent Event ID 257

Blocked by access protection rule. Access to object C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE was blocked by rule Common Standard Protection:Prevent termination of McAfee processes.

McLogEvent EVent ID 257

Blocked by access protection rule. Access to object C:\Program Files\McAfee\Common Framework\udaterui.exe was blocked by rule Common Standard Protection:Prevent termination of McAfee processes.

McLogEvent EVent ID 258

The update failed; see event log.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community