Showing results for 
Show  only  | Search instead for 
Did you mean: 
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 1 of 5




The ePO 5.9 and 5.10 install guides have a section in them for Troubleshooting and log file reference information.

NOTE: Always be sure the product versions you are installing are supported versions for the specific build of OS/platform you are installing on.  KB51109 is the master KB for supported environments for our products.

Server (ePO or agent handler) logs can be located in ePO/AH install directory\db\logs folder.  The server log will show push agent failures or other possible communication issues.

On the client side, the logs will be located in c:\programdata\mcafee\agent\logs folder.

Masvc log will show it getting the client task and invoking it (or failing to invoke at the scheduled time).

Macompatsvc log will show agent to point product communication failures.

Mcscript log will show the update process.  For deployments, depending on agent version, there may be an mcscript_deploy log.  Those are for product deployment tasks only, where the mcscript log will be for updates.  If there is no mcscript_deploy log, then all updates and deployments will be in the mcscript log.  Mcscript will show where the breakdown occurs and whether it is a repository issue, point product lpc communication failure with the agent, or a point product issue.  Here are the steps it will go through.

  1. Can it reach the repository and pull files from it? The log will show it downloading or failing to download files from a repository for one reason or another.  A “not up to date site” means that it hasn’t been replicated to yet since new content was added to the master repository.
  2. Once it gets the files from the repository, can the agent communicate with the point product to send the updates to? You may see “point product is not running” or a failure to find a qualifying product (or similar error).  You may want to reinstall or upgrade the agent and/or point product in that case.
  3. Once it gets past that point, in the case of deployments, you will see it running the setup for the point product. When the agent executes the setup files, then the agent part is done and successful.  The failure then will be on the OS or point product.
  4. C:\windows\temp\mcafeelogs folder will then contain the install logs for the point product to look at for troubleshooting those failures. At that point, you would go to that point product team for assistance.

Agent Deployment (Push Agent)

  • Review Server Task Log result and most importantly, server_servername.log (DB\Logs)
  • Keyword “push” in server.log – don’t forget that if multiple handlers exist in an environment, the push could be in a different server.log (when deploying, you can select the handler to use!)
  • Relies heavily on access to \\machinename\admin$ of endpoint. For all requirements and testing, see KB56386.


  • Injection can occur when third-party DLLs which either have untrusted certs or no certs at all load up with McAfee processes, like McScript_InUse.exe. In that scenario, updates will end up failing with curl error 28 (meaning a timeout) and will be seen in the McScript.log or the McScript_deploy.log.


  • This is due to McAfee Agent’s Self-Protection functionality – the self-protection rules are working as designed in this scenario – we WANT to prevent the process (McScript_InUse.exe, in this example) from successfully making network connections because it could be compromised by a potentially malicious file.
  • Example from McScript.log:

o    network    URL({0e773b7e-9786-11e7-3115-73e51b00cce7}) request, failed with curl error 28, Response 0, Connect code 0,

o    downloader                 Downloading file from{0e773b7e-9786-11e7-3115-73e51b00cce7} to C:\Windows\TEMP\SiteStat.xml failed.

  • The log that contains the rest of the data is called mfemactl.log. It will show entries like:


o    C:\PROGRAM FILES\MCAFEE\AGENT\X86\MCSCRIPT_INUSE.EXE>(7208) was blocked from accessing('CREATE' (1)) <aac_object_section:c:\windows\syswow64\bmnet.dll <br="">

  • Run the sysprep tool first to see if there are any DLLs that it finds and trusts.


A common problem, “my DATs/AMCore isn’t updating” can have many unique causes but is generally troubleshot in the same three-step manner:

  1. Reproduce the issue
  • It’s best to create and assign a new task (use an easily searchable name, like TestTask123). Remember that after assigning a new client task, the machine will have to communicate to receive the task (so send an Agent WakeUp or hit Collect & Send Props!)
  1. Confirm the task invoked and note status
  • To see where and when a task started, review the masvc_machinename.log. Search the task name from the bottom up – the first thing you find should be the result of the task (if it has completed). For example:

2019-01-09 17:00:14.426 masvc(444.4768) Updater.Info: Updater engine exited with exit status as 0 and  term signal 0.

2019-01-09 17:00:14.497 masvc(444.4768) compatservice.Info: is_compat_running: 1, is_compat_required: 1

2019-01-09 17:00:15.428 masvc(444.4768) scheduler.Info: The task Daily Update Task is successful

  1. Review logging

Non-Windows Agent Guide


Keep in mind:

  • The McAfee Agent has separate packages for the different platforms. For example – a Windows package, a Linux package, etc. These packages must be checked in to the ePO Master Repository separately.
  • The McAfee Agent can still be deployed (Push Agents) to non-Windows platforms, however it works entirely differently. Since a Windows deployment utilizes Windows file sharing, obviously that’s impossible for non-Windows clients. Instead, SSH protocol is utilized (port 22 by default). Red Hat/centOS have specific requirements to enable deployment and is a common source of push failures on those platforms. See the McAfee Agent Installation Guide for details.
  • The Agent still has three services on non-Windows platforms: masvc, macmnsvc and macompatsvc.
  • Non-Windows platforms are case-sensitive when working in the terminal/command line. Be wary to make sure your cases match, otherwise it will appear that the locations you’re attempting to access do not exist.


Log locations and data collection and service information



MAC MER tool: KB86785

/Library/McAfee/agent/ (install files)

/var/log/install.log (to view install logs)

/var/McAfee/agent/ (data directory: includes logs, db files, etc.  Equivalent on Windows is ProgramData)

/etc/ma.d/ (product plugins)


To view the status of a service:

Sudo /Library/McAfee/agent/scripts/ma status


Stopping and starting services:

Sudo /Library/McAfee/agent/scripts/ma start

Sudo /Library/McAfee/agent/scripts/ma stop

Sudo /Library/McAfee/agent/scripts/ma restart



All other non-Windows platforms (Linux, UNIX, etc.)

Linux MER tool: KB83005

/opt/McAfee/agent (install files)

/var/McAfee/agent (data directory)

/etc/ma.d/ (product plugins)



Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

4 Replies


Amazing and thanks!  Not only will this help me but I'm sure this will help others; it should be a sticky.


Thanks again!

McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 5


Trying to make it a sticky, but there are some issues with that at the moment they are working on.  Thanks!

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Level 10
Report Inappropriate Content
Message 4 of 5


Thanks for the documentation!

Is there a way to send a notification (email or via Splunk) to the ePO admins if the amcore is not updating?

McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 5


You can set up automatic responses for sending notifications for failed updates (event id 2402) that can send an email.  If you have a registered syslog server in epo, you can enable specific events for being sent to that syslog server under server settings, event filtering.  

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community