Nick_B
Level 11
Message 1 of 22

Troubleshooting the Updating of Security Products on Managed Endpoints

Dear Community Members,

We have an estate here with around 7,000 managed endpoints running a mix of Windows 7 and Windows 10 systems. Servers too of course, but they run Trend Micro instead of McAfee.

A number of them seem to be stuck on older versions of the security products, one example being a Windows 7 laptop which has MA 5.5.1.388, VSE 8.8.0.2024, DLP 11.0.200.1002 and HIPS 8.0.0.4228.

The DLP version, although out of date, is the version it should be on as I have not tagged it for 11.2 as yet.

It's the HIPS version which refuses to update however, being stuck on v8.0.0.4228 which translates to HIPS 8 Patch 9 with HF 1188590, I believe.

What would be the most useful log to interrogate in such a scenario?

I have downloaded from the client various logs, as below.

  • masvc
  • macmnsvc
  • macompatsvc
  • McScript
  • McScript_deploy
  • McScript_error
  • mfemactl

Although the logs do contain errors, it is unclear whether they are related to the issue at hand here, which is why the system does not update to HIPS 8.0.0.4789.

Also included below is a snip from the McAfee Activity Log.

[Image: Snip from McAfee Agent Activity Log]

From the above snip, the fourth line down - "...Patches and Service Packs" is the Update task that contains the relevant products to be updated on the endpoints, including HIPS.

11.59 GMT was the scheduled slot of the update to the device in question, a laptop called MAN...30.

11.59 GMT was about 10 minutes ago now so I would have expected this to be enough time for the update to apply.

Any ideas guys?

21 Replies
cdinet
McAfee Employee
Message 2 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

You are looking at the right logs - here is a brief explanation of the best ones to look at.

The masvc log shows tasks invoking and their status.

The mcscript log shows the update/deployment process where it gets files from the repositories and then runs the installers. If you see something like point product isn't running or some other errors where the agent isn't communicating with the point product in question, you would look at the macompatsvc log.

The first thing I would suggest with your version of agent is to disable peer to peer in the agent policy and see if that helps any after you make sure client gets policy change.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Nick_B
Level 11
Message 3 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

Hey cdinet!

Good to hear from you again!

Well it's typical, as the machine I was picking on - MAN30 - has decided it's not going to behave and I can't access the logs remotely anymore.

So I've picked on another one - MAN49 - which has a very similar predicament in that it refuses to update to HIPS P12. It has the latest versions of the other products (at least what is available from the Master Repository, anyway).

I'm seeing some Client Events for MAN49 like 2402 (update failed) as well as 2412 (deployment failed) from 11 June but none for today.

The VSE DAT files however, do update on these devices.

I'm including some extracts from the main logs of interest if that may shed light on the issue at all (see below). These were grabbed after the MA General policy was applied to MAN-49 which disabled the Peer-to-Peer options.

The scheduled slot for the Update task named Patches and Service Packs was at 15:28 today so they all start at that exact time. McScript log was enormous so only shows a very limited amount of the full log which must contain thousands of entries.

Look forward to hearing from you!

[Image: Masvc.log from MAN49 - After Disabling P2P]

[Image: McScript.log extract from MAN49 - After Disabling P2P]

[Image: Macompatsvc.log from MAN49 - After Disabling P2P]

Nick_B
Level 11
Message 4 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

Hey cdinet,

Good to hear from you again!

Typical isn't it, the system I was picking on - MAN30 - has decided it's not going to play ball anymore and is behaving awfully and I can no longer access the logs remotely.

So I'm picking on another system - MAN49 - which is in the same predicament in that it refuses to update to HIPS 8 P12. 

I've applied a McAfee Agent Policy to disable the Peer-to-Peer functionality.

The scheduled slot to receive the Update task entitled Patches and Service Packs was at 15:28 today, so I've grabbed some extracts from the main logs of interest from that exact time.

Please see below some extracts from the masvc, McScript and macompatsvc logs.

I look forward to hearing your thoughts!

[Image: masvc log from MAN49 - after Disabling P2P]

[Image: mcscript log from MAN49 - after disabling P2P]

[Image: macompatsvc log from MAN49 - after Disabling P2P]

cdinet
McAfee Employee
Message 5 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

Can you possibly email me the mcscript log and mcscript deploy log if it exists?  I need to see full log.  I will send you my contact info.


Nick_B
Level 11
Message 6 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

Sure thing, I'll whizz them right over to you!

Nick_B
Level 11
Message 7 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

They should be with you any minute!

cdinet
McAfee Employee
Message 8 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

Got them, thanks.

The agent is running the exe to install p12 –

2019-06-12 16:12:25       I               #10296  ScrptExe              Executing "C:\ProgramData\McAfee\Common Framework\\Current\HOSTIPS_8000\Patch\12\0000\McAfeeHIP_ClientPatch12.exe"

2019-06-12 16:12:25       I               #10296  ScrptExe              Using Aac exclusion path C:\ProgramData\McAfee\Common Framework\\Current\HOSTIPS_8000\Patch\12\0000\McAfeeHIP_ClientPatch12.exe

 

So now you should go to the windows\temp\mcafeelogs directory to the hips patch 12 install log to see where that failed.

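The triage step in the reply above, as an added example that is not part of the original thread or any McAfee tooling: it parses McScript.log lines in the layout quoted in the post and lists each installer the agent executed, which tells you which product install log to open under windows\temp\mcafeelogs. The field layout, the meaning of the folder after "Current", the filler lines and the 15:28 cut-off date are assumptions or constructed values.

```python
import ntpath
import re
from datetime import datetime

# Field layout assumed from the two McScript.log lines quoted in the reply:
# "YYYY-MM-DD HH:MM:SS  <severity>  #<thread>  <component>  <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<sev>\w)\s+"
    r"#(?P<tid>\d+)\s+(?P<comp>\S+)\s+(?P<msg>.*)$"
)
EXEC_RE = re.compile(r'^Executing "(?P<path>[^"]+)"')

SAMPLE = [
    # Constructed filler line in the same layout (not real agent output).
    "2019-06-12 16:12:20       I               #10296  Example               constructed filler entry",
    # The two lines quoted in the thread.
    r'2019-06-12 16:12:25       I               #10296  ScrptExe              Executing "C:\ProgramData\McAfee\Common Framework\\Current\HOSTIPS_8000\Patch\12\0000\McAfeeHIP_ClientPatch12.exe"',
    r'2019-06-12 16:12:25       I               #10296  ScrptExe              Using Aac exclusion path C:\ProgramData\McAfee\Common Framework\\Current\HOSTIPS_8000\Patch\12\0000\McAfeeHIP_ClientPatch12.exe',
    # Constructed: wrapped or truncated text that does not match the layout.
    "text that does not match the layout",
]

def executed_installers(lines, since=None):
    """Return one dict per ScrptExe 'Executing' entry at or after `since`."""
    found = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["comp"] != "ScrptExe":
            continue  # skip other components and unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        exe = EXEC_RE.match(m["msg"])
        if not exe or (since and ts < since):
            continue
        # ntpath parses Windows paths on any OS and collapses the doubled "\\".
        path = ntpath.normpath(exe["path"])
        parts = path.split("\\")
        # Assumption: the folder after "Current" is the product ID (HOSTIPS_8000 here).
        product = parts[parts.index("Current") + 1] if "Current" in parts[:-1] else None
        found.append({"time": ts, "thread": int(m["tid"]), "product": product,
                      "installer": ntpath.basename(path), "path": path})
    return found

if __name__ == "__main__":
    # Constructed cut-off: the 15:28 update slot, assumed to be on the log's date.
    for hit in executed_installers(SAMPLE, since=datetime(2019, 6, 12, 15, 28)):
        print(f'{hit["time"]}  {hit["product"]}  {hit["installer"]}')
```
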

Nick_B
Level 11
Message 9 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

Thanks very much for that.

I deliberately selected devices that were local (in the same building anyway) so I'll visit the one in question tomorrow and see what's going on!

Nick_B
Level 11
Message 10 of 22

Re: Troubleshooting the Updating of Security Products on Managed Endpoints

Hi Caryn,

Thanks very much for all your help on various issues of late. I'm learning a lot from you!

Can I ask a question - what is the difference between the McScript.log and the McScript_Deploy.log?

I pulled up the McScript_Deploy log from that device which is failing to upgrade to HIPS 8 P12 and the most recent entry was several hours behind that of the latest McScript log entry.

For many of them it's obvious what they are for, but there's one called mfemactl - what's the purpose of that one?

Speak soon.
