cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
tcox8
Level 10
Report Inappropriate Content
Message 1 of 5

Issue with some devices after upgrade to Agent 5.6.1.

Jump to solution

In the past few months we've upgraded from 5.5.0.447 to 5.6.1. Most devices have completed the upgrade but I have a handful (50-150 out of 3500) devices that just show "pending" on the 5.6.1 agent install. Attempting to push the install manually (not via product deployment) will fail. When checking the MFEagent.msi.log file in C:\Windows\temp\McAfeeLogs it says the following:

 

CustAct [12:59:52:868] main [I] setFilePermissions START
CustAct [12:59:55:106] Acl [E] Error trace:
CustAct [12:59:55:107] main [E] [setFilePermissions START]->
CustAct [12:59:55:108] Acl [E] [SetNamedSecurityInfo,C:\ProgramData\McAfee\Agent\msgbus\config.ini,1,536870916,1]->
CustAct [12:59:55:109] Acl [E] error 5: Access is denied.
CustAct [12:59:55:110] main [I] setFilePermissions END

It appears to be an issue with the permissions of config.ini file. I can delete the file but it immediately repopulates. I have tried pushing the policy to turn off self protection in the McAfee Agent General policy but that doesn't help. Any ideas are greatly appreciated.

1 Solution

Accepted Solutions
tcox8
Level 10
Report Inappropriate Content
Message 5 of 5

Re: Issue with some devices after upgrade to Agent 5.6.1.

Jump to solution

Figured out how to resolve this. I created a powershell script to handle it.

 

Step 1: Remove MAR

Step 2: Run FrmInst /Remove=Agent (This puts it in updater mode and allowed for communication to flow)

Step 3: Run FramePkg /Install=Agent (copied the new agent install early in the script)

 

Has been working great so far.

View solution in original post

4 Replies
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 2 of 5

Re: Issue with some devices after upgrade to Agent 5.6.1.

Jump to solution

On the client side where the agent logs are, check the mfecactl.log to see if you see any of our processes, or msiexec, blocked.  Those would need to be the ones blocked.  Also check ens or VSE access protection log to ensure there is nothing in there.  You may also try rebooting - perhaps there is a pending reboot operation that needs completed first.  Otherwise, you can maybe run procmon while doing the install and check any access denied entries.  You can view the stack at that moment to see what processes are involved - it may identify some 3rd party blocking it.  If all else fails, try removing the agent completely with forceuinstall, reboot and try again, but make sure there are no remnants of the previous agent.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

tcox8
Level 10
Report Inappropriate Content
Message 3 of 5

Re: Issue with some devices after upgrade to Agent 5.6.1.

Jump to solution

Mfecactl log shows that "C:\ProgramFiles\McAfee\Agent\X86\MCSCRIPT_INUSE.exe" was blocked on the day the install was pushed. But it also shows up before and after the 5.6.1 agent install happened.

 

We use ENS - I could not find anything blocked via access protection, ATP, SelfProtection, ThreatPrevention, etc. logs

 

The machines have been rebooted multiple times.

 

Looks like I'll need to try to get access to another machine to run procmon.

 

Note: If I try to push the agent from ePO, both with force and not, it will fail out with the Error 5:Access denied and then becomes unreachable through the McAfee Agent. At that point all agent logs are wiped out. I can only view logs for the machines that I have not forced a reinstall/install of the agent.

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 4 of 5

Re: Issue with some devices after upgrade to Agent 5.6.1.

Jump to solution

Yea, as long as you see mcscript blocked in that log, it will fail with the access denied.  That indicates injection, which you can check out kb88085.  What was it blocked by?  Identifying that dll or process can help identify what software to deal with.  Sometimes it is a 3rd party software, that if removed, issue goes away.  The KB shows how to identify and remediate injection issues. 

If you run the install locally, it may succeed or fail, depending on if that blocking dll or process also blocks msiexec or any of our other processes.  Mcscript_inuse is only invoked for remote installs that the agent kicks off from a task.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

tcox8
Level 10
Report Inappropriate Content
Message 5 of 5

Re: Issue with some devices after upgrade to Agent 5.6.1.

Jump to solution

Figured out how to resolve this. I created a powershell script to handle it.

 

Step 1: Remove MAR

Step 2: Run FrmInst /Remove=Agent (This puts it in updater mode and allowed for communication to flow)

Step 3: Run FramePkg /Install=Agent (copied the new agent install early in the script)

 

Has been working great so far.

View solution in original post

More McAfee Tools to Help You

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community