4 Replies Latest reply on Mar 23, 2010 6:48 AM by S12bug

    After Dat Update, Client Processor is 100%

      Daily at 9am through ePO the server updates its DAT from McAfee.  At 10am the clients then pull the new DAT file from the server.  However, on some Windows XP Pro SP3 machines running Agent 4.5 and AV 8.7i the EngineServer.exe process pegs at 100% for a few minutes.  After it has timed out the following events are posted in the Event Viewer.

       

      Event Type:    Information
      Event Source:    McLogEvent
      Event Category:    None
      Event ID:    5000
      Date:        12/31/2009
      Time:        10:04:06 AM
      User:        NT AUTHORITY\SYSTEM
      Computer:    COMPUTERNAME
      Description:
      McShield service started.
      Engine version : 5400.1158
      DAT version : 5847.0000

      Number of signatures in EXTRA.DAT : None
      Names of threats that EXTRA.DAT can detect : None



      Event Type:    Information
      Event Source:    McLogEvent
      Event Category:    None
      Event ID:    257
      Date:        12/31/2009
      Time:        10:04:16 AM
      User:        NT AUTHORITY\SYSTEM
      Computer:    COMPUTERNAME
      Description:
      The scan of C:\Program Files\McAfee\Common Framework\naSPIPE.dll has taken too long to complete and is being canceled.  Scan engine version used is 5400.1158 DAT version 5847.0000.



      Event Type:    Information
      Event Source:    McLogEvent
      Event Category:    None
      Event ID:    257
      Date:        12/31/2009
      Time:        10:04:17 AM
      User:        NT AUTHORITY\SYSTEM
      Computer:    COMPUTERNAME
      Description:
      The scan of C:\WINDOWS\Prefetch\ENTVUTIL.EXE-314A3317.pf has taken too long to complete and is being canceled.  Scan engine version used is 5400.1158 DAT version 5847.0000.



      Event Type:    Information
      Event Source:    McLogEvent
      Event Category:    None
      Event ID:    257
      Date:        12/31/2009
      Time:        10:04:18 AM
      User:        NT AUTHORITY\SYSTEM
      Computer:    COMPUTERNAME
      Description:
      The scan of C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\NextProp.xml has taken too long to complete and is being canceled.  Scan engine version used is 5400.1158 DAT version 5847.0000.



      Event Type:    Information
      Event Source:    McLogEvent
      Event Category:    None
      Event ID:    257
      Date:        12/31/2009
      Time:        10:04:19 AM
      User:        NT AUTHORITY\SYSTEM
      Computer:    COMPUTERNAME
      Description:
      The scan of C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\DB\Agent_VQASC.xml has taken too long to complete and is being canceled.  Scan engine version used is 5400.1158 DAT version 5847.0000.

       

      This occurs daily.  It looks as if it attempts to rescan the files with the new DAT file but times out after the attempt fails.

       

      Does anyone have any ideas of what is causing this?
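
Added example (not part of the original post or of any McAfee tooling): a Python check of whether Event ID 257 scan timeouts cluster right after a McShield start (Event ID 5000), using the Event Viewer text layout quoted above. The function names, the 5-minute window and the 02:30 PM sample record are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the Event Viewer text layout quoted in the post;
# the 02:30 PM record and its path are invented to show an unrelated timeout.
SAMPLE = r"""
Event ID:    5000
Date:        12/31/2009
Time:        10:04:06 AM
Description:
McShield service started.
DAT version : 5847.0000
Event ID:    257
Date:        12/31/2009
Time:        10:04:16 AM
Description:
The scan of C:\Program Files\McAfee\Common Framework\naSPIPE.dll has taken too long to complete and is being canceled.
Event ID:    257
Date:        12/31/2009
Time:        02:30:00 PM
Description:
The scan of C:\Temp\example.iso has taken too long to complete and is being canceled.
"""

HEADER = re.compile(r"Event ID:\s*(\d+)\s+Date:\s*(\S+)\s+Time:\s*(\d+:\d+:\d+ [AP]M)")
TIMEOUT = re.compile(r"The scan of (.+?) has taken too long to complete")
DAT = re.compile(r"DAT version\s*:\s*([\d.]+)")

def parse_events(text):
    """Return (timestamp, event_id, body) for each record in the export."""
    heads = list(HEADER.finditer(text))
    ends = [h.start() for h in heads[1:]] + [len(text)]
    return [(datetime.strptime(f"{m[2]} {m[3]}", "%m/%d/%Y %I:%M:%S %p"),
             int(m[1]), text[m.end():end]) for m, end in zip(heads, ends)]

def timeouts_after_reload(events, window=timedelta(minutes=5)):
    """Attach each Event 257 timeout to the McShield start (Event 5000) it follows."""
    report, current = [], None
    for when, ev_id, body in sorted(events, key=lambda e: e[0]):
        if ev_id == 5000 and "McShield service started" in body:
            dat = DAT.search(body)
            current = {"reload": when, "dat": dat[1] if dat else None, "paths": []}
            report.append(current)
        elif ev_id == 257 and current and when - current["reload"] <= window:
            hit = TIMEOUT.search(body)
            if hit:  # timeouts outside the window are treated as unrelated
                current["paths"].append(hit[1])
    return report
```

Each entry in the returned list names the DAT version loaded and the files whose scans timed out inside the window, which shows at a glance whether the timeouts are confined to the agent's own folders.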


        • 1. Re: After Dat Update, Client Processor is 100%
          JoeBidgood

          I can't say I've seen that before, but - as a possible quick and dirty workaround - if you add an exclusion for the agent folder(s) to VSE, does that fix it?

           

          Regards -

           

          Joe

          • 2. Re: After Dat Update, Client Processor is 100%
            rmetzger


            Hi Magnum,

             

            What version of ePO are you using and what is the version of the Agents? Also, how much RAM is in the affected workstations?

             

            Try: https://kc.mcafee.com/corporate/index?page=content&id=kb53690 "CPU usage spikes during policy enforcement and a DAT update"

            Lowering the working thread priority helps relinquish CPU cycles to other processes during updates.

             

            I have found this solution helpful.

             

            Specifically,

            Workaround  1

            CAUTION: This article contains information about opening or modifying the registry.
            • The following information is intended for System Administrators. Registry modifications are irreversible and could cause system failure if done incorrectly.
            • Before proceeding, McAfee strongly recommends backing up your registry and understanding the restore process. For more information, see: http://support.microsoft.com/kb/256986
            • Do not run a .REG file that is not confirmed to be a genuine registry import file.


            Lower the priority of the McAfee Framework Service so it does not consume all available CPU resources.
            1. Click Start, Run, type regedit, then click OK.
            2. Navigate to and select the following registry key:

              [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]

            3. In the right-hand pane, right-click a blank space and select New, DWORD Value.
            4. For the name, type LowerWorkingThreadPriority and press ENTER.
            5. Right-click LowerWorkingThreadPriority and select Modify.
            6. In the Value data field type 1, then click OK.
            7. Click Registry, Exit.
            8. Restart the McAfee Framework Service.

             

            My version of the .reg file:

            REGEDIT4

             

            ;; - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
            ;; see https://kc.mcafee.com/corporate/index?page=content&id=KB53690&pmv=print
            ;;  'CPU usage spikes during policy enforcement and a DAT update'
            ;; Solution:
            ;;   A noticeable performance improvement is found when using McAfee Agent 4.0
            ;;   and ePolicy Orchestrator 4.0 server because ePO 4.0 compiles the policy
            ;;   before sending it to the agent.
            ;;
            ;; Workaround:
            ;; Solution 1 - "LowerWorkingThreadPriority"
            ;; 1. Click Start, Run, type regedit, then click OK.
            ;; 2. Navigate to and select the following registry key:
            ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]
            ;; 3. In the right-hand pane, right-click a blank space and select New, DWORD
            ;;    Value.
            ;; 4. For the name, type LowerWorkingThreadPriority and press ENTER.
            ;; 5. Right-click LowerWorkingThreadPriority and select Modify.
            ;; 6. In the Value data field type 1, then click OK.
            ;; 7. Click Registry, Exit.
            ;; 8. Restart the McAfee Framework Service.
            ;;
            ;;  Only implement Solution 2 if the previous solution is not sufficient to
            ;;  reduce the CPU usage sufficiently during a policy enforcement and update.
            ;;  Solution 2 - Disable the NoUpdaterUI via the registry to reduce the CPU
            ;;  usage:
            ;; 1. Click Start, Run, type regedit, then click OK.
            ;; 2. Navigate to the following registry location:
            ;;    [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]
            ;; 3. Right-click on NoUpdaterUI and select Modify.
            ;; 4. In the Value Data field change the value to 1, then click OK.
            ;; 5. Click Registry, Exit.
            ;; 6. Restart your computer.

             

            ;; Solution 1

                [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework]
                "LowerWorkingThreadPriority"=dword:00000001
            ;;  "LowerWorkingThreadPriority"=-

            ;; Solution 2 (Switch the ;; on NoUpdaterUI lines to activate)

                [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator]
            ;;  "NoUpdaterUI"=dword:00000001
                "NoUpdaterUI"=-

            Hopefully this is helpful, and post back with any questions. Let us know if this works, please.

             

            Thanks,

             

            Ron Metzger

            • 3. Re: After Dat Update, Client Processor is 100%

              Hey Magnum

               

              How did you get on with this? Is the problem solved?

              • 4. Re: After Dat Update, Client Processor is 100%

                Hi,

                 

                 

                We have on our PCs two processes (services) which should never be interrupted for more than 0.5 seconds, because they handle two SCSI hardware devices. But the McAfee DAT update seems to stop all services (to restart McShield with the new DAT file) during its update for a much longer time (at about 09:15), which causes our two processes to fail because the users connected to one of the two hardware devices get an access timeout. The problem is that the process gets a handshake timeout because the restart of McShield with the new DAT file blocks the system for about 5 seconds.

                 

                We have applied your suggested workaround 1, without improvement.

                 

                 

                We are using these McAfee versions:

                 

                EPolicy-Orchestration-Agent Version 3.6.0.574

                Last update on 23.03.2010 09:12:00

                McAfee  AutoUpdate      Version 3.6.0.574 Language English

                Product Coverage report Version 3.6.0.574 Language English

                McAfee Virus Scan Enterprise WorkStation

                Version 8.5.0.781

                Virus definition 5928.0000

                Install date 23.03.2010 09:12:11

                Created on 22.03.2010

                Scan module

                   Version 5400.1158

                   Install date 19.11.2009 17:31:09

                Hot Fixes

                  Version 8

                  Install date 09.02.2010 10:00:06

                 

                 

                Questions:

                 

                1. Will your new version 4.0 correct this problem? If the new version simply implements the same as the workaround, it would not!
                2. Is it possible to make an exclusion list so that our two services would not be stopped by the DAT update?
                3. Would it be possible to temporarily prevent the DAT update, maybe by creating/changing a registry entry somewhere? We do have control over the users of the hardware devices, so we could first set the McAfee update delay flags, initiate the hardware user, and after that process finishes, let the McAfee DAT update proceed.
                4. Could you run the McShield process with a lower priority, so that the system is not blocked for such a long time when it restarts?

                 

                 

                 

                Regards,

                 

                Lucas

                 

                 

                Message was edited by: S12bug on 23/03/10 06:45:16 CDT

                 

                 

                Message was edited by: S12bug on 23/03/10 06:48:48 CDT