9 Replies Latest reply on Feb 19, 2010 7:19 AM by rackroyd

    MA 4.5 creating lots of subdirs under own folder

    Attila Polinger

      Hello,

       

      we have installed ePO 4.5 + Patch 1 in our test Windows environment. We created an MA 4.5 deployment task as well. On computers that get Ma installed, soon subdirs appear under C:\Program Files\McAfee\Common Framework.

      Screenshots included.

       

      These folders have the same content (seemingly) and because their number is growing gradually consume free disk space.

       

      Currently the test environment ePO server could be down (unfinished reboot) for them. Could that be the reason?

      If yes, how can we eliminate these until the problem solves?

       

      Thanks for any ideas.

       

      Attila

       

       

      Message was edited by: Attila Polinger on 2/15/10 9:46:24 AM CST

       

       

      Message was edited by: Attila Polinger on 2/15/10 9:48:48 AM CST
        • 1. Re: MA 4.5 creating lots of subdirs under own folder
          rackroyd

          Hi,

           

          I'm guessing you get a new one of these folders each time you deploy or redeploy the agent.

          As it's a test environment you may be doing that a lot one way or another and therefore see a lot of them created.

           

          So, since it's a test environment try stopping the agent service then removing the lpcrt_***** folders, then restarting the agent service.

           

          I don't think this'll be the reason your test ePO server is down though.

          Not unless it's eaten all the free disk space on the server itself !

           

          Hth,

           

          Rob

          1 of 1 people found this helpful
          • 2. Re: MA 4.5 creating lots of subdirs under own folder
            Attila Polinger

            Hello,

             

            no, the agent deployment runs every day just once (as does its counterpart in the production environment), and these folders get created every 2-5 (varying) minutes or so. I have just checked and in addition to these folders I saw some twenty McAfee Agent icons on the systemtray, which disappeared one by one as I ran the mouse over them.

            The policy enforcement interval is 60 minutes and ASCI is 180 minutes.

             

            What is set to 5 minutes is the priority event forwarding in MA policy.

             

            NB: the server was down due to manaul shutdown inadvertently and I thought the folders got created because they contain some temporary data in lack of server connection. But when theserver has started again, the folders did not vanish.

             

            I would say the folders might get created because old ones could not be deleted by the agent, and they all seemingly have the same content.

             

            Any other idea (which I thank you in advance) ?

             

            Attila

            • 3. Re: MA 4.5 creating lots of subdirs under own folder
              rackroyd

              The two to five minute timing has me a little stumped to say the least.

              Would be worth walking back through the agent logs for unexpected behaviour. Try filtering on 'lpc' to reduce the volume.

               

              Anyway, the usfeul file in this folder structure is mfelpc.dll

              There should be two copies with an MA 4.5 installation.

               

              One location is controlled by the value in:

              HKLM\SOFTWARE\Network Associates\TVD\Shared Components\Framework\MA_LPC_RUNTIME

              It should point to one of your many folders. Perhaps this key is being regularly updated or deleted ?

              You should be able to stop the service and remove the rest of the lpcrt_***** folders I think. (don't quote me on that though !)

               

              The other copy of mfelpc.dll is fixed in \Program Files\McAfee\Common Framework\

              Don't touch this one.

               

              Otherwise I guess you could use regmon/filemon to watch if this registry key or file is being updated, and then perhaps by which process.

               

              Rgds,

               

              Rob.

              1 of 1 people found this helpful
              • 4. Re: MA 4.5 creating lots of subdirs under own folder
                Attila Polinger

                Hi,

                 

                /sorry I must copy bigger chunks of agent log here/

                 

                I had to open the agent_hostname.log (which was nearly 10 MBs) because the Agent_hostname.xml was 0 byte.

                Searching for the string 'lpc' finds this in the log:

                 

                2010-02-03 14:57:17 I #15284 Datastore Did not find setting AssignmentList in section Policy for software ID PolicyRoot
                2010-02-03 14:57:21 I #15284 LpcConnMgr Initializing lpc data
                2010-02-03 14:57:21 I #15284 LpcConnMgr Registering software id EPOAGENT3000 with a hash value of 197307931
                2010-02-03 14:57:21 I #15284 LpcConnMgr Registering software id CMNUPD__3000 with a hash value of 1496913389
                2010-02-03 14:57:21 I #15284 LpcConnMgr Starting lpc connection manager
                2010-02-03 14:57:21 I #15284 LpcConnMgr Setting up lpc server
                2010-02-03 14:57:21 I #15284 LpcConnMgr lpc server path \\.\pipe\ma_named_pipe
                2010-02-03 14:57:21 I #15284 WinLpcSvr Initializing LPC server
                2010-02-03 14:57:21 I #15284 WinLpcSvr Using randomized name \\.\pipe\ma_named_pipe184719824 for first instance "\\.\pipe\ma_named_pipe"
                2010-02-03 14:57:21 I #15284 WinLpcSvr Setting server path to \\.\pipe\ma_named_pipe184719824
                2010-02-03 14:57:21 I #15284 WinLpcSvr Starting LPC server
                2010-02-03 14:57:21 I #15284 WinLpcSvr Creating server run thread
                2010-02-03 14:57:21 I #15284 WinLpcSvr server started successfully
                2010-02-03 14:57:21 I #15284 LpcConnMgr Setting up message queue
                2010-02-03 14:57:21 I #15284 LpcConnMgr Setting up heart beat component

                 

                which repeats according to the interval mentioned. And I think I know why:

                 

                This stands in front of each ccurerence of the above exceprt:

                2010-02-03 15:03:25 i #15344 Agent Next policy enforcement in 60 minutes
                2010-02-03 15:04:03 I #15284 FrmSvc Stopping Subsystem <User Space Controller>
                2010-02-03 15:04:03 I #15284 FrmSvc Stopping Subsystem <Listen Server>
                2010-02-03 15:04:03 I #12464 LstnSvr CHttpServer::StopListening - m_pListen->Close, SetHttpPortBound(FALSE)
                2010-02-03 15:04:04 I #9364 LstnSvr WQIsEmpty - Entered m_csWQItemList critical section...
                2010-02-03 15:04:04 I #9364 LstnSvr WQIsEmpty - Exited m_csWQItemList critical section...
                2010-02-03 15:04:04 I #8132 LstnSvr WQIsEmpty - Entered m_csWQItemList critical section...
                2010-02-03 15:04:04 I #8132 LstnSvr WQIsEmpty - Exited m_csWQItemList critical section...
                2010-02-03 15:04:04 I #13532 LstnSvr WQIsEmpty - Entered m_csWQItemList critical section...
                2010-02-03 15:04:04 I #13532 LstnSvr WQIsEmpty - Exited m_csWQItemList critical section...
                2010-02-03 15:04:04 I #12464 LstnSvr CHttpServer::~CHttpServer
                2010-02-03 15:04:04 x #15284 LstnSvr Subsystem stopped
                2010-02-03 15:04:04 I #15284 FrmSvc Stopping Subsystem <Agent>
                2010-02-03 15:04:04 x #15284 Agent Subsystem stopping....
                2010-02-03 15:04:04 I #15796 Agent Agent Data Channel ePO Request Handler worker thread terminating
                2010-02-03 15:04:04 I #14920 Agent Agent Data Channel Request Handler worker thread terminating
                2010-02-03 15:04:04 I #4364 Agent Agent Data Channel worker thread terminating
                2010-02-03 15:04:04 I #15736 Agent Agent communication thread terminating
                2010-02-03 15:04:04 I #9176 Agent Agent worker thread terminating
                2010-02-03 15:04:04 I #1612 Agent Agent event worker thread terminating
                2010-02-03 15:04:04 I #15060 Agent Agent Immediate Events  worker thread terminating
                2010-02-03 15:04:04 I #15344 Agent Agent policy worker thread terminating
                2010-02-03 15:04:04 I #6448 Agent Agent communication thread terminating
                2010-02-03 15:04:04 x #15284 Agent
                2010-02-03 15:04:04 I #15284 FrmSvc Stopping Subsystem <Scheduler>
                2010-02-03 15:04:04 i #15284 Sched The Scheduler is shutting down
                2010-02-03 15:04:04 i #15284 Sched Scheduler is now stopped
                2010-02-03 15:04:04 I #15284 FrmSvc Stopping Subsystem <Updater>
                2010-02-03 15:04:04 I #15284 updsubs Stopping updater subsystem
                2010-02-03 15:04:04 i #15284 Updater
                2010-02-03 15:04:04 I #15284 FrmSvc Stopping Subsystem <Management>
                2010-02-03 15:04:04 I #12976 Manage WorkThread - WaitForMultipleObjects = WAIT_OBJECT_0
                2010-02-03 15:04:04 I #12976 Manage Mangement plugin watch worker thread terminating
                2010-02-03 15:04:04 x #15284 Manage Subsystem stopped
                2010-02-03 15:04:04 I #15284 FrmSvc Stopping Subsystem <Logging>
                2010-02-03 15:04:04 x #15284 Logging
                2010-02-03 15:04:04 I #15284 naInet HTTP Session closed
                2010-02-03 15:04:04 I #1704 FrmSvc Set COM launch permissions and service settings
                2010-02-03 15:04:04 I #1704 FrmSvc END
                2010-02-03 15:04:18 E #9140 Logging addAgentInfoToLog GUID query error 2
                2010-02-03 15:04:18 I #9140 FrmSvc START cmdline="c:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart
                2010-02-03 15:04:18 I #9140 FrmSvc ServiceStart
                2010-02-03 15:04:18 I #9140 FrmSvc Running
                2010-02-03 15:04:18 I #15624 FrmSvc Starting Subsystem <Logging>
                2010-02-03 15:04:18 x #15624 Logging Subsystem started
                2010-02-03 15:04:18 I #15624 FrmSvc Starting Subsystem <User Space Controller>
                2010-02-03 15:04:18 I #15624 FrmSvc Starting Subsystem <Management>
                2010-02-03 15:04:18 I #12616 Manage Mangement plugin watch worker thread started

                 

                seems as if a repeated agent shutdown and startup were occurring causing the phenomenon. This happens also on the ePO server itself.

                 

                The test ePO server is in a firewall protected environment. Does not the agent expect some access freedom lacking of which this issue occurs?

                 

                Attila

                • 5. Re: MA 4.5 creating lots of subdirs under own folder
                  Attila Polinger

                  I have done some more investigation and now it seems that Rogue System Detection is to blame. There is an automatic response to install McAfee Agent on hostst that Rogue System Sensor detects as unmanaged. Due to a likely issue of not upgrading RSD 2.0 to RSD 4.5 during the ePO 4 to 4.5 upgrade regarding RSD, ePO server and many hosts are considered unmanaged, resulting in 5 minutes trigger of this response on the same hosts over again (5 minutes because the RSD cache lifetime is by default 300 secs, until re-detected system is "left alone").

                   

                  This might be causing the folders in question to be created but not deleted afterwards (need confirmation though). As long as there is space, the push install continues and when it is depleted, the following error appears in server.log:

                  20100215194051 I #14620 NAIMSRV  Push Agent Install parameter: FramePkg.exe /ForceInstall /Install=Agent /Silent /InstDir="<PROGRAM_FILES_DIR>\McAfee\Common Framework"
                  20100215194051 E #14356 NAIMSRV  Failed to start remote agent install service. Err=997

                   

                  I disabled the Push McAfee Agent action in the automatic response as a workaround.

                  • 6. Re: MA 4.5 creating lots of subdirs under own folder
                    Attila Polinger

                    Not a fully developed resolution but have to do with it temporarily.

                    • 7. Re: MA 4.5 creating lots of subdirs under own folder
                      rackroyd

                      Hi,

                       

                      Reading through it I think you're on the mark with your analysis.

                      If you want to take it further it's probably best to open a support call at this point, I suspect it may need a review from our developers to fully understand the cause.

                       

                      Please quote the thread if you do open a call, this should help expedite the escalation process.

                       

                      Thanks,

                       

                      Rob

                      1 of 1 people found this helpful
                      • 8. Re: MA 4.5 creating lots of subdirs under own folder
                        Attila Polinger

                        Rob,

                         

                        one of my intentions is finding RSD 4.5 install package and check in ePO 4.5. Trouble is I can't find it on the McAfee grant-based program download section area with ePO 4.5. Is it avaliable separately? I assumed ePO 4.5 will automatically check in the new package as has checked in the new extension.

                         

                        Attila

                        • 9. Re: MA 4.5 creating lots of subdirs under own folder
                          rackroyd

                          Hi,

                           

                          Correct again. ePO 4.5 checks in the extension and install package for RSD 4.5 as part of the installation.

                          It's not available as a separate download as there is currently no need.

                           

                          Rgds,

                           

                          Rob.