13 Replies Latest reply on Apr 9, 2010 5:31 AM by andydu

    VirusScan 8.7 blocks ePO Agent

    eden_hsr

      I've a big problem with McAfee VirusScan 8.7 (Patch 2) and ePO Agent 4.0.0.1494.

      The following rule from VirusScan blocks the Agent from communicating with the ePO server:

      In VirusScan Console: Access Protection --> Common Standard Protection --> Prevent modification of McAfee Common Management Agent files and settings; both options (Block/Report) are checked.

       

      From some computers I received this and more error messages via the ePO server:

      --

      05.03.2010    14:04:07    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe    \REGISTRY\MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework    Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings    Action blocked : Write

       

      05.03.2010    14:04:07    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files\McAfee\Common Framework\FrameworkService.exe    C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\DB\Agent_<COMPUTERNAME>.xml    Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings    Action blocked : Write

      --

       

      Then I deactivated the rule on the ePO server for all clients, and everything seemed to be fine. After some days I activated the rule again to see if the problem would occur again. Since then, more than a third of all my clients could not connect with the ePO server again. I receive more than ten thousand emails a day.

       

      To solve the problem I uninstalled the VirusScan and installed it again via ePO server. That works fine. But is this the only solution?

       

      I also receive FullScan errors like below:

      --

      Computername / IP:

      <COMPUTERNAME> / <IP>

       

      Betroffenes Objekt:

      \REGISTRY\MACHINE\System\CurrentControlSet\Services\McAfeeFramework\Security

       

      Regelverstoß / Kategorie:

      Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings / Regelverletzung bei Zugriffsschutz entdeckt und blockiert

       

      zusätzl. INfo:

      C:\Program Files\McAfee\VirusScan Enterprise\SCAN32.EXE

       

      EreignisID / Datum:

      1092 / 09.03.10 14:36:55

      --

       

      There must be a problem with this rule. But I don't know what exactly is blocking. What do you recommend? Deactivate the rule, uninstall VirusScan and install it again over ePO?

      Why does VirusScan block the ePO agent? That can't really be true!?!

       

      Thanks for your help.

      If you need more information and logs, please ask.

        • 1. Re: VirusScan 8.7 blocks ePO Agent

          I'm wondering if the default "exclusions" for that rule have been erased.

           

          The rule is listed under "Access Protection" / "Common Standard Protection" / "Prevent modification of McAfee Common Management Agent files and settings"

           

          Under "processes to exclude", are there entries listed?

          • 2. Re: VirusScan 8.7 blocks ePO Agent
            Attila Polinger

            Hi,

             

            if you have access to the ePO server which is managing your host, please check out the VSE 8.7 AP policies, especially for the rule you mention (and for workstation). naPrdMgr.exe and other McAfee files should be in the exclusion list (by default).

             

            If they are not there they must be added manually.

             

            Attila

            • 3. Re: VirusScan 8.7 blocks ePO Agent
              eden_hsr

              Thanks for the fast answer. I checked the rule exclusion.

              For the 8.7:

              ???setup.exe, ??setup.exe, ?setup.exe, amgrcnfg.exe, avtask.exe, cfgwiz.exe, cmdagent.exe, cqmghost.exe, dbinit.exe, EPOCMAPROCESSES, FCAGT.exe, firesvc.exe, FireTray.exe, FrameworkService.exe, fssm32.exe, giantantispywar*, HipManage.exe, ikernel.exe, InsFireTdi.exe, kavsvc.exe, McAfeeFire.exe, McAfeeHIP_Clien*, mcconsol.exe, McScript_InUse.exe, MPEScanner.exe, msi*.tmp, msiexec.exe, naPrdMgr.exe, navw32.exe, nmain.exe, RPCServ.EXE, RSSensor.exe, rtvscan.exe, SAEDisable.exe, SAEuninstall.exe, SAFeService.exe, SCAN32.EXE, SCAN64.EXE, scanner.exe, services.exe, setup*.exe, setup.exe, Setup_SAE.exe, SiteAdv.exe, TBMon.exe, uninstall.exe, update.exe, vstskmgr.exe, _ins*._mp

               

              For the old 8.5 (never had problems):

              ???setup.exe, ??setup.exe, ?setup.exe, amgrcnfg.exe, avtask.exe, cfgwiz.exe, cleanup.exe, cmdagent.exe, cqmghost.exe, firesvc.exe, FireTray.exe, framepkg.exe, framepkg_upd.exe, frameworks*, frminst.exe, fssm32.exe, giantantispywar*, ikernel.exe, InsFireTdi.exe, kavsvc.exe, McAfeeFire.exe, McAfeeHIP_Clien*, mcscript*, mctray.exe, MPEScanner.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, naimserv.exe, naprdmgr.exe, naprdmgr64.exe, narepl32.exe, navw32.exe, nmain.exe, RPCServ.EXE, RSSensor.exe, rtvscan.exe, scanner.exe, services.exe, setup*.exe, setup.exe, SiteAdv.exe, udaterui.exe, uninstall.exe, update.exe, updaterui.exe, _ins*._mp

               

              For the 8.7 I looked at the error messages and added the processes to the exclusion list. I don't know why the processes are not stored there anymore.

              • 4. Re: VirusScan 8.7 blocks ePO Agent

                Here's what my default VSE 8.7i+Anti-Spyware, P3, non-epo managed rule has for exclusions:

                 

                ???setup.exe, ??setup.exe, ?setup.exe, amgrcnfg.exe, avtask.exe, cfgwiz.exe, cleanup.exe, cmdagent.exe, cqmghost.exe, dbinit.exe, FCAGT.exe, firesvc.exe, FireTray.exe, framepkg.exe, framepkg_upd.exe, frameworks*, frminst.exe, fssm32.exe, giantantispywa*, HipManage.exe, ikernel.exe, InsFireTdi.exe, kavsvc.exe, McAfeeFire.exe, McAfeeHIP_Clie*, mcconsol.exe, mcscript*, mctray.exe, MPEScanner.exe, msi*.tmp, msiexec.exe, mue_inuse.exe, naimserv.exe, naprdmgr.exe, naprdmgr64.exe, narepl32.exe, navw32.exe, nmain.exe, RPCServ.EXE, RSSensor.exe, rtvscan.exe, SAEDisable.exe, SAEuninstall.exe, SAFeService.exe, scanner.exe, services.exe, setlicense.exe, setup*.exe, setup.exe, Setup_SAE.exe, SiteAdv.exe, TBMon.exe, udaterui.exe, uninstall.exe, update.exe, updaterui.exe, vstskmgr.exe, _ins*._mp

                 

                 

                Message was edited by: Mal09 on 10/03/10 09:39:34 GMT
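The comparison made in the posts above can be scripted. The following is an added example, not code from any poster or from McAfee: it checks the blocked process in each Access Protection event against an exclusion list and reports which default entries a policy lacks. It assumes VSE wildcards behave like shell-style `?`/`*` globs matched case-insensitively on the image name; the lists are abbreviated subsets of those quoted in posts 3 and 4, and all function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase
from ntpath import basename

# Abbreviated from the exclusion lists in posts 3 and 4 (subset chosen for illustration).
POLICY_87 = ("EPOCMAPROCESSES, cmdagent.exe, FrameworkService.exe, McScript_InUse.exe, "
             "msiexec.exe, naPrdMgr.exe, SCAN32.EXE, SCAN64.EXE, setup*.exe, vstskmgr.exe").split(", ")
DEFAULT_87 = ("cmdagent.exe, framepkg.exe, frameworks*, frminst.exe, mcscript*, msiexec.exe, "
              "naprdmgr.exe, naprdmgr64.exe, setup*.exe, updaterui.exe, vstskmgr.exe").split(", ")

# The two events from the first post; columns are separated by tabs or runs of spaces.
SAMPLE_LOG = r"""
05.03.2010    14:04:07    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files\McAfee\Common Framework\naPrdMgr.exe    \REGISTRY\MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\Framework    Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings    Action blocked : Write
05.03.2010    14:04:07    Blocked by Access Protection rule     NT AUTHORITY\SYSTEM    C:\Program Files\McAfee\Common Framework\FrameworkService.exe    C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\DB\Agent_<COMPUTERNAME>.xml    Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings    Action blocked : Write
"""

def parse_events(text):
    """Yield (process_path, target, rule) for every blocked-by-rule line."""
    for line in text.splitlines():
        cols = re.split(r"\t+|[\t ]{2,}", line.strip())
        if len(cols) == 8 and cols[2] == "Blocked by Access Protection rule":
            yield cols[4], cols[5], cols[6]

def matching_exclusion(process_path, exclusions):
    """Return the first exclusion pattern that covers the image name, else None."""
    name = basename(process_path).lower()
    return next((p for p in exclusions if fnmatchcase(name, p.lower())), None)

def triage(text, exclusions):
    """Map each blocked image name to the exclusion covering it (None = not excluded)."""
    return {basename(proc): matching_exclusion(proc, exclusions)
            for proc, _target, _rule in parse_events(text)}

def missing_from(policy, baseline):
    """Baseline entries that do not appear literally (case-insensitive) in the policy."""
    have = {p.lower() for p in policy}
    return [p for p in baseline if p.lower() not in have]

def policy_variables(policy):
    """Heuristic: an entry with no dot and no wildcard is a variable, not a file name."""
    return [p for p in policy if not re.search(r"[.*?]", p)]

if __name__ == "__main__":
    print("covered by policy :", triage(SAMPLE_LOG, POLICY_87))
    print("covered by default:", triage(SAMPLE_LOG, DEFAULT_87))
    print("missing in policy :", missing_from(POLICY_87, DEFAULT_87))
    print("variables in policy:", policy_variables(POLICY_87))
```

On these inputs both blocked processes are covered by either list, while the policy list lacks the default wildcard entries `frameworks*` and `mcscript*` and carries one non-file entry, `EPOCMAPROCESSES`.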
                • 5. Re: VirusScan 8.7 blocks ePO Agent
                  eden_hsr

                  Thanks for your exclusion list Mal09

                  I applied yours to my list. But I still left the rule deactivated.

                   

                  How can I activate the clients to communicate again with the ePO Server in an easy way?

                   

                  Deleting the ePO AgentID doesn't help. It's logical.

                  • 6. Re: VirusScan 8.7 blocks ePO Agent
                    twenden

                    I believe that you have fallen into the same software trap that I did about 3 weeks ago. I made a custom rule under Access Protection which then caused the clients' EPO agents to block the McAfee Framework service. This then prevents the clients from updating. Spent over 2 1/2 hours on the phone with McAfee, who referenced the following knowledgebase article:

                     

                    Title: The EPOCMAPROCESSES variable incorrectly excludes processes for the McAfee Agent

                     

                    Problem

                    A McAfee Agent process, such as FrameworkService.exe, is blocked by Access Protection. This can happen on clients that have received a modified policy using the EPOCMAPROCESSES variable.

                    These computers might not be manageable via ePO any more.

                     

                    Knowledge Base : KB67452

                     

                    It was a painful experience for us as we had over 600 plus systems that stopped communicating. McAfee can provide you with a script that will automatically fix the issue. Make sure that they give you the script that clears the events, otherwise you will get 1000's of error events being passed back to the server as soon as they get fixed.

                     

                    If they are part of a domain/AD you can push these scripts.

                     

                    Don't want to experience this again as the majority of our systems are not part of a domain. This meant we had to email users and post the fix on our website. Sometimes the script works, sometimes it does not. This means we still have to visit a few to fix the McAfee. Life sucks sometimes.

                    • 7. Re: VirusScan 8.7 blocks ePO Agent
                      eden_hsr

                      Thank you very very much for your information. Your post is exactly the problem I have.

                      Actually I cannot logon to the ePO console. In the event viewer there's written, that the SQL server is overfilled with logs, I think...

                      Have to fix that first...

                       

                      I'll contact McAfee and will ask for the script.

                      • 8. Re: VirusScan 8.7 blocks ePO Agent
                        twenden

                        Glad that this info helps you. It has been a time-consuming exercise for me. Had to create a custom report that helps me find the broken systems. We are now down to about 59 systems that have not updated. I also had issues with the console. Each system, when fixed, will send thousands of 1092 events to the EPO server, which at times can make the console quit responding and possibly fill up your SQL database.

                         

                        In our case, we use MSDE and came close to filling it up. Had to keep monitoring the size and then purge frequently to keep it manageable.

                         

                        If you look at knowledge base article KB51873 it will show you some OSQL commands that you can run to remove events if the database was to get too full or exceed its limit.

                         

                        It would also be good to call McAfee to double check. I am relieved that I am not the only person that had to deal with this problem. What a nightmare it has been, it almost made me walk out of my job.

                        • 9. Re: VirusScan 8.7 blocks ePO Agent
                          eden_hsr

                          Thank you twenden for your very useful information.

                           

                          I wrote a script which uninstalls VSE and clears the log files. Twice, the server DB was full. I wrote a report and frequently purge the events with ID: 1092.

                          At the moment ~450 clients aren't manageable and over 780 are okay. But the script isn't published to all clients yet. I'll do that in the next days. Happy to have Altiris!

                           

                          After all and for your information: McAfee couldn't help me.

                           

                          Here's my script:

                          --

                          @echo off
                          cls
                          echo McAfeeRepair.cmd
                          echo ----------------
                          echo This script will uninstall McAfee VirusScan 8.7.
                          echo Delete the log files and AgentGUID from the registry.
                          echo Restart the McAfeeFramework service and connect with ePO.
                          echo.
                          echo Version 1.3
                          echo.
                          echo.

                           

                          echo 1. Check McAfee version and set variable...
                          if exist "%ALLUSERSPROFILE%\Application Data\McAfee" (set install_dir=McAfee)
                          if exist "%ALLUSERSPROFILE%\Application Data\Network Associates" (set install_dir=Network Associates)
                          if exist "%ALLUSERSPROFILE%\Application Data" (set app_data=Application Data)
                          if exist "%ALLUSERSPROFILE%\Anwendungsdaten" (set app_data=Anwendungsdaten)

                           

                          echo 2. Uninstall McAfee VirusScan 8.7...
                          msiexec /x {147BCE03-C0F1-4C9F-8157-6A89B6D2D973} REMOVE=ALL REBOOT=N /passive /q

                           

                          echo 3. Check if FullScan is running and stop them...
                          taskkill /F /IM scan32.exe 2>nul
                          taskkill /F /IM scan64.exe 2>nul

                           

                          echo 4. Remove logfiles...
                          del /f /s /q "%ALLUSERSPROFILE%\%app_data%\%install_dir%\Common Framework\AgentEvents">nul

                           

                          echo 5. Delete registry key AgentGUID...
                          rem Create a temporary REG file (path quoted in case %TEMP% contains spaces)
                          > "%TEMP%\GUID_del.reg" ECHO Windows Registry Editor Version 5.00
                          >>"%TEMP%\GUID_del.reg" ECHO.
                          >>"%TEMP%\GUID_del.reg" ECHO [HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent]
                          >>"%TEMP%\GUID_del.reg" ECHO "AgentGUID"=-
                          >>"%TEMP%\GUID_del.reg" ECHO.
                          regedit /s "%TEMP%\GUID_del.reg"
                          del /f /s /q "%TEMP%\GUID_del.reg">nul

                           

                          echo 6. Stop and start McAfeeFramework service...
                          rem A new AgentGUID would be created. Note: McAfee VirusScan must not be activated!
                          net stop McAfeeFramework>nul
                          ping -n 11 localhost>nul
                          net start McAfeeFramework>nul
                          ping -n 11 localhost>nul

                           

                          echo 7. Connect with ePO server...
                          rem Usage:  cmdagent /P /E /C /S
                          rem         /P Create and send properties
                          rem         /E Enforce Policies
                          rem         /C Check for new polices/tasks
                          "%ProgramFiles%\%install_dir%\Common Framework\CmdAgent.exe" /P
                          ping -n 11 localhost>nul
                          "%ProgramFiles%\%install_dir%\Common Framework\CmdAgent.exe" /C
                          ping -n 11 localhost>nul
                          "%ProgramFiles%\%install_dir%\Common Framework\CmdAgent.exe" /E
                          ping -n 11 localhost>nul

                           

                          echo 8. Repair finished.

                          --
