Bump. This affects Win2k8 R2 as well.
might be the vscan.bof file issue... ?
c:\program files\mcafee\virusscan enterprise\vscan.bof
its checked in with the normal dats, just might need replication to machines.
Thank you for this idea, but this .bof file:
Buffer Overflow DAT for VirusScan Enterprise 480
is already checked in. I am still getting over 10 000 msgs a day.
Ok, and I'll speculate that you have done some spot checks of some machines and made sure the correct file is there. the patch 3 vscan.bof isn't much different, it's like version 4.67 i think... Good Luck..
Have these issue been occuring ever since the BOC DAT update 480, which was posted on the 16/03/2010?
If you check your Access Protection log and Update log and confirm when the BOC DAT Update occured and whether these events of termination started to occur on or around the same time or after? Or did you see these events before the 16/03/2010?
1. 64 Bit only
2. First events: 17.03.10 16:39:17
3. Sp 3 checked in: 15.03.2010 14:51
4. .boc dat checked in: 16.03.2010
I can't find log files older then 17.03 - I cleaned log files on the EPO Server (I know not very clever) and clients logs reached max. size - first events from 19.03.
The sure thing is, that before SP3 access protection
was OK, but I can't tell u if it is after .boc file or after sp3.
Since 19.03.10 130 122 events ID 1092
Interesting those are PC generating 1092 events - I will take a closer look at those:
Thank you very much - it will be this case .. but, this is very interesting:
This is expected behavior. The Access Protection rule Prevent Termination of McAfee Processes
is currently not
supported on 64-bit computers and will not be supported in the future in this environment due to 64 bit security.
To suppress relevant errors, install
VirusScan Enterprise 8.7i Patch 1 (or later). This places an extra rule file (
extra460575.rul) in the VirusScan installation folder of 64-bit computers which disables this particular rule.
1 of 1 people found this helpful
For x64 systems this rule is meant to be disabled.
McAfee accomplishes this by including a Extra*.rul file that tells Access Protection this rule is disabled. The file is named EXTRA460575.RUL, found in the VSE install folder.
There is an upgrade path for x64 systems that is causing this file to be removed. We're not sure why yet.
The solution is to replace this file.
McAfee Support are working on updating the appropriate KB article to attach this file, and even to have it wrapped in an installer package.