3 Replies Latest reply on Nov 15, 2010 10:12 PM by Pritish

    Diagnosing mcShield: mcShield.exe active and Perfmon says read queue when nothing should be going on

      I have an old W2K server SP4.  It is acting as a file and database server.  I have a pretty good handle on what user and cron type activities we have on the server.

       

      We have a 05:30 process that is automated against a large DB and runs till about 08:00.  The last few weeks (maybe over a month) we have been having problems with the users reporting this as "hung" and the payload not arriving in the database when the business wakes up.

       

      After moving the process from one client machine to another and getting the same symptom I logged onto the server @ 04:30 to see what the server was doing.

       

      Looking at % processor for the database service (nearly 0) and mcShield (consistently 5 - 16%) which is normally 0, disk read queue (2-4 consistently) which is normally 0 and spikes to 2 or so every so often.

       

      This looks to me like a large file copy / backup or Scheduled scan.

       

      If it is a copy, then I have a problem as no-one should be.

      Backup completes before 00:00.  All scheduled tasks are done by 01:00.

      So I am looking at some Windows thing that is reading a lot or a scheduled scan.

      It shouldn't be doing scheduled scans as they are off in the profile and in the portal it doesn't have a record of the last full scan.

       

      Does the mcShield do the scheduled scan?

      If I am up early tomorrow - how can I tell what file it is scanning or what it is doing?

       

      I haven't watched it all night, but 04:30 -> 06:30 and 08:00 -> 09:30 [the gap is when I wasn't watching], then back to 0.

       

      Any help gratefully received.

       

      Regards,

        • 1. Re: Diagnosing mcShield: mcShield.exe active and Perfmon says read queue when nothing should be going on
          rengaraj

          Hi,

           

          I have read your post.

           

          Please let us know the version of the McAfee SaaS Endpoint protection that you are currently running on the Server.

           

          Please let us know if this is happening only on the servers/computers running the Windows 2000 SP4 Server Operating system.

           

          Please let us know the above details and we shall help you further.

           

          Regards

           

          Pritish P.

          • 2. Re: Diagnosing mcShield: mcShield.exe active and Perfmon says read queue when nothing should be going on

            Pritish / Rengaraj,

             

            Thanks for taking the time to reply.

             

            I couldn't say if any of the other machines were suffering from this as this is the only one that is doing this type of function. We would have no idea of what other machines were doing in terms of disk queues etc. as they are dormant at this time and are users' machines (we rely on users complaining to notify us there is a problem on their workstations).

             

            5.0.0 Patch 6

             

            I guess the question still exists for all machines I am going to have to support though, i.e.:

            Does mcShield.exe CPU usage mean it could be On Access / Scheduled / On demand?

            How can you tell what files have been scanned / what it is currently scanning (is there a flag to write logs?).

             

            Regards,

            JAC

            • 3. Re: Diagnosing mcShield: mcShield.exe active and Perfmon says read queue when nothing should be going on
              Pritish

              Hi,

               

              I have read your reply.

               

              Please be informed that McAfee has now released the new v5.2 of the McAfee SaaS Endpoint protection.

               

              All the older 5.0 versions will be upgraded to v5.2 in a week or two.

               

              This new v5.2 does not support Windows 2000 Server versions as McAfee has withdrawn support for the Windows 2000 operating systems.

               

              Even though you have the 5.0 with patch 6.00, the new DAT updates that you get will support the Windows 2000 OS.

               

              This is because even Microsoft has withdrawn support for the Windows 2000 OS.

               

              Please upgrade your Operating System to have the continued protection.

               

              Regards

              Pritish P.