2 Replies Latest reply on Dec 16, 2010 10:34 AM by mhenke

    VSE 8.7 Patch 4 install failure

    mhenke

      After deploying Patch 4, we noticed an increase in users reporting malware that wasn't being detected/addressed by VSE.  Upon further investigation, we found that On-Access scanning was disabled, because a few key McAfee Windows services were not running.  On-Demand scans worked fine, but On Access scanning would report as disabled.  This was verified in checking deep within ePO for the endpoint, that if you displayed the VSE details, and scrolled down to "On Access General", the "bEnabled" flag was zero.

       

      To determine how many of our endpoints were impacted, we needed to query how many machines have the "bEnabled" flag set to zero.  But this isn't something that ePO lets you query.  This required us to query the SQL database directly. We found nearly 40% of our endpoints had On Access scanning disabled.

       

      Below is a query for ePO 4.5.0 build 937 with the database running on MS SQL 2005.  Run this against your ePO database using MS SQL Server Management Studio.  I thought I'd share for others in the community.

       

      -- List endpoints whose VSE "On-Access General" section reports bEnabled = 0
      -- (On-Access scanning disabled), with the product version and hotfix they report.
      SELECT [dbo].[EPOLeafNode].NodeName
            ,[dbo].[EPOLeafNode].LastUpdate
            ,[dbo].[EPOProductProperties].[productcode]
            ,[dbo].[EPOProductProperties].[productversion]
            ,[dbo].[EPOProductProperties].[hotfix]
            ,[dbo].[EPOProductSettings].[SectionName]
            ,[dbo].[EPOProductSettings].[SettingName]
            ,[dbo].[EPOProductSettings].[Value]
      FROM [dbo].[EPOProductSettings]
        inner join [dbo].[EPOProductProperties] on
          [dbo].[EPOProductSettings].ParentID = [dbo].[EPOProductProperties].autoid
        inner join [dbo].[EPOLeafNode] on
          [dbo].[EPOProductProperties].ParentID = [dbo].[EPOLeafNode].AutoID
        WHERE SettingName = 'bEnabled'
        AND SectionName = 'On-Access General'
        AND Value = 0
      -- Sort by product version, then hotfix, then most recent LastUpdate first
      order by 4, 5, 2 desc

        • 1. Re: VSE 8.7 Patch 4 install failure
          Attila Polinger

          Hi mhenke,

           

          thank you very much for your script.

           

          Would you please tell us if the problem has been resolved since (if so, how)? Did it happen because of missed reboots of computers or due to another cause? Did any special message(s) appear in Windows event logs that related to the error, and if so, what was it?

           

          Attila

           

           

          Message was edited by: Attila Polinger on 12/16/10 8:18:12 AM CET
          • 2. Re: VSE 8.7 Patch 4 install failure
            mhenke

            We are in the process of resolving the issue.  The problem turns out to be some sort of install failure in the VSE install script.  We use an ePO "Product Update" task to download & install any patches.  That task reported to ePO as successfully completing, and we thought all was well. What happened is we started having an increase of users reporting malware infections to our help desk.  Upon further investigation, we discovered these users' machines had OAS disabled.

             

            Symptoms that the machines exhibited are that the "McAfee Validation Trust Protection Service" and the "McAfee MCShield" service were not able to start.  Windows system event logs show that the service would error out logging that the file could not be found.  Thus, VSE was installed, and On-Demand scans would work, but OAS was disabled.  We have approximately 5,500 machines, and by using the SQL script from my earlier post, we identified 2,700 of them have OAS disabled.

             

            The resolution was simple: copy two files to the machine and start the services (though I would have to dig to find out which two files they were).  We wrote a simple .VBS script to perform this function, and pushed that script to the machines using our desktop management system.  We're using the SQL query to monitor progress.  We have not conducted a post-mortem to try to identify what was unique about these machines which caused Patch 4 to fail.
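
A summary form of the query from the first post, for tracking remediation progress by product version and hotfix. This is an added example, not part of the original thread. It uses only the tables and columns shown in that query, and assumes each endpoint reports one "bEnabled" row in the "On-Access General" section and that LastUpdate reflects when the endpoint last reported to ePO.

```sql
-- Added example (not from the original thread): OAS remediation progress.
-- Assumption: same ePO 4.5 schema as the query in the first post.
-- Comparing Value to '0' works whether the column is stored as text or
-- as a number, which avoids conversion errors on non-numeric rows.
SELECT  pp.[productversion]
       ,pp.[hotfix]
       ,COUNT(*) AS EndpointsReporting
       ,SUM(CASE WHEN ps.[Value] = '0' THEN 1 ELSE 0 END) AS OasDisabled
       ,CAST(100.0 * SUM(CASE WHEN ps.[Value] = '0' THEN 1 ELSE 0 END)
             / COUNT(*) AS DECIMAL(5,1)) AS PctDisabled
        -- Oldest report among still-disabled endpoints: a stale date means
        -- the machine may already be fixed but has not checked in since.
       ,MIN(CASE WHEN ps.[Value] = '0' THEN ln.LastUpdate END)
             AS OldestReportAmongDisabled
FROM [dbo].[EPOProductSettings] AS ps
  INNER JOIN [dbo].[EPOProductProperties] AS pp
    ON ps.ParentID = pp.autoid
  INNER JOIN [dbo].[EPOLeafNode] AS ln
    ON pp.ParentID = ln.AutoID
WHERE ps.SettingName = 'bEnabled'
  AND ps.SectionName = 'On-Access General'
GROUP BY pp.[productversion], pp.[hotfix]
ORDER BY OasDisabled DESC;
```

Run on a schedule, the OasDisabled and PctDisabled columns show whether the fix is landing, independent of what the deployment task itself reported.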