Well, I can add that it is an orphan process or a Zombie if you are Linux freaky. I have tried all sorts of tools and have a call open with McAfee about it. It's not new - it happens with older agents too. It is also not Windows Server version specific. I have a sneaky suspicion that it might also happen if you have other sessions such as TS or RDP open on the server, but I can't confirm that. Ho hum. Servers all around the world getting out of date......
So, just to clarify what you are seeing....
The process mcscript_inuse dies/hangs under the following circumstances:
- Agent v4.5 patch 2 (or older) on any platform
- Symptoms include:
  - updates not completing
  - process is running, but does nothing (until killed)
  - occasionally, systems freeze
Are you getting any Client Events or Threat Events from these clients?
Do agents continue to operate normally otherwise?
Do systems continue to operate normally otherwise?
When you try to stop the process, does it return Access Denied or something else?
The process remains after an agent install/update I believe. It has a parent process, which has closed. This makes it impossible to terminate. Some of the agent functions still appear to work, but it will not process any software updates or changes to policy/tasks defined in ePO. If you try to reinstall the agent, you get a 'fatal error'. If you try to terminate it from Task Manager, you get access denied. If you use Process Explorer, it says nothing. Same for various other tools. I see little in the event logs but admit I have not looked that closely. It does not happen on all systems, so it may be related to how the agent is actually pushed.
Systems are otherwise unaffected. I have recently seen a number of systems totally freeze after agent install (they ping but nothing else) but I am not sure the two are related. That could purely be an agent 4.5 patch2 issue as I do not think I got such happenings with the prior version.
I do need to try and establish some consistency, but my first priority is to try and find a way to kill the process and return the status quo without rebooting or killing any other vital server processes. Restarting McAfee services does not help. kill, pskill and some other tool I forget the name of with 16 ways to kill (that McAfee actually treats as an unwanted program by default ha ha) do not work.
You may want to double-check the Access Protection rules within VSE. If AP is on at all, you probably have options enabled that prevent either the stopping and/or termination of various McAfee processes.
It would be wonderful to get this to a point where it is reproducible. Anything else that might help narrow things down?