This content has been marked as final. Show 13 replies
We are having great difficulties with 64-bit servers running Exchange 2007. The Hub Transport and Edge Transport servers get extremely slow -- to the point that simply logging onto the server can take 10 minutes or more. Strangely, there is no memory, CPU, disk or network overconsumption going on (a lot of spikiness on page faults, though). When we shut down the McAfee services the server suddenly regains life. This happens about once a week. We have had great difficulty with McAfee support on this.
Please feel free to contact me if you'd like more information. I'll look at the handle counts next time I see the problem.
Same symptom here: Server gets progressively slower, until it's essentially non-responsive. If I let it go it will bluescreen. I already had to remove Groupshield from it due to excessing processor utilization and it looks like VirusScan will be next. I've been using McAfee AV software for over a decade; it's sad that's the quality has gone downhill so significantly in the last year.
The handles issue is present on 64 bit servers without Exchange 2007- I've checked two of them.
Here is the final response from Microsoft PSS:
"I have reviewed this case and I think that I have found what is most likely causing the performance issues for your server. There is a handle leak with the process FRAMEWORKSERVICE.EXE. This process is started by the “McAfee Framework Service” service on your system. For the moment, I would postpone any changes to the system related to the reported “Server Sluggishness” and contact the vendor for assistance with this handle leak."
McAfee? Anyone reading this who can comment on a fix, patch, or workaround, or do I need to replace your product?
You need to actually contact mcafee not post on here if you want them to look at this, this is user led support.
what version of the epo agent is installed (generating the frameworkservice)
Any updates on this? Any chance patch 5 fixed it? What patch are people running on Win2003 x64 machines? Are any of the 8.5i patches stable on this platform?
Patch 5 does not fix the problem. The first box I put it on was right up to 23,000+ handles in use within days.
Bummer. Did you get any answer from McAfee on this? Did it first start with Patch 4 or was there a problem with Patch 3, too?
I never contacted them directly. Someone else said they had and just wasted a bunch of time and energy getting the usual "No one else has reported this problem. It must be something in your environment" run-around.
I don't know when the problem started, or if it started with one of the patches.
Aren't you looking in the wrong place - FRAMEWORKSERVICE.EXE is a component of the CMA.
AFAIK The CMA is 'normally' used to manage VirusScan (and other products) from the McAfee management systems like ePO and PPP. Having said that in a standalone environment VirusScan 8.5i will also install the CMA to handled updates etc.
Anyhow, my real point is that I don't believe the VirusScan Patches actually address issues with the CMA - they are purely the VirusScan system itself. The CMA is normally listed seperately on the McAfee Updates (My Support) site.
What version of the CMA are you running?. If you have the McAfee CMA Shield showing you can right-click and select About to get the version, or if not I think you can look at the version of FRMINST.EXE or UDaterUI.EXE to get a version number. Certainly on my system the version number of these files shows the same as the About screen.
The current version appears to be 22.214.171.1244 (CMA 3.6.0 Patch 3), released 28-11-2007 (from the readme).
Looking at the McAfee Knowledgebase, CMA 3.6.0 Patch 1 (126.96.36.1996) addressed a similar issue:
A handle leak was discovered in the Common
Management Agent on Microsoft Windows 64-bit
machines. When the 32-bit framework service
attempted to retrieve the Process ID of a 64-bit
process, it abandoned approximately three
handles per call.
The offending routine has been modified to close
all opened handles.
Finally - my aplogises if this was information you already realised / had checked. I'm just trying to be helpful!.