1 Reply Latest reply on Sep 13, 2011 1:12 PM by wwarren

    McAfee McShield service received an invalid filename from the NaiFiltr device driver.

        Hello,

       

          I am reciving the following warning from a server in our enterprise.

       

      Event Type: Warning

      Event Source: McLogEvent

      Event Category: None

      Event ID: 5028

      Date:  9/12/2011

      Time:  4:33:18 PM

      User:  NT AUTHORITY\SYSTEM

      Computer: XXXXXXXX

      Description:

      McAfee McShield service received an invalid filename from the NaiFiltr device driver.

      Received name =

      Process = C:\Program Files\Group Logic\ExtremeZ-IP\ExtremeZ-IP.exe

       

        We use EPO 4.5 and AV 8.7 Patch 5, I have setup the .exe in the low risk processes. From my understanding, this should stop McAfee from throwing this warning. I have also reinstalled the AV 8.7 on the local server. It is odd becasue the warning does not show up every day, and only seems to last for a few seconds.

       

           Any insight as to why this warning is coming up, what are possible work around or steps for resolution.

       

           Also, when I setup the exe in the low process, there seems to be double \\ infront of every directory i.e - C:\\Program Files\\Group Logic\\ExtremeZ-IP\\ExtremeZ-IP.exe.. Is this correct? I have removed and added again, but after I save the policy, it shows up the same.. Is there a certain way to add the full path? Maybe quotes or something? I have also just added the file name with out the pathing i.e ExtremeZ-IP.exe.

       

            Thank you,

        • 1. Re: McAfee McShield service received an invalid filename from the NaiFiltr device driver.
          wwarren

          The event was logged because our scanner service (mcshield) received an invalid file name to scan.

          As you can see from the details of the event, there is no filename or "Received name". Somehow our file system filter driver got to place where it told our scanner "Hey Mcshield, scan [nothing] please"... to which Mcshield responds "Huh?  I'm telling on you.... [Log event 5028]".

           

          This is an error scenario we have catered for since we know it's a plausible logical outcome in handling file I/O. But unfortunately we can't capture enough contextual information about the occurrence to tell you "Why" it occurred.

          If you have a system or systems that can reproduce this, I suggest working with the McAfee Support team to see if we can delve into this further and get that contextual info that's missing, to help us understand why it's occurring for you. Past efforts in other field reports have been inconclusve because of the rarity and unpredictability of it - but based on past attempts to investigate, you could check if you have the option to scan processes on enable turned on? We recommend it not be enabled unless you've configured the product for "maximum security".