0 Replies Latest reply on Mar 6, 2012 5:26 PM by hydew

    8.8P1 event 5051 on EICAR detection

      I currently have a support case open with McAfee regarding the scan engine crashing when detecting the EICAR test file on volumes other than C: when the filename ends in .TXT.  Here's an example event log entry:

       

      Log Name:      Application
      Source:        McLogEvent
      Date:          2/16/2012 3:12:10 PM
      Event ID:      5051
      Task Category: None
      Level:         Error
      Keywords:      Classic
      User:          SYSTEM
      Computer:      SERVERNAME
      Description:
      A thread in process C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe took longer than 120000 ms to complete a request.
      The process will be terminated. Thread id : 3124 (0xc34)
      Thread address : 0x00000000778F138A
      Thread message :

      Build VSCORE.14.4.0.375 / 5400.1158
      Object being scanned = \Device\HarddiskVolume7\test\eicar.txt
      by C:\Windows\system32\cmd.exe
      4(0)(0)
      4(0)(0)
      7200(0)(0)
      7595(0)(0)
      7005(0)(0)
      7004(0)(0)
      5006(0)(0)
      5004(0)(0)

       

      I have reproduced this issue on our 3-node Storage Server 2008 R2 SP1 cluster as well as another physical server and several VMs.  The last test with the VM was after a base install of 2008 R2 SP1 (not domain joined, no ePO agent) and installing 8.8 w/ P1 included.  The problem does not occur when using VSE 8.8 without patch 1. 

       

      McAfee will detect the EICAR file if I copy it from an excluded location to any other filename that does not end in .TXT.  It will also detect EICAR.TXT on the C: volume. 

       

      Support has stated that they are unable to reproduce the issue.  Anyone else want to see if they can reproduce this on any of their machines?   I've had the case open for over a month and I'd like to get this resolved.