3 Replies Latest reply on Apr 16, 2012 7:29 AM by sbenedix

    Event Id 5000: McShield started



      We have McAfee 8.8 with agent with agent 4.6, in tha last few weeks evry time the agent updateing with the EPO, the applications on the computers lost connection with the network.

      I investigated the microsoft log file, and I saw that every time I get "Event Id 5000: McShield started" I have this connection problem.


      can someone help me with this issue.




        • 1. Re: Event Id 5000: McShield started

          Event 5000 is generated when the scanner comes online.

          This means it's reading many megabytes of data into memory (~140mb), then flushing a large portion of that data back to disk (creating a ~90mb memory mapped file).


          This is a resource intensive operation.

          Apps that are sensitive to "heartbeat" probes are quite likely to think their heartbeat has stopped.


          If your VPN or other network access control solution uses a heartbeat, this is likely the issue. The resolution would be to lighten up the heartbeat check - though there are some thread priority tweaks you can look into in our knowledgebase.

          • 2. Re: Event Id 5000: McShield started



            I tried to find some tweaks in the knowledgebase, and I didn't find, can you please help me with those thread?





            • 3. Re: Event Id 5000: McShield started

              KB68965 and KB66044 discuss tweaks with regards to thread priority for the various processes involved in an update, namely the framework service. Another thing that can be tried is to schedule the update out of hours. Depends on your current setup, how the connection is re - created etc. I have used "thread priority" as keywords for the KB, there may be more articles to be found.