Hmm, an update should be the first thing to consider, you are running on an old set of drivers (8.8 RTW), P1 for VSE 8.8 will update you to 188.8.131.527. Note issue 15 in the P1 readme. From the data presented, difficult to say what is going on and what is at the root, that would require perfmon, poolmon, dump analysis. I'm quite confident though that P1 will alleviate the symptoms you describe. Make sure the OS is up to date (Windows update).
The numbers are odd though.
More reading if you are interested, I found useful: http://blogs.msdn.com/b/ntdebugging/archive/2006/12/18/understanding-pool-consumption-and-event-id_3a00_--2020-or-2019.aspx
You would be able to analyse MFE0 memory consumption with a memory snapshot (kernel dump) while the machine is in the state of exhibiting the symptoms.
I found a way to dump all pool allocations tagged with MFE0 without restarting the system.
1. Create a memory dump (memory.dmp) without restarting the system - https://kc.mcafee.com/corporate/index?page=content&id=KB50467
2. Download PoolTools from http://computer.forensikblog.de/en/2007/11/pooltools-version-130.html
3. Open poolfinder.pl and change the line 'usage|?|' => \$opt_usage, to 'usage' => \$opt_usage,
4. Repeat the previous step for PoolDump.pl
5. perl poolfinder.pl --dbcreate --dbfile Pool.db3 --nolisting memory.dmp
6. perl PoolDump.pl --dbfile Pool.db3 --dumpfile memory.dmp --tag MFE0 > MFE0.txt
7. Open MFE0.txt in a text editor which does not try to load the whole file into memory (I used TextPad)
Steps 5 and 6 require Perl with the necessary packages installed (I used ActivePerl). These two steps may take several hours.
These instructions probably are far from optimal, but they give freedom to everyone technically literate to follow them, to obtain an approximate idea of what is going on without relying on the interpretations of someone else.
In MFE0.txt, which I generated by following essentially the same instructions, I found a lot of "cygwin" strings. Recently I compiled OpenSSL in Cygwin environment in order to create self-signed certificates.
On the basis of that information I created a test case which clearly illustrates the memory issue:
1. Install Cygwin
2. Download openssl-1.0.1.tar.gz from http://www.openssl.org/source/
3. Extract the archive and install all Cygwin packages, which are necessary for compilation of OpenSSL
4. Start Poolmon, sort the list by Bytes (b) and save a screenshot:
5. Open Cygwin console and enter into the directory of OpenSSL
6. There execute: ./config && make && make test
7. If the compilation and tests are successful then close Cygwin. Otherwise fix the compilation problems, extract OpenSSL into another folder and return to step 4.
8. Wait 20 minutes and save a screenshot of Poolmon:
Although the test case involves compilation of source code, the underlying memory problem may manifest itself in other situations.
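Added example, not part of the original posts: the before/after Poolmon comparison from the test case above, done on text snapshots instead of screenshots so the growth per pool tag can be computed. The column layout (Tag, Type, Allocs, Frees, Diff, Bytes, Per Alloc) is an assumption about how the snapshots were saved, and the sample values are constructed, not taken from the thread.

```python
# Constructed sample snapshots (assumed layout, invented numbers).
BEFORE = """\
 Tag  Type     Allocs      Frees     Diff     Bytes  Per Alloc
 MFE0 Nonp     120000     110000    10000   2400000        240
 Ntf  Paged     50000      48000     2000    400000        200
 File Nonp      90000      89000     1000    300000        300
"""
AFTER = """\
 Tag  Type     Allocs      Frees     Diff     Bytes  Per Alloc
 MFE0 Nonp     900000     500000   400000  96000000        240
 Ntf  Paged     51000      49000     2000    400000        200
 File Nonp      95000      93900     1100    330000        300
 Proc Nonp        200        100      100     80000        800
"""


def parse_snapshot(text):
    """Return {(tag, pool_type): (outstanding_allocations, bytes)}."""
    pools = {}
    for line in text.splitlines():
        # Split from the right: a tag may contain spaces, the numbers never do.
        parts = line.rsplit(None, 6)
        if len(parts) != 7 or not all(p.isdigit() for p in parts[2:]):
            continue  # header, blank or malformed line
        tag, pool_type = parts[0].strip(), parts[1]
        diff, nbytes = int(parts[4]), int(parts[5])
        pools[(tag, pool_type)] = (diff, nbytes)
    return pools


def growth(before, after, min_bytes=1_000_000):
    """List tags whose byte usage grew by at least min_bytes, largest first."""
    rows = []
    for key, (diff, nbytes) in after.items():
        old_diff, old_bytes = before.get(key, (0, 0))  # tag may be new
        delta = nbytes - old_bytes
        if delta >= min_bytes:
            rows.append((key[0], key[1], delta, diff - old_diff))
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for tag, pool, dbytes, dallocs in growth(parse_snapshot(BEFORE),
                                             parse_snapshot(AFTER)):
        print(f"{tag:<4} {pool:<5} +{dbytes} bytes, +{dallocs} outstanding allocations")
```

A tag whose outstanding allocations keep rising long after the workload has stopped is the one worth dumping by tag as in the earlier steps.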
> I'm quite confident though that P1 will alleviate the symptoms you describe.
I don't see a clear reason to think so. Issue 15 in the release notes of Patch 1 refers to the process validation service, which apparently is part of Access Protection. Access Protection is not installed on the system.
You should check to see if you have a process that's leaking Handles.
We have seen and addressed NPP leak issues in our drivers in previous releases, but we haven't seen anything for a long time that has been confirmed as a McAfee issue - instead what we've found is we are a victim of a poorly behaving process, who is opening file handles endlessly (which we are having to track in our driver code, thus using up memory).
Otherwise, you should force the system to dump (or you can try live dumps if your system must remain up, but live dumps aren't 100% reliable to have the data we'll need - or at least the data may not be coherent). With a dump we'll be able to track the pool usage and probe for other potential causes.
ESET NOD32 Business Edition 184.108.40.206 passed the test case without leaking memory.
After uninstall of McAfee VirusScan Enterprise 8.8 (and McAfee Agent) and subsequent system restart, part of McAfee remains active and occupies RAM memory:
One way to remove that part is the following:
- Start -> Run -> cmd
- sc delete mfetdi2k
- del %SystemRoot%\system32\drivers\mfetdi2k.sys
- Restart the system