8 Replies Latest reply on May 26, 2009 10:07 AM by rmetzger

    Mcshield.exe popup errors

      L.S.

      Recently I began work on a new standard image (sysprepped) for all our systems. The main difference is we're now going to use XP with SP3 instead of SP2, and Office 2003 instead of 2000.

      The method and version of installing McAfee have remained exactly the same (using altiris to deploy framepkg.exe). Most systems with this new image will give this error at one point or other, whereas they do not appear on systems with the old image:
      --------------------------------------------
      Type gebeurtenis: Fout
      Bron van gebeurtenis: McLogEvent
      Categorie van gebeurtenis: Geen
      Gebeurtenis-ID: 5019
      Datum: 25-5-2009
      Tijd: 15:34:00
      Gebruiker: NT AUTHORITY\SYSTEM
      Computer: C93782
      Beschrijving:
      Er Is een uitzondering opgetreden in McShield.Exe!
      Uitzonderingsdetails:
      VSCORE.13.3.2.125
      Exception Code : 0XC0000005
      Exception Address : 0X65498CBE
      Exception Parameters : 2
      Param 1 = 0X00000008
      Param 2 = 0X65498CBE

      More information :
      Exception in RegWatch thread.
      -------------------------------------------
      I have no clue why this is happening, although it seems to happen after it's trying to update itself. Any help with this would be greatly appreciated.

      Thanks in advance,

      Johan M. Kooijman
        • 1. RE: Mcshield.exe popup errors
          tonyb99
          what patch level of VSE 8.5 are you installing?

          this was aknown error before patch 2

          https://kc.mcafee.com/corporate/index?page=content&id=KB50778&actp=search&search id=1243331625513
          • 2. RE: Mcshield.exe popup errors
            Thanks, currently running 8.5.0i patch 6.
            • 3. RE: Mcshield.exe popup errors
              tonyb99
              was this error generated between the base install and the update to patch 6?
              • 4. RE: Mcshield.exe popup errors
                I believe so, yes. Here are the events which immediately precede the error followed by the error itself and the event immediately after the error:

                ---------------------------------------------
                Event Type: Information
                Event Source: McLogEvent
                Event Category: None
                Event ID: 5000
                Date: 25-5-2009
                Time: 15:33:39
                User: NT AUTHORITY\SYSTEM
                Computer: C93782
                Description:
                McShield service started.
                Engine version : 5200.2160
                DAT version : 5215.0000

                Number of signatures in EXTRA.DAT : Geen
                Names of threats that EXTRA.DAT can detect : Geen
                ------------------------------------------
                Event Type: Information
                Event Source: MsiInstaller
                Event Category: None
                Event ID: 11707
                Date: 25-5-2009
                Time: 15:33:51
                User: NT AUTHORITY\SYSTEM
                Computer: C93782
                Description:
                Product: McAfee VirusScan Enterprise -- Installation complete.

                For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
                Data:
                0000: 7b 33 35 43 30 33 43 30 {35C03C0
                0008: 34 2d 33 46 31 46 2d 34 4-3F1F-4
                0010: 32 43 32 2d 41 39 38 39 2C2-A989
                0018: 2d 41 37 35 37 45 45 36 -A757EE6
                0020: 39 31 46 36 35 7d 91F65}
                ----------------------------------------------
                Event Type: Error
                Event Source: McLogEvent
                Event Category: None
                Event ID: 5019
                Date: 25-5-2009
                Time: 15:34:00
                User: NT AUTHORITY\SYSTEM
                Computer: C93782
                Description:
                Exception in McShield.Exe!
                Exception details follow :
                VSCORE.13.3.2.125
                Exception Code : 0XC0000005
                Exception Address : 0X65498CBE
                Exception Parameters : 2
                Param 1 = 0X00000008
                Param 2 = 0X65498CBE

                More information :
                Exception in RegWatch thread.
                ---------------------------------------------------
                Event Type: Information
                Event Source: McLogEvent
                Event Category: None
                Event ID: 5000
                Date: 25-5-2009
                Time: 15:34:11
                User: NT AUTHORITY\SYSTEM
                Computer: C93782
                Description:
                McShield service started.
                Engine version : 5200.2160
                DAT version : 5215.0000

                Number of signatures in EXTRA.DAT : Geen
                Names of threats that EXTRA.DAT can detect : Geen
                ----------------------------------------------------------------------------

                Edit: After a few other application notifications, these appear:
                --------------------------------------------------------
                Event Type: Error
                Event Source: McLogEvent
                Event Category: None
                Event ID: 1008
                Date: 25-5-2009
                Time: 15:34:53
                User: N/A
                Computer: C93782
                Description:
                The McShield service terminated unexpectedly.
                Please review event 5019 or 5051 for details. The McShield service will be restarted in 5 seconds;
                ---------------------------------------------------
                Event Type: Information
                Event Source: McLogEvent
                Event Category: None
                Event ID: 5000
                Date: 25-5-2009
                Time: 15:38:42
                User: NT AUTHORITY\SYSTEM
                Computer: C93782
                Description:
                McShield service started.
                Engine version : 5301.4018
                DAT version : 5625.0000

                Number of signatures in EXTRA.DAT : Geen
                Names of threats that EXTRA.DAT can detect : Geen
                -------------------------------------------------
                So after that it does have the new version and seems to run fine. I've never seen a single system give this error more than once either.
                • 5. RE: Mcshield.exe popup errors
                  tonyb99
                  so there you go its just the known errors with the old patch which will show until it updates.

                  job done
                  • 6. RE: Mcshield.exe popup errors
                    Sure, once it updates it's fine, but users will start panicking when they see the error popping up. Perhaps there is a way to tell the agent to get a different client engine package(one that's already up to date)?
                    • 7. Several solutions.
                      rmetzger


                      Yes. Though I think it is the Patch that is the problem, not the engine.

                      1) Download the latest version of v8.5 with Patch already prepackaged. Then install that version.

                      2) If needed, you can customize it with McAfee Installation Designer (MID) to apply your custom defined policies. This can also be used to create an ePO deployable custom package as well. Not sure if you can update a MID package with the 5301 engine though.

                      3) Download the Patch and deploy this via a script of your choosing.

                      Personally, I prefer the MID solution. Use your grant number to download the tool.

                      Hope this is helpful.
                      Ron Metzger
                      • 8. RE: Mcshield.exe popup errors
                        Cheers for the help and replies, I'm confident I can get it sorted now. happy