4 Replies Latest reply on Jul 27, 2012 3:59 AM by sbenedix

    win2008r2, VSE 8.7.0i, sql 2008 sp3, mfevtps.exe = memory leak


      MFEVTPS.EXE is usually at 4% CPU Utilization and is constantly eating up more memory until eventually the server is virtually non responsive.

      Observed on 14 servers (7 pairs of active/passive) using identical configuration.

      Issue is not observed on 21 other servers that are not running SQL or configured in a cluster


      Here is the setup:

      • Physical Node
      • Windows 2008 R2 Enterprise
      • VSE 8.7.0i
      • SQL 2008 SP3
      • FailOver and Clustering (passive/active configuration)
      • MS KB2641690 installed
      • C:\windows\System32\crypt32.dll version: 6.1.7601.17514 and 6.1.7601.17827


      Following On-Access Scan Exclusions are in place:

      ?:\Program Files (x86)\Microsoft SQL Server\ [+Subfolder Folders]

      ?:\Program Files\Microsoft SQL Server\ [+Subfolder Folders]






      C:\windows\cluster [+SubFolders]

      Q:\ {+SubFolders]


      Cluster Configuration:

      Q:\ = Quorom

      M:\ = MSDTC

      E:\ SQL Data

      L:\ SQL Log



      1. Memory leak observed on servers running both 6.1.7601.17514 and 6.1.7601.17827 of crypt32.dll
      2. If process sqlsrvr.exe is not running then mfevtps.exe does not leak memory
      3. Other servers that are not running SQL Server (Windows 2008 R2 Standard) do not have this memory leak issue
      4. Occurs on both passive and active servers within the cluster
      5. Common denominator is "sqlsrvr.exe" is running, mfevtps.exe continuously leaks memory.


      Other Information:

      Have already consulted the following links:





      http://www.butsch.ch/post/Windows-XP-Sp3-Event-516-mfehdik-SLL-API-memory-Leak-c rypt32dll.aspx



      Will Upgrading to 8.8 SP1 resolve this issue? Is there something else going on here? It's obviously related to SQL...does anyone have any comments/suggestions?

        • 1. Re: win2008r2, VSE 8.7.0i, sql 2008 sp3, mfevtps.exe = memory leak

          Do you have any Patch for 8.7 installed?

          The current version is Patch 8 as far as I remember. Those Patches solved also a lot of issues, maybe also yours.

          Can't say if that happens again in 8.8 SP1 without testing it.     

          • 2. Re: win2008r2, VSE 8.7.0i, sql 2008 sp3, mfevtps.exe = memory leak

            pato, the scan engine version is 5400.1158 and the DAT version is 6776.0000


            Under "Installed Patches" it says 5. Does that mean I'm missing 3? If so where can I download it from and apply it to the clients (I'm fairly new with McAfee ePO and VSE so I apologize if this sounds like a stupid question).


            EDIT: Searching on the net I found this:




            Looks like Patch 8 is for 8.0 and 8.5.

            For 8.7 Patch 5 is the latest patch so it looks like my clients are fully up to date (im definately at HF643440 maybe even later, anyone know how to tell which HF's have been applied and which ones are still needed?)




            Message was edited by: stzintzis on 7/20/12 8:45:59 AM CDT
            • 3. Re: win2008r2, VSE 8.7.0i, sql 2008 sp3, mfevtps.exe = memory leak

              Oh ok, yeah in that case you use the current version.

              There should be an article around on how to discover which hotfix is installed, but I don't remember it.

              I guess I can't help you then, at least it looks like you already use the latest version.

              Might be worth to open a case directly with Mcafee.

              • 4. Re: win2008r2, VSE 8.7.0i, sql 2008 sp3, mfevtps.exe = memory leak

                Hmm, what you describe sounds very much like KB73018, I see though that you have already digged through the KB by the looks of it. Per definition there should be no issue any longer ... unless you discovered something else :-) Patch 5 is the latest Patch for VSE 8.7, Patches are cumulative, no need to install Patch 3 separately.

                To answer your question, yes upgrading to VSE 8.8 P1 is certainly advisable and if you are at it you can also roll out HF735512, which is attached to KB75007. This will bring you the lates set of drivers/files for VSE. I would very much expect the symptoms to disappear after upgrading to VSE 8.8.