3 Replies Latest reply on Sep 24, 2009 2:01 PM by rmetzger

    McAfee Validation Trust Protection Service

    sthayden
      I have just really started to notice this service to be a pain in my butt. We use Dameware in our environment, so more often than not, if I need to install AV on a computer, I use the remote command and run a batch file I created to remove the McAfee Agent and VSE. We have VSE 8.5 and 8.7 in our environment and I will rarely see an 8.0 pop up from a computer that has been stowed away for the past year or so. Obviously, I didn't start seeing this service or the mfevtps.exe process until I started our migration to VSE 8.7.

      To show you how I do my installs, here is my batch file I use:
      ______________________________________________________________________
      rem Stage the agent installer on the local disk
      copy {server location}\framepkg.exe c:\

      rem Choose the uninstall path that matches where the agent is installed
      if exist "C:\Program Files\Network Associates\Common Framework\frminst.exe" goto :1

      if exist "C:\Program Files\McAfee\Common Framework\frminst.exe" goto :2


      :1
      rem Agent installed under Network Associates
      "C:\Program Files\Network Associates\Common Framework\frminst.exe" /forceuninstall /s
      msiexec.exe /x {5DF3D1BB-894E-4DCD-8275-159AC9829B43} REMOVE=ALL REBOOT=R /q
      rem IF ... ELSE on one line needs parentheses, otherwise ELSE is never evaluated
      if exist "C:\Program Files\McAfee\Common Framework\frminst.exe" (goto :2) else (goto :3)

      :2
      rem Agent installed under McAfee
      "C:\Program Files\McAfee\Common Framework\frminst.exe" /forceuninstall /s
      msiexec.exe /x {35C03C04-3F1F-42C2-A989-A757EE691F65} REMOVE=ALL REBOOT=R /q
      goto :3


      :3
      rem Remove the remaining product, then the leftover processes and services
      "C:\Program Files\McAfee\Common Framework\frminst.exe" /forceuninstall /s
      MsiExec.exe /x {147BCE03-C0F1-4C9F-8157-6A89B6D2D973} REMOVE=ALL REBOOT=R /q
      taskkill /f /im engineserver.exe
      taskkill /f /im mfevtps.exe
      sc delete McAfeeEngineService
      sc delete mfevtps
      goto :4

      :4
      rem Clean up registry keys and program/data folders
      reg delete "HKLM\Software\Network Associates" /f
      reg delete "HKLM\Software\McAfee" /f
      reg delete "HKU\.DEFAULT\Software\McAfee" /f

      rd /s /q "c:\Program Files\McAfee"

      rd /s /q "c:\Program Files\Network Associates"

      rd /s /q "C:\Documents and Settings\All Users\Application Data\McAfee"

      rd /s /q "c:\Program Files\Common Files\McAfee"

      rd /s /q "C:\Documents and Settings\All Users\Application Data\Network Associates"

      sc delete McTaskManager

      sc delete McShield

      rem Reinstall the agent silently
      c:\Framepkg.exe /install=agent /forceinstall /silent
      _______________________________________________________________________

      I only recently had to add the lines,

      taskkill /f /im engineserver.exe
      taskkill /f /im mfevtps.exe
      sc delete McAfeeEngineService
      sc delete mfevtps

      because it causes the McShield and McTaskManager services to give me an "access is denied" message when I try to delete them.

      The whole reason I do the install this way is so it is unintrusive to the user and to do it without a reboot. The problem is, that killing the mfevtps doesn't work, it immediately restarts itself and it won't let me stop or remove the service or even change it to manual start. In some cases I have tried rebooting and when it comes back up, it is still there, the service is started and the other 2 processes, which are now dead, are still sitting in there showing as stopped but I can't remove them.

      My concern with all of this is I have had issues in the past with the reinstalls of VSE if those processes are not removed before a reinstall. At first, in most cases, it will allow me to reinstall VSE and run just fine, but a few days down the road, those particular machines will stop updating and sometimes running a Super Agent package against them won't even force them to update, and then I am back at square one.

      Has anyone else seen or had an issue with this at all, and does anyone have a clue as to how to kill this thing? Mostly everything I look up on Google refers to this being related to HIPS, with a few references out there to VSE. I am not yet running HIPS in our production environment, so this is related to VSE 8.7 only.
        • 1. Change Access Protection settings before running batch file.
          rmetzger

          I am guessing that you have left the default settings enabled:
          VirusScan Console > Access Protection > Properties:
          1) Checked - Prevent McAfee services from being stopped
          2) Common Standard Protection:
          Block (Checked) Prevent Termination of McAfee processes

          These settings will thwart your efforts (as well as many forms of malware) as designed. You will probably need to change these settings by other means in order for your batch file to work as you expect. (With the VirusScan Console on your PC and the administrator password, you should be able to Remote Console (Tools > Open Remote Console) into the remote PC and make the appropriate changes.)

          Trying to save a reboot: If the services were stopped then the file deletion should be successful. If not, the file will fail to delete and you can test for its existence and take appropriate actions -- Reboot. Then, Re-install VSE.

          Debates over whether to Update VSE (v8.5 to v8.7) or to Remove, then Install New, have been discussed extensively in these forums. Usually, administrators are using ePO for this process, but the problems you are experiencing are common across many methods of install or update.

          I hope this has been helpful. Post back with additional questions.
          Ron Metzger
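
One way to implement the check described in the reply above (test whether removal really succeeded, and reboot before reinstalling if it did not), as an added example that is not part of the original posts. Service names, process names and folders are taken from the batch file in the first post; the exit codes 0 and 1 are this example's own convention.

```batch
@echo off
rem Added example: post-removal check to run before reinstalling VSE.
rem Names and paths come from the batch file in the first post;
rem exit code 1 = reboot needed, 0 = clean (assumed convention).
setlocal
set "NEEDS_REBOOT=0"

rem A service that still answers "sc query" was not deleted.
for %%S in (mfevtps McShield McTaskManager McAfeeEngineService) do (
    sc query "%%S" >nul 2>&1
    if not errorlevel 1 (
        echo [!] Service %%S is still registered.
        set "NEEDS_REBOOT=1"
    )
)

rem A process that is still listed was restarted or never terminated.
for %%P in (mfevtps.exe engineserver.exe) do (
    tasklist /fi "imagename eq %%P" 2>nul | find /i "%%P" >nul
    if not errorlevel 1 (
        echo [!] Process %%P is still running.
        set "NEEDS_REBOOT=1"
    )
)

rem Leftover program folders mean file deletion failed on locked files.
for %%D in ("C:\Program Files\McAfee" "C:\Program Files\Common Files\McAfee") do (
    if exist "%%~D" (
        echo [!] Folder %%~D was not removed.
        set "NEEDS_REBOOT=1"
    )
)

if "%NEEDS_REBOOT%"=="1" (
    echo Removal incomplete: reboot, re-run the cleanup, then reinstall.
    exit /b 1
)
echo Removal complete: safe to run the agent install.
exit /b 0
```

Running this between the cleanup section and the `Framepkg.exe` line lets the script skip the reinstall on machines where remnants survived, which is the condition the first post links to later update failures.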
          • 2. RE: Change Access Protection settings before running batch file.
            sthayden
            I do use EPO for the initial VSE install, I only use this script if the computer is having an issue with VSE.

            I did specifically leave the default settings to not be able to stop or terminate the services. We have too many people that would just shut it off all the time because they want to "increase the performance" of their computer.

            The batch file worked flawlessly prior to the upgrade to 8.7, now I have this one hangup. I will try adding the file deletion line and see if that helps with it, but from what I can tell, the taskkill only works for a second before the process restarts itself and I don't think it would give it enough time to unload the service for the file deletion, but I will let you know what I find.

            Do you know what exactly the purpose of this process is? I don't think it was there before Patch 1, so it must be something to do with what was added there, possibly the heuristics to the On-Access...
            • 3. Change Access Protection settings before running batch file.
              rmetzger

              I do not have internal information on these processes. See Forum discussion and Corporate KnowledgeBase ID: KB60534 for additional information and discussion of this service.

              Note, this discussion started before the release of VSE v8.7i, Patch 1.

              Change the mentioned settings and attempt the batch file again.
              VirusScan Console > Access Protection > Properties:
              1) Checked - Prevent McAfee services from being stopped
              2) Common Standard Protection:
              Block (Checked) Prevent Termination of McAfee processes

              Let us know if this worked.

              Thanks,
              Ron Metzger