2880 Views 4 Replies Latest reply: Feb 7, 2013 4:50 AM by xenon1
mcdave Apprentice 210 posts since
Jul 20, 2004
Feb 6, 2013 4:14 AM

mcshield service hangs in stopped status

We got several clients which have the mcshield service frozen at "stopping" status.

They also got an enormously huge (and still growing) hip8.0.core_.log that is consuming all the disk space up to 100%.

I can't delete it as long as the mcshield is running.

I tried stopping the mcafee process, but neither it nor any of the other mcafee processes can be stopped (access denied),

even if I disable the access protection (in the VirusScan console) and unmark "Prevent McAfee services from being stopped".

How can I fix this WITHOUT REBOOTING?

Here is a fragment of the logfile:

*********************************************

McAfee System Core Installer

Copyright 2005-2011 McAfee Inc.

All Rights Reserved Version SYSCORE.14.4.0.454

*********************************************

Thu Jan 24 11:53:20 2013

 

C:\Program Files\McAfee\Host Intrusion Prevention\vscore\release\mfehidin.exe -i -l C:\WINDOWS\Temp\McAfeeLogs\hip8.0_core_hip_1_24_201311_53_20.log -x hip.xml firecore APDriver AVDriver

[11:53:20:906] - Parsing XML hip.xml

[11:53:20:906] - ***ParseXMLFile()***

[11:53:20:906] - action = pa_validate

[11:53:21:421] - ParseXMLFile: Found node <CoreInstall>

[11:53:21:421] - ParseXMLFile: Found <CoreInstall> element!

[11:53:21:421] - MD5 for document is 133d201b3434d3fc4e7df23d60f13eeb

[11:53:21:421] - ParseXMLFile: Found node <Signature>

[11:53:21:421] - ParseXMLFile: Found <Signature> element!

[11:53:21:421] - parseSignature:

[11:53:21:421] - parseSignedInfo:

[11:53:21:421] - parseReference:

[11:53:21:421] - parseDigestValue:

[11:53:21:437] - parseDigestValue: exit=0

[11:53:21:437] - parseReference: exit=1

[11:53:21:437] - parseSignedInfo: exit=1

[11:53:21:437] - parseSignatureValue:

[11:53:21:484] - parseSignatureValue: exit=1

[11:53:21:484] - parseSignature: exit=1

[11:53:21:484] - parseCoreInstall:

[11:53:21:484] - action = pa_preprocess

[11:53:21:484] - action = pa_preprocess

[11:53:21:484] - parseCoreInstall: exit=1

[11:53:21:484] - parseCoreInstall:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseGeneral:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - SetSystemCoreDest McAfee\SystemCore (x86 0)

[11:53:21:484] - SetSystemCoreDest path already C:\Program Files\Common Files\McAfee\SystemCore\

[11:53:21:484] - parseGeneral: CorePath retval 1

[11:53:21:484] - SetSystemCoreDest McAfee\SystemCore (x86 1)

[11:53:21:484] - SetSystemCoreDest path already C:\Program Files\Common Files\McAfee\SystemCore\

[11:53:21:484] - parseGeneral: CorePath_X86 retval 1

[11:53:21:484] - parseBase:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfehidk.sys

[11:53:21:484] - GetMD5ForFile mfehidk.sys

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfevtps.exe

[11:53:21:484] - GetMD5ForFile mfevtps.exe

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfehidk_messages.dll

[11:53:21:484] - GetMD5ForFile mfehidk_messages.dll

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfetdi2k.sys

[11:53:21:484] - GetMD5ForFile mfetdi2k.sys

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfewfpk.sys

[11:53:21:484] - GetMD5ForFile mfewfpk.sys

[11:53:21:484] - parseBase: exit=1

[11:53:21:484] - parseFeature:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseFeature: Feature=firecore

[11:53:21:484] - parseFeature: Feature firecore enabled

[11:53:21:484] - parseDriver:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseDriver: Will merge boot start value

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - GetDriverService mfefirek.sys

[11:53:21:484] - GetMD5ForFile mfefirek.sys

[11:53:21:484] - parseDriver: exit=1

[11:53:21:484] - parseDriver:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - GetDriverService mfendisk.sys

[11:53:21:484] - GetMD5ForFile mfendisk.sys

[11:53:21:484] - parseDriver: exit=1

[11:53:21:484] - parseDriver:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseDriver: Skipping driver with winver attr 6000- on OS 5220

[11:53:21:484] - parseDriver:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseDriver: Will merge boot start value

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - GetDriverService mfeavfk.sys

[11:53:21:484] - GetMD5ForFile mfeavfk.sys

[11:53:21:484] - parseDriver: exit=1

[11:53:21:484] - parseCore:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfehida.dll

[11:53:21:484] - GetMD5ForFile mfehida.dll

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfevtpa.dll

[11:53:21:484] - GetMD5ForFile mfevtpa.dll

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfefwctl.dll

[11:53:21:484] - GetMD5ForFile mfefwctl.dll

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - Searching for Macros in .\tools.

[11:53:21:484] - Expanded .\tools to: .\tools

[11:53:21:484] - ParseFileName: filename=.\tools\fwinfo.exe

[11:53:21:484] - GetMD5ForFile .\tools\fwinfo.exe

[11:53:21:484] - parseDirectory:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseDirectory: Skipping x64 file on x86

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfeavfa.dll

[11:53:21:484] - GetMD5ForFile mfeavfa.dll

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfehida.dll

[11:53:21:484] - GetMD5ForFile mfehida.dll

[11:53:21:484] - parseDirectory:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseDirectory: Skipping x64 file on x86

[11:53:21:484] - parseCore: exit=1

[11:53:21:484] - parseService:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - Searching for Macros in $COREPATH.

[11:53:21:484] - MACRO found: COREPATH

[11:53:21:484] - Expanded $COREPATH to: C:\Program Files\Common Files\McAfee\SystemCore\

[11:53:21:484] - GetMD5ForFile mfefire.exe

[11:53:21:484] - parseService: exit=1[11:53:21:484] - parseFeature: exit=1

[11:53:21:484] - parseFeature:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseFeature: Feature=firecore

[11:53:21:484] - parseFeature: Feature firecore enabled

[11:53:21:484] - parseFeature: exit=1

[11:53:21:484] - parseFeature:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseFeature: Feature=APDriver

[11:53:21:484] - parseFeature: Feature APDriver enabled

[11:53:21:484] - parseDriver:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - GetDriverService mfeapfk.sys

[11:53:21:484] - GetMD5ForFile mfeapfk.sys

[11:53:21:484] - parseDriver: exit=1

[11:53:21:484] - parseCore:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - ParseFileName:

[11:53:21:484] - action = pa_validate

[11:53:21:484] - <Filename> has attribute source

[11:53:21:484] - ParseFileName: filename=mfeapfa.dll

[11:53:21:484] - GetMD5ForFile mfeapfa.dll

[11:53:21:484] - parseCore: exit=1

[11:53:21:484] - parseFeature: exit=1

[11:53:21:484] - action = pa_validate

[11:53:21:484] - parseCoreInstall: exit=1

[11:53:21:484] - action = pa_validate

[11:53:21:484] - ParseXMLFile: exit=1

[11:53:21:484] - ***ParseXMLFile()***

[11:53:21:484] - action = pa_stopservices

[11:53:21:484] - ParseXMLFile: Found node <CoreInstall>

[11:53:21:484] - ParseXMLFile: Found <CoreInstall> element!

[11:53:21:500] - MD5 for document is 133d201b3434d3fc4e7df23d60f13eeb

[11:53:21:500] - ParseXMLFile: Found node <Signature>

[11:53:21:500] - ParseXMLFile: Found <Signature> element!

[11:53:21:500] - parseSignature:

[11:53:21:500] - parseSignedInfo:

[11:53:21:500] - parseReference:

[11:53:21:500] - parseDigestValue:

[11:53:21:500] - parseDigestValue: exit=0

[11:53:21:500] - parseReference: exit=1

[11:53:21:500] - parseSignedInfo: exit=1

[11:53:21:500] - parseSignatureValue:

[11:53:21:500] - parseSignatureValue: exit=1

[11:53:21:500] - parseSignature: exit=1

[11:53:21:500] - parseCoreInstall:

[11:53:21:500] - action = pa_preprocess

[11:53:21:500] - action = pa_preprocess

[11:53:21:500] - parseCoreInstall: exit=1

[11:53:21:500] - parseCoreInstall:

[11:53:21:500] - action = pa_stopservices

[11:53:21:500] - parseFeature:

[11:53:21:500] - action = pa_stopservices

[11:53:21:500] - parseFeature: Feature=firecore

[11:53:21:500] - parseFeature: Feature firecore enabled

[11:53:21:500] - parseService:

[11:53:21:500] - action = pa_stopservices

[11:53:21:500] - <Filename> has attribute source

[11:53:21:500] - Searching for Macros in $COREPATH.

[11:53:21:500] - MACRO found: COREPATH

[11:53:21:500] - Expanded $COREPATH to: C:\Program Files\Common Files\McAfee\SystemCore\

[11:53:21:500] - GetServiceReferenceCount: service mfefire has a 0 references

[11:53:21:500] - parseService: exit=1[11:53:21:500] - parseFeature: exit=1

[11:53:21:500] - parseFeature:

[11:53:21:500] - action = pa_stopservices

[11:53:21:500] - parseFeature: Feature=firecore

[11:53:21:500] - parseFeature: Feature firecore enabled

[11:53:21:500] - parseFeature: exit=1

[11:53:21:500] - parseFeature:

[11:53:21:500] - action = pa_stopservices

[11:53:21:500] - parseFeature: Feature=APDriver

[11:53:21:500] - parseFeature: Feature APDriver enabled

[11:53:21:500] - parseFeature: exit=1

[11:53:21:500] - action = pa_stopservices

[11:53:21:500] - parseCoreInstall: exit=1

[11:53:21:500] - action = pa_stopservices

[11:53:21:500] - ParseXMLFile: exit=1

[11:53:21:500] - ***ParseXMLFile()***

[11:53:21:500] - action = pa_install

[11:53:21:500] - ParseXMLFile: Found node <CoreInstall>

[11:53:21:500] - ParseXMLFile: Found <CoreInstall> element!

[11:53:21:500] - MD5 for document is 133d201b3434d3fc4e7df23d60f13eeb

[11:53:21:500] - ParseXMLFile: Found node <Signature>

[11:53:21:500] - ParseXMLFile: Found <Signature> element!

[11:53:21:500] - parseSignature:

[11:53:21:500] - parseSignedInfo:

[11:53:21:500] - parseReference:

[11:53:21:500] - parseDigestValue:

[11:53:21:500] - parseDigestValue: exit=0

[11:53:21:500] - parseReference: exit=1

[11:53:21:500] - parseSignedInfo: exit=1

[11:53:21:500] - parseSignatureValue:

[11:53:21:500] - parseSignatureValue: exit=1

[11:53:21:500] - parseSignature: exit=1

[11:53:21:500] - parseCoreInstall:

[11:53:21:500] - action = pa_preprocess

[11:53:21:500] - action = pa_preprocess

[11:53:21:500] - parseCoreInstall: exit=1

[11:53:21:500] - parseCoreInstall:

[11:53:21:500] - action = pa_upgrade

[11:53:21:500] - UpgradeBase here

[11:53:21:500] - GetDriverDest mfetdik.sys

[11:53:21:500] - CheckForTdiVersionSwitch: Legacy tdi driver not present

[11:53:21:515] - GetServiceReferenceCount: service mfevtp has a 3 references

[11:53:21:515] - UpgradeBase using existing install path for VTP service C:\WINDOWS\system32\mfevtps.exe

[11:53:21:546] - GetDriverService mfetdi2k.sys

[11:53:21:546] - GetServiceReferenceCount: service mfetdi2k has a 3 references

[11:53:21:546] - GetDriverDest mfetdi2k.sys

[11:53:21:562] - Skipping copy to C:\WINDOWS\system32\drivers\mfetdi2k.sys since existing file is newer.

[11:53:21:562] - GetDriverService mfehidk.sys

[11:53:21:562] - GetDriverDest mfehidk.sys

[11:53:21:640] - GetServiceReferenceCount: service mfehidk has a 3 references

[11:53:21:656] - GetFileReferenceCount: C:\Program Files\Common Files\McAfee\SystemCore\mfehidk_messages.dll, check_for_dirty_references=0

[11:53:21:656] - FileReferenceCount: C:\Program Files\Common Files\McAfee\SystemCore\mfehidk_messages.dll=3

[11:53:21:656] - InstallFile mfehidk_messages.dll C:\Program Files\Common Files\McAfee\SystemCore\mfehidk_messages.dll

[11:53:21:671] - Skipping copy to C:\Program Files\Common Files\McAfee\SystemCore\mfehidk_messages.dll since existing file is newer.

[11:53:21:671] - StartService: mfevtp

[11:53:21:671] - Lockdown: Setting DACL for service mfevtp

[11:53:21:703] - Lockdown: Using 'normal' DACL

[11:53:21:703] - Lockdown: Setting ALLOW permissions for service DACL

[11:53:21:734] - LockDown: DACL successfully set

[11:53:21:734] - mfevtp service reports RUNNING

[11:53:21:734] - Attempting to start dependent services

[11:53:21:734] - MfeEnumDependentServices:

[11:53:21:781] - MfeEnumDependentServices: McShield depends on mfevtp

[11:53:22:109] - MfeEnumDependentServices: Found 1 dependent services on mfevtp

[11:53:22:109] - StartService: found 1 dependent services

[11:53:22:109] - Attempting to start dependent service McShield

[11:53:22:109] - StartService: McShield

[11:53:22:109] - Lockdown: Setting DACL for service McShield

[11:53:22:125] - Lockdown: Using 'normal' DACL

[11:53:22:125] - Lockdown: Setting ALLOW permissions for service DACL

[11:53:22:187] - LockDown: DACL successfully set

[11:53:22:187] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

[11:53:22:296] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

[11:53:22:406] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

[11:53:22:515] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

[11:53:22:625] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

[11:53:22:734] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

[11:53:22:843] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

[11:53:22:953] - waiting on McShield service to report RUNNING or STOPPED (current state 3)

etc....

 

Help is appreciated

 

regards

Dave
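
The repeated wait lines at the end of the log fragment above can be collapsed and measured with a short parser. This is an added example, not part of the original post or of any McAfee tooling; it assumes the logged state number is the Win32 `dwCurrentState` value (where 3 is `SERVICE_STOP_PENDING`), and the function name and record fields are chosen here for illustration.

```python
import re

# Win32 SERVICE_STATUS.dwCurrentState values (assumed to be what the log prints)
SERVICE_STATES = {1: "STOPPED", 2: "START_PENDING", 3: "STOP_PENDING",
                  4: "RUNNING", 5: "CONTINUE_PENDING", 6: "PAUSE_PENDING",
                  7: "PAUSED"}

WAIT_RE = re.compile(
    r"\[(\d+):(\d+):(\d+):(\d+)\] - waiting on (\S+) service to report "
    r"RUNNING or STOPPED \(current state (\d+)\)")

# Constructed sample: a few lines copied from the fragment in the post.
SAMPLE = """\
[11:53:22:187] - LockDown: DACL successfully set
[11:53:22:187] - waiting on McShield service to report RUNNING or STOPPED (current state 3)
[11:53:22:296] - waiting on McShield service to report RUNNING or STOPPED (current state 3)
[11:53:22:406] - waiting on McShield service to report RUNNING or STOPPED (current state 3)
[11:53:22:515] - waiting on McShield service to report RUNNING or STOPPED (current state 3)
[11:53:22:625] - waiting on McShield service to report RUNNING or STOPPED (current state 3)
""".splitlines()

def summarize_wait_loops(lines):
    """Collapse each run of consecutive wait lines into one summary record."""
    runs, cur = [], None
    for raw in lines:
        line = raw.strip()
        if not line:                 # blank separator lines do not end a run
            continue
        m = WAIT_RE.match(line)
        if not m:
            cur = None               # any other log entry ends the run
            continue
        h, mi, s, ms, svc, state = m.groups()
        t = ((int(h) * 60 + int(mi)) * 60 + int(s)) * 1000 + int(ms)
        if cur is None or (cur["service"], cur["state_code"]) != (svc, int(state)):
            cur = {"service": svc, "state_code": int(state),
                   "state": SERVICE_STATES.get(int(state), "UNKNOWN"),
                   "count": 0, "first_ms": t, "last_ms": t}
            runs.append(cur)
        cur["count"] += 1
        cur["last_ms"] = t
    for r in runs:                   # average polling interval within each run
        span = r["last_ms"] - r["first_ms"]
        r["interval_ms"] = span / (r["count"] - 1) if r["count"] > 1 else None
    return runs
```

On the sample this yields a single run for McShield in `STOP_PENDING`, polled roughly every 110 ms, which is the rate at which the installer log gains a line while the service stays in that state.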

  • alexn Veteran 722 posts since
    Aug 9, 2012
    1. Feb 6, 2013 1:39 PM (in response to mcdave)
    Re: mcshield service hangs in stopped status

    In my opinion, run McAfee Profiler and catch all processes which are taking too many resources, or what is causing mcshield to freeze up your systems; once found, put these processes in the Low and High risk exclusions.

    Use PsTools to stop mcshield and other services, and restart them if you want.


    Post Timings: 6.00 AM to 3.00PM PDT
  • xenon1 Newcomer 25 posts since
    Nov 9, 2009
    2. Feb 6, 2013 2:30 PM (in response to alexn)
    Re: mcshield service hangs in stopped status

    In an Enterprise Environment you can turn off the Access-Protection Rule of the VirusScan by Policy. After that you will be able to stop the process.

    Use ProcExp.exe (Sysinternals) to narrow down the problem. Watch the Threads and Handles - CPU Load?

    I have never seen the log above, but I am not so deep into the product HIPS. Sorry.

  • xenon1 Newcomer 25 posts since
    Nov 9, 2009
    4. Feb 7, 2013 4:50 AM (in response to mcdave)
    Re: mcshield service hangs in stopped status

    Some help hints:

     

    - the amount of private bytes on your mcshield is too high. On my system with VSE8.8-Patch2 it's only 90MB

    - perhaps it remains in a DAT-Update process.... look into the "McScript.log"

     

    McProfiler  - search for the newest Version.
