7 Replies Latest reply: Feb 28, 2013 10:31 AM by kink80 RSS

    McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.

    kink80

      I am trying to apply patch 5 for VSE 8.7i to one of my Windows 2003 servers that was running VSE 8.7i Patch 3. When I tried to do an "Update Now" on the server, after checking in Patch 5 into the Current Branch of the ePO Master Repository, it looked like it was going to install successfully however  I had the following in my Application Event log:

       

      Event Type: Error
      Event Source: McLogEvent
      Event Category: None
      Event ID: 5004
      Date:  2/7/2013
      Time:  8:32:48 AM
      User:  NT AUTHORITY\SYSTEM
      Computer: XXXXXXXXX
      Description:
      Could not contact Filter Driver.
      Error = 0x7f : The specified procedure could not be found.

       

      When I looked in the McAfee Agent log I see this:

       

      2013-02-07 08:33:05 I #4600 Manage New plugin <VSEMAS870000> found

      2013-02-07 08:33:05 I #4600 Sched >>--CSchedule::RegisterProduct

      2013-02-07 08:33:06 I #6084 Sched >>--CSchedule::ModifyTask

      2013-02-07 08:33:08 I #5592 Sched Plugin DLL for VSEMAS870000 has been registered

      2013-02-07 08:33:08 W #5592 Sched Plugin checking: error  -1011, SoftwareID = VIRUSCAN8700

       

      2013-02-07 08:50:44 I #3300 Manage Enforcing policies

      2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for VIRUSCAN8700

      2013-02-07 08:50:45 I #3300 Manage CManage::EnforcePolicies() - Failed - "VIRUSCAN8700" (error = -1000).

      2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for EPOAGENT3000META

      2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for EPOAGENT3000

      2013-02-07 08:50:45 i #3300 Manage Enforcing Policies for McAfee Agent

       

      I then removed VSE from this server via Add and Remove Programs and I received no errors and it appeared like it was successfully removed. As I could not find anything in C:\Program Files\McAfee\VirusScan Enterprise. I then re-installed VSE 8.7.0.570 with an ePO Product deployment task. Which again seemed to succeed. It then ran the DAT update successfully then ran the HotFix Update and I saw;

       

      2013-02-07 10:23:05 I #5804 UpdEvents Generating update event:EventId=2401:Severity=4:ProductId=VIRUSCAN8700:Locale=0000:UpdateType=Hot Fix:UpdateError=0:NewVersion=5:DateTime=

      2013-02-07 10:23:10 I #5804 UpdEvents Generating update event:EventId=2401:Severity=4:ProductId=VIRUSCAN8700:Locale=0000:UpdateType=Ext raDAT:UpdateError=0:NewVersion=2012.1128.1826.10:DateTime=

       

      A little further down in the McAfee Agent log i spotted this again:

       

      2013-02-07 10:25:39 i #3300 Manage Enforcing Policies for VIRUSCAN8700

      2013-02-07 10:25:40 I #1208 Sched >>--CSchedule::ModifyTask

      2013-02-07 10:25:40 E #1208 Sched <<--CSchedule::ModifyTask hr=0x80000017 : Task is being modified

      2013-02-07 10:25:40 I #5660 Sched >>--CSchedule::DeleteTask

      2013-02-07 10:25:40 E #5660 Sched <<--CSchedule::DeleteTask hr=0x80000017 : Task is being modified

      2013-02-07 10:25:40 I #472 Sched >>--CSchedule::GetTask

      2013-02-07 10:25:40 I #3300 Manage CManage::EnforcePolicies() - Failed - "VIRUSCAN8700" (error = -1000).

      2013-02-07 10:25:40 i #3300 Manage Enforcing Policies for EPOAGENT3000META

      2013-02-07 10:25:40 i #3300 Manage Enforcing Policies for EPOAGENT3000

       

      And this in the Application Event log:

       

      Event Type: Error
      Event Source: McLogEvent
      Event Category: None
      Event ID: 5004
      Date:  2/7/2013
      Time:  10:27:55 AM
      User:  NT AUTHORITY\SYSTEM
      Computer: XXXXXXXX
      Description:
      Could not contact Filter Driver.
      Error = 0x7f : The specified procedure could not be found.

       

       

      So I am back at square one has anyone seen this before? Any ideas as to how to solve this?  Thanks in advance.

        • 1. Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.
          kink80

          All of the drivers listed below are present in C:\WINDOWS\system32\drivers

          • mfeavfk.sys,
          • mfeapfk.sys
          • mfebopk.sys
          • mfehidk.sys
          • mfetdik.sys

           

          If I look in the Device Manager and Show Hidden Devices  I have three McAfee Inc. Devices that show a Yellow Exclamation along with several ones that do not have the yellow exclamation. But it seems there are multiple mfeavk drivers each with a unique number after mfeavk (i.e. mfeavk23, mfeavk30).

          • 2. Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.
            alexn

            Reason could be 

             

            Path to mfeapfk, mfeavfk, and mfebopk which live under HKLM\SYSTEM\CurrentControlSet\Services\, with the full path to the driver - e.g.c:\windows\system32\drivers\mfeapfk.sys. Registry Patyh is not updated and your drivers are in Drivers folder but cant connect with Mcshield.

             

             

            Please follow these steps to resolve this.

             

            Solution 1

            Verify that the following filter driver files are present in C:\Windows\System32\Drivers

             

            • mfeavfk.sys
            • mfeapfk.sys
            • mfebopk.sys
            • mfehidk.sys
            • mfetdik.sys
            If the filter driver files are not present, then uninstall and reinstall them:

             

            1. Click Start, Run, type cmd, and then click OK.
            2. From the command prompt, navigate to: C:\Program Files\McAfee\VirusScan Enterprise.
            3. To uninstall the driver, type the following and press ENTER:

              mfehidin -u mfeavfk.sys mfeapfk.sys mfebopk.sys mfehidk.sys mfetdik.sys

            4. To reinstall the driver, type the following and press ENTER:

              mfehidin.exe -i mfeavfk.sys mfeapfk.sys mfebopk.sys mfehidk.sys mfetdik.sys
            If the filter driver files are present, ensure they are enabled in Device Manager:

             

            1. From the desktop, right-click My Computer and select Properties.
            2. Click the Hardware tab.
            3. Click Device Manager.
            4. Select View, Show Hidden devices.
            5. Expand Non-Plug and Play Drivers.
            6. For every McAfee Inc. entry, right-click the entry, select Properties, and from the drop-down menu, select Enable.
            7. When prompted Do you want to restart your computer now? click No.
            8. When all McAfee Inc. entries have been processed, close the Device Manager and restart your computer.

            Solution 2

            If the filter driver files are present and enabled, but the error (Event id : 5004) is still generated, uninstall and reinstall VSE.

             

            If this does not resolve the issue, it is likely that a third-party product is present that is not compatible with VSE. Upgrade to the latest version of VSE and apply the latest patch.

             

            If you dont see any luck after doing this, then go for latest VSE 8.8 P2.

            • 3. Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.
              kink80

              Thank for the reply. I did see this KB and did alter the registry to point to the full path to the drivers (i.e. C:\Windows\system32\drivers). This did not resolve my issue. I have removed VSE 8.7 once again and all of the drivers are gone from the Drivers directory. I still see numerous McAfee Inc. devices in the Device Manager 3 of which have the yellow exclamation. I think I will try a reboot and then try to re-install VSE 8.7 again. If that does not work I will put  a call into McAfee support.

              • 4. Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.
                alexn

                Also Make sure that you dont have 3rd party AV programe on your server, and also update to to the current version of VSE 8.8 patch 2.

                After reboot recheck your Device Manager for any Mcafee inc exclamation mark.

                • 5. Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.
                  kink80

                  There is no 3rd party AV on this server. It has been running McAfee VSE 8.7i Patch 3 for a long time. This issue manifested when I tried to patch the system to VSE 8.7i Patch 5. Yes I was planning on checking the Device Manager after the restart. Thanks.

                  • 6. Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.
                    David.G

                    Any luck resolving this as I have the exact same issue. Followed the same trouble shooting process and got the the final same point of everything looking good except for those 3 !!! on the hidden drivers.

                     

                    Any help would be much appreciated. SR taking for ever to progress....

                     

                    Thanks!

                    • 7. Re: McLogEvent 5004 Could not contact Filter Driver. The specified procedure could not be found.
                      kink80

                      I ended up just installing VSE 8.8 P2 on the server and everything was good again. We were planning on upgrading this serve at some point to 8.8 so that was the logical choice for me.