4 Replies Latest reply: Apr 18, 2013 10:59 PM by charmag

    Exception in McShield.Exe kill file server

    charmag

      Since 11 April 2013, McLogEvent 5019 has started to appear in the event log (Windows Server 2008 R2). After this event occurs, the file server stays inaccessible. When I try to reboot, the server hangs on the shutdown window and only a hard reset has any effect.

       

      McLogEvent 5019:

      Exception in McShield.Exe!

      Exception details follow :

      VSCORE.14.3.0.464

      Exception Code       : 0X00000000C0000005

      Exception Address    : 0X0000000012285255

      Exception Parameters : 2

      Param 1 = 0000000000000000

      Param 2 = 0X000000001C2B00A8

       

      More information :

      ScanRequest : NTName is \Device\HarddiskVolumeShadowCopy240\....Path to file ......\O2_zuev.rar.

       

      We had version 8.8.0.777. Now I have updated VSE to 8.8.0.975. The behaviour is still the same:

       

      Exception in McShield.Exe!

      Exception details follow :

      VSCORE.15.0.0.476

      Exception Code       : 0X00000000C0000005

      Exception Address    : 0X0000000012285255

      Exception Parameters : 2

      Param 1 = 0000000000000000

      Param 2 = 0X00000000117700A8

       

      More information :

      ScanRequest : NTName is \Device\HarddiskVolume7\....Path to file ......\amol2013.rar.

       

      The error always occurs on RAR archives.

      How can this be fixed?


        • 1. Re: Exception in McShield.Exe kill file server
          Attila Polinger

          Hi,

           

          just a notion: the .RAR format could be unsupported (= very new) for VirusScan to handle, or it could be damaged/manipulated so the unrar process fails. This further results in memory corruption, so only a hard reset resolves the lockup.

          I wonder if these files are generated by an application or sent by someone else. Is there a chance to change the format to .ZIP instead?

           

          Otherwise I only see a quick resolution in excluding .RAR from scanning altogether (in Default policy, since the same thing can happen if you just exclude it in Low/High Risk policy per process).

           

          Attila

          • 2. Re: Exception in McShield.Exe kill file server
            charmag

            It is a very big file server with millions of files. RAR archives appear and are deleted every day by a hundred users; there is no chance to convert them to ZIP.

             

            As a workaround I have already marked RAR as an excluded file extension in on-access protection.

            I can't understand why it crashes the McAfee process, which crashes the whole server.

            As far as I can see, the Exception Address is always the same; maybe it's a bug.

            • 3. Re: Exception in McShield.Exe kill file server
              wwarren

              I suggest working with Support on this issue.

               

              The 5019 event is a crash. McShield shouldn't crash - that tells you something bad is happening.

              If you're getting 5051 events as well, then that gives context for the crash - that it's in response to timeout conditions being met. McShield should time out, but when it does you want to make sure you understand why...

               

              If this is not from timeouts, you must engage Support.

              • 4. Re: Exception in McShield.Exe kill file server
                charmag

                No 5051 events. In the event log there are only 5019 and

                Application Error ID 1000:

                Faulting application name: mcshield.exe, version: 15.0.0.476, time stamp: 0x505ba28b

                Faulting module name: mscan64a.dll, version: 5.400.0.1158, time stamp: 0x4a70618b

                Exception code: 0xc0000005

                Fault offset: 0x0000000000285255

                Faulting process id: 0x19ac

                Faulting application start time: 0x01ce3b41ccff17b3

                Faulting application path: C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe

                Faulting module path: C:\Program Files (x86)\Common Files\McAfee\Engine\x64\mscan64a.dll

                Report Id: 4ada3251-a7e3-11e2-b360-0017a4770092

                 

                Must support be purchased in order to engage it?
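
Added example, not part of any post in this thread: a Python triage helper that parses the two 5019 message bodies posted above, decodes the access-violation parameters (for 0xC0000005, parameter 1 is the access type and parameter 2 the address touched), and subtracts the "Fault offset" from the Application Error record to get the implied module base. The function and variable names are assumptions of this example; the event text is a trimmed copy of what was posted, with paths elided as in the thread.

```python
import re
from collections import Counter

# Trimmed copies of the 5019 message bodies posted in this thread.
EVENTS_5019 = [
r"""Exception in McShield.Exe!
VSCORE.14.3.0.464
Exception Code       : 0X00000000C0000005
Exception Address    : 0X0000000012285255
Param 1 = 0000000000000000
Param 2 = 0X000000001C2B00A8
ScanRequest : NTName is \Device\HarddiskVolumeShadowCopy240\....Path to file ......\O2_zuev.rar.""",
r"""Exception in McShield.Exe!
VSCORE.15.0.0.476
Exception Code       : 0X00000000C0000005
Exception Address    : 0X0000000012285255
Param 1 = 0000000000000000
Param 2 = 0X00000000117700A8
ScanRequest : NTName is \Device\HarddiskVolume7\....Path to file ......\amol2013.rar.""",
]
FAULT_OFFSET = 0x285255  # "Fault offset" in the Application Error ID 1000 record

# Access type codes carried in parameter 1 of an access violation.
ACCESS = {0: "read", 1: "write", 8: "execute"}

def _hex(label, text):
    """Return the hex value that follows 'label :' or 'label =', or None."""
    m = re.search(label + r"\s*[:=]\s*(?:0X)?([0-9A-F]+)", text, re.I)
    return int(m.group(1), 16) if m else None

def parse_5019(text):
    """Extract triage fields from one McLogEvent 5019 message body."""
    name = re.search(r"NTName is (.+)", text)
    path = name.group(1).rstrip(". ") if name else ""
    return {
        "vscore": (re.search(r"VSCORE\.([\d.]+)", text) or [None, None])[1],
        "code": _hex("Exception Code", text),
        "address": _hex("Exception Address", text),
        "access": ACCESS.get(_hex("Param 1", text), "unknown"),
        "target": _hex("Param 2", text),
        "ext": path.rsplit(".", 1)[-1].lower() if "." in path else "",
    }

def summarize(bodies, fault_offset=FAULT_OFFSET):
    """Group crashes by faulting address and by scanned-file extension."""
    rows = [r for r in map(parse_5019, bodies) if r["address"] is not None]
    return {"by_address": Counter(r["address"] for r in rows),
            "by_ext": Counter(r["ext"] for r in rows),
            # Address minus module-relative offset = implied module load base.
            "implied_bases": {r["address"] - fault_offset for r in rows}}
```

On the posted data both crashes are read violations at the same instruction address on .rar files, and both addresses reduce to a single implied base of 0x12000000, which is consistent with the fault sitting at one fixed offset inside mscan64a.dll across both VSCORE versions.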