just a notion: the .RAR format could be unsupported (= verynew) for Virusscan to handle, or it could be damaged/manipulated so unrar process fails. This further results in memory corruption so only hard reset resolves the lockup.
I wonder if these files are generated by an application or sent by someone else.. is there a chance to change the format to .ZIP instead?
Otherwise I only see a quick resolution in excluding .RAR from scanning altogether (in Default policy, since the same thing can happen if you just exclude it in Low/High Risk policy per process).
It is very big file-server with millions files. RAR archives appearing and deleting every day by hundred users, there is no chance convert it to ZIP.
As workaround Im already mark RAR as excepted file extansion in On-access protection.
I can't understand why it crush mcafee process which crush whole server?
As I can see Exception Address always same, may be its bug.
I suggest working with Support on this issue.
The 5019 event is a crash. McShield shouldn't crash - that tells you something bad is happening.
If you're getting 5051 events as well, then that gives context for the crash - that it's in response to timeout conditions being met. McShield should timeout, but when it does you want to make sure you understand why...
If this is not from timeouts, you must engage Support.
No 5051 event. In event log only 5019 and
Application Error ID 1000:
Faulting application name: mcshield.exe, version: 18.104.22.1686, time stamp: 0x505ba28b
Faulting module name: mscan64a.dll, version: 5.400.0.1158, time stamp: 0x4a70618b
Exception code: 0xc0000005
Fault offset: 0x0000000000285255
Faulting process id: 0x19ac
Faulting application start time: 0x01ce3b41ccff17b3
Faulting application path: C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
Faulting module path: C:\Program Files (x86)\Common Files\McAfee\Engine\x64\mscan64a.dll
Report Id: 4ada3251-a7e3-11e2-b360-0017a4770092
Is support must be purchased for engage?