6 Replies Latest reply on Jun 29, 2016 7:10 AM by bandit61

    Folderrights missing for user/group macmnsvc

    bandit61

      Hi,

       

      After upgrading more than 300 systems from agent 5.0.2.132 to 5.0.2.188, we found some servers not taking the right policy or disable access protection or access scan. After further investigation we found that McAfee is adding a user to the following directories:

       

      C:\ProgramData\McAfee\Agent\logs

      C:\ProgramData\McAfee\Agent\msgbus

      C:\ProgramData\McAfee\Agent\DB


      with full access rights. The systems failing this update either have this user/right on the folder or not. Interestingly, you can't add a file or directory even if you are local admin, which you can when the update was successful. With missing rights on that level, it is impossible to uninstall or install the agent (it doesn't matter which version, nor with /forceuninstall on cmd level). Weird is that you can't find this user/group locally or in Active Directory.

       

      Attached you find a printscreen of a W10 PC, a W7 PC and logs, which prove the missing rights on the mentioned folder level. We had to restore several servers to get things running again, but I would like to know what McAfee is doing in the background.

        • 1. Re: Folderrights missing for user/group macmnsvc
          bandit61

          Found the reason for the failing systems:

          -) using the connect to computer-button in the taskbar of the virusscan console, for a short time a window appears, saying waiting to start mcafee framework

          -) after that, access protection, on-delivery email scanner and on-access scanner are disabled on the remote system and the uninstall of the agent will fail.

          -) looking into the UpdaterUI_Sxx.log of these systems, you'll find the following lines at the end; date and time may be different:

           

          2016-02-08 13:48:10    I    #4944    msgbus    Ok, i/o thread terminated, now continuing...

          2016-02-08 13:48:10    I    #4944    msgbus    Subscriber released

          2016-02-08 13:48:10    I    #4944    msgbus    Subscriber Destroys

          2016-02-08 13:48:10    I    #4944    msgbus    Message bus release...

          2016-02-08 13:48:10    I    #4944    msgbus    message bus destroying

          2016-02-08 13:48:10    I    #4944    msgbus    local broker Releases

          2016-02-08 13:48:10    I    #4944    msgbus    Name pipe server destroys

          2016-02-08 13:48:10    I    #4944    msgbus    local broker destroyed

          2016-02-08 13:48:10    I    #4944    msgbus    named pipe connection manager destroying...

          2016-02-08 13:48:10    I    #4944    msgbus    named pipe connection manager cleared

          2016-02-08 13:48:10    I    #4944    loop_worker    Loop worker destroys

           

          Has someone seen such a behavior before or knows how to fix the "loop worker"?

          • 2. Re: Folderrights missing for user/group macmnsvc
            bandit61

            Have logged with support, service request number: 4-13898141461.

            • 3. Re: Folderrights missing for user/group macmnsvc
              Corsar

              Did you get an answer to your SR?

               

              FF

              corsar

              • 4. Re: Folderrights missing for user/group macmnsvc
                cdobol

                Did you get an answer to this?  We have seen the same thing on a server or two here.

                • 5. Re: Folderrights missing for user/group macmnsvc
                  tkinkead

                  Honestly, try Agent 5.0.3.316.  It's resolved several odd, one-off issues on our side.

                  • 6. Re: Folderrights missing for user/group macmnsvc
                    bandit61

                    Yes, try this one:

                    shutdown /r /o  selected safeboot with networking

                     

                    removed all mf*... - entries under HKLM\System\CurrentControlSet\Control\SafeBoot\Network

                     

                    remove all mf*... - entries under C:\Windows\system32\drivers

                     

                    shutdown /r /o  selected safeboot with networking

                     

                    removed all mcafee directories

                     

                    if not possible, reboot in safe mode again; this time it should work

                     

                    removed all mf.. entries under HKLM\System\CurrentControlSet\Services

                     

                    removed all mf.. entries under HKLM\System\CurrentControlSet002\Services

                     

                    checked all mf.. entries under HKLM\System\CurrentControlSet001\Services

                     

                    removed all Mcafee and Network Associates under HKLM\Software and under HKLM\Software\WoW6432Node

                     

                    reboot and install agent and VSE again
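
Added example, not part of the thread and not McAfee's own tooling: a read-only PowerShell report of the ACLs on the three agent folders named in the first post, showing for each entry whether it grants full control and whether its identity resolves to an account on the host or domain. The folder paths are taken from the first post; the function names Test-IdentityResolves and Get-AgentFolderAclReport are hypothetical.

```powershell
# Added example: read-only ACL report for the folders named in the first post.
$AgentFolders = @(
    'C:\ProgramData\McAfee\Agent\logs',
    'C:\ProgramData\McAfee\Agent\msgbus',
    'C:\ProgramData\McAfee\Agent\DB'
)

function Test-IdentityResolves {
    # True when the ACE identity maps to an account name on this host/domain.
    param([System.Security.Principal.IdentityReference]$Identity)
    try {
        $sid = $Identity.Translate([System.Security.Principal.SecurityIdentifier])
        $null = $sid.Translate([System.Security.Principal.NTAccount])
        return $true
    } catch {
        return $false
    }
}

function Get-AgentFolderAclReport {
    # Hypothetical helper: one row per ACE, or one row per unreadable folder.
    param([string[]]$Path = $AgentFolders)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($folder in $Path) {
        try {
            $acl = Get-Acl -LiteralPath $folder -ErrorAction Stop
        } catch {
            # Missing folder or access denied: report it instead of stopping.
            [pscustomobject]@{ Folder = $folder; Owner = $null; Identity = $null
                Rights = $null; FullControl = $null; Inherited = $null
                Resolves = $null; Error = $_.Exception.Message }
            continue
        }
        foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Folder      = $folder
                Owner       = $acl.Owner
                Identity    = $ace.IdentityReference.Value
                Rights      = "$($ace.AccessControlType): $($ace.FileSystemRights)"
                FullControl = (($ace.FileSystemRights -band $full) -eq $full)
                Inherited   = $ace.IsInherited
                Resolves    = Test-IdentityResolves $ace.IdentityReference
                Error       = $null
            }
        }
    }
}

Get-AgentFolderAclReport | Format-Table -AutoSize -Wrap
```

Running it from an elevated prompt on one system where the upgrade succeeded and one where it failed gives two reports that can be compared entry by entry.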