0 Replies Latest reply on Jul 28, 2016 9:08 AM by serbarria

    Agent ePO 5.0.2 reinstalls itself

    serbarria

      Hello,

      I would like to tell you about a problem I have with some agents on some Windows Server 2003 servers.

       

      For some time we have had these agents installed and reporting to ePO, with VirusScan 8.8.

       

      Every so often the agent restarts and we receive alarms that the mcshield.exe service is stopped, so I started digging in the Event Viewer, and it shows that the agent is being uninstalled and installed. We don't know what could be happening and I would like you to help us see what could be happening.

       

      I am attaching the Event Viewer logs we found, from the exact moment this happens. Thank you very much.

       

      ______________________________________________________________________

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:1040
      Date:28-07-2016
      Time:9:01:37
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Beginning a Windows Installer transaction: {dea2d287-b3f7-4828-8332-3cf31ed15ed7}. Client Process Id: 33776.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

       

       

      ______________________________________________________________________

      Event Type:Information
      Event Source:McLogEvent
      Event Category:None
      Event ID:257
      Date:28-07-2016
      Time:9:02:00
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Bloqueado por regla de protección de acceso.  La regla Protección común estándar:Impedir la modificación de los archivos y las opciones de McAfee Common Management Agent ha bloqueado el acceso al objeto HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\MCAFEEFRAMEWORK\.

       

       

      ______________________________________________________________________

       

      Event Type:Information
      Event Source:McLogEvent
      Event Category:None
      Event ID:5000
      Date:28-07-2016
      Time:9:03:06
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      McShield service started.

      Engine version : 5800.7501

      DAT version : 8238.0000

       

      Number of signatures in EXTRA.DAT : Ninguno

      Names of threats that EXTRA.DAT can detect : Ninguno

       

      ______________________________________________________________________

       

       

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:11724
      Date:28-07-2016
      Time:9:03:14
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Producto: McAfee Agent -- Removal completed successfully.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

      Data:

      0000: 7b 44 45 41 32 44 32 38   {DEA2D28

      0008: 37 2d 42 33 46 37 2d 34   7-B3F7-4

      0010: 38 32 38 2d 38 33 33 32   828-8332

      0018: 2d 33 43 46 33 31 45 44   -3CF31ED

      0020: 31 35 45 44 37 7d         15ED7}

       

      ______________________________________________________________________

       

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:1034
      Date:28-07-2016
      Time:9:03:14
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Windows Installer removed the product. Product Name: McAfee Agent. Product Version: 5.00.2025. Product Language: 1034. Removal success or error status: 0.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

      Data:

      0000: 7b 44 45 41 32 44 32 38   {DEA2D28

      0008: 37 2d 42 33 46 37 2d 34   7-B3F7-4

      0010: 38 32 38 2d 38 33 33 32   828-8332

      0018: 2d 33 43 46 33 31 45 44   -3CF31ED

      0020: 31 35 45 44 37 7d         15ED7}

       

      ______________________________________________________________________

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:1042
      Date:28-07-2016
      Time:9:03:14
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Ending a Windows Installer transaction: {dea2d287-b3f7-4828-8332-3cf31ed15ed7}. Client Process Id: 33776.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

       

      ______________________________________________________________________

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:1040
      Date:28-07-2016
      Time:9:03:14
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Beginning a Windows Installer transaction: C:\WINDOWS\TEMP\mfe80BA.tmp\MFEagent.msi. Client Process Id: 39672.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

       

      ______________________________________________________________________

      Event Type:Information
      Event Source:McLogEvent
      Event Category:None
      Event ID:257
      Date:28-07-2016
      Time:9:03:29
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      El análisis de C:\WINDOWS\Temp\ma80E7.tmp\x64\mfestwa.dll ha tardado demasiado tiempo en completarse y se está cancelando.  La versión de motor de análisis utilizada es 5800.7501 versión DAT 8238.0000.

       

      ______________________________________________________________________

       

      Event Type:Information
      Event Source:McLogEvent
      Event Category:None
      Event ID:257
      Date:28-07-2016
      Time:9:03:29
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      El análisis de C:\WINDOWS\Temp\ma80E7.tmp\x86\mfestwa.dll ha tardado demasiado tiempo en completarse y se está cancelando.  La versión de motor de análisis utilizada es 5800.7501 versión DAT 8238.0000.

       

      ______________________________________________________________________

      Event Type:Information
      Event Source:McLogEvent
      Event Category:None
      Event ID:5000
      Date:28-07-2016
      Time:9:04:06
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      McShield service started.

      Engine version : 5800.7501

      DAT version : 8238.0000

       

      Number of signatures in EXTRA.DAT : Ninguno

      Names of threats that EXTRA.DAT can detect : Ninguno

      ______________________________________________________________________

       

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:11707
      Date:28-07-2016
      Time:9:04:34
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Producto: McAfee Agent -- La operación de instalación finalizó satisfactoriamente.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

      Data:

      0000: 7b 64 65 61 32 64 32 38   {dea2d28

      0008: 37 2d 62 33 66 37 2d 34   7-b3f7-4

      0010: 38 32 38 2d 38 33 33 32   828-8332

      0018: 2d 33 63 66 33 31 65 64   -3cf31ed

      0020: 31 35 65 64 37 7d         15ed7}

       

      ______________________________________________________________________

       

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:1033
      Date:28-07-2016
      Time:9:04:34
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Windows Installer installed the product. Product Name: McAfee Agent. Product Version: 5.00.2025. Product Language: 1034. Installation success or error status: 0.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

      Data:

      0000: 7b 64 65 61 32 64 32 38   {dea2d28

      0008: 37 2d 62 33 66 37 2d 34   7-b3f7-4

      0010: 38 32 38 2d 38 33 33 32   828-8332

      0018: 2d 33 63 66 33 31 65 64   -3cf31ed

      0020: 31 35 65 64 37 7d         15ed7}

       

      ______________________________________________________________________

      Event Type:Information
      Event Source:MsiInstaller
      Event Category:None
      Event ID:1042
      Date:28-07-2016
      Time:9:04:34
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      Ending a Windows Installer transaction: C:\WINDOWS\TEMP\mfe80BA.tmp\MFEagent.msi. Client Process Id: 39672.

       

       

      For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

       

      ______________________________________________________________________

       

      Event Type:Information
      Event Source:McLogEvent
      Event Category:None
      Event ID:5000
      Date:28-07-2016
      Time:9:15:44
      User:NT AUTHORITY\SYSTEM
      Computer:VMINTRAWEB

      Description:

      McShield service started.

      Engine version : 5800.7501

      DAT version : 8239.0000

       

      Number of signatures in EXTRA.DAT : Ninguno

      Names of threats that EXTRA.DAT can detect : Ninguno

       

      ______________________________________________________________________

       

       

       

       

      Thank you very much,