Mcshield.exe

Status
Not open for further replies.

netadminTO

IS-IT--Management
Feb 21, 2003
US
Hi!

We have just implemented ePO 3.0 and have created a site with all computers. A few PCs on our network all of a sudden have mcshield.exe using up 100% of the processor with no breaks - even removing Virus Scan 7.0 and manually reinstalling it still causes the same problem.

Any ideas? GREATLY APPRECIATED!
 
Check some of the old threads in this message board. Several people have posted about this before. My fix for this has been to uninstall the old epoagent on the client and reinstall the new agent if you recently deployed EPO 3.X. Other threads have other suggestions.

Good luck.
 
Hello Netbudhg here,

We have had similar events on client machines (win2k) and the following was the main cause:
We discovered that the upgrade from epo2 to epo3 caused the 100% utilisation of the CPU. Stopping ALL services related to the Virusscan software and then ALL services related to epo3 on the client machine (especially the Framework service!!), and then reinstalling the Virusscan software before the epo client, solves this problem, as all possible corrupt db and log files are removed. Also see the following text copied from the NAI site - let me know how it went (mailto:netbudhg@hotmail.com)

McShield utilizes 100% CPU due to missing ePO McShield exclusion or corrupt ePO .EVT files
Solution ID: NAI33568 Last Modified: 4 MAR 2004

Goal and/or Problem Description
McShield utilizes 100% CPU due to missing ePO McShield exclusion or corrupt ePO .EVT files
100% CPU on McShield
100% CPU occurs at machine start-up
McAfee ePO Agent is installed
VirusScan - McShield Exclusion for ePO Agent is missing
McAfee ePO Agent EVT files are corrupt


--------------------------------------------------------------------------------

Problem Environment
McAfee VirusScan Enterprise 7.0
McAfee VirusScan Multiplatform 4.5.1
McAfee ePolicy Orchestrator 3.0
McAfee ePolicy Orchestrator 2.5.1
Microsoft Windows 9x
Microsoft Windows NT
Microsoft Windows XP
Microsoft Windows 2000


--------------------------------------------------------------------------------

Changes affecting this problem
Change information is not available for this solution

--------------------------------------------------------------------------------

Cause of this problem
The cause of this issue can be twofold: the ePolicy Orchestrator agent folder may not be excluded (or the exclusion is wrong); or, the ePO Agent *.EVT files have become corrupt, in which case the Filter Driver that VirusScan loads still accesses these files but does not process them for scanning. This access by the VirusScan Filter Driver is as designed so that all files are touched but those defined in the McShield Exclusion are never scanned for viruses.


--------------------------------------------------------------------------------


Solution 1:
In the ePO Agent folder, locate the *.EVT files and delete them.

For ePolicy Orchestrator 2.5.x, the default location for such files is in the folder: 'X:\ePOAgent\AgentDB\Event\'.

Stopping the ePO Agent service will also stop the 100% CPU, confirming that this is the root cause.

For ePolicy Orchestrator 2.5.1, stop the 'NAI ePolicy Orchestrator Agent' service.

For ePolicy Orchestrator 3.0, stop the 'McAfee Framework Service'.

NOTE: The *.EVT files hold information that is passed back to the ePolicy Orchestrator server. This includes virus alerts incurred on the machine and product component information. The only way to identify which .EVT file is causing the problem would be to use a 3rd-party tool such as FILEMON, if only one were to be deleted. Corrupt data in an .EVT file would be passed back to the ePO server and would need to be deleted to overcome that problem.

--------------------------------------------------------------------------------
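
Solution 1 above as a script, added here as an example (it is not from the thread or from NAI): it stops the agent service, then moves the *.EVT files to a holding folder with a hash manifest instead of deleting them, so the virus alerts they carry can still be reviewed. It assumes a client with PowerShell 4 or later; the `-EventDir` value, the holding folder and the manifest name are hypothetical and must be set for your install.

```powershell
# Added example: set aside ePO agent *.EVT files rather than deleting them outright.
param(
    # Assumption: supply the agent event folder yourself. The KB text only gives the
    # ePO 2.5.x default 'X:\ePOAgent\AgentDB\Event\' (X: = install drive).
    [Parameter(Mandatory = $true)][string]$EventDir,
    # Display name taken from the KB text for ePO 3.0.
    # For ePO 2.5.1 pass 'NAI ePolicy Orchestrator Agent'.
    [string]$ServiceDisplayName = 'McAfee Framework Service',
    # Hypothetical holding folder for the moved files.
    [string]$HoldDir = (Join-Path $env:TEMP ('evt-hold-' + (Get-Date -Format 'yyyyMMdd-HHmmss')))
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $EventDir -PathType Container)) {
    throw "Event folder not found: $EventDir"
}

# Stop the agent so it releases the event files (the KB notes this also stops the 100% CPU).
$svc = Get-Service -DisplayName $ServiceDisplayName
$wasRunning = $svc.Status -eq 'Running'
if ($wasRunning) {
    Stop-Service -InputObject $svc -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

try {
    $files = @(Get-ChildItem -LiteralPath $EventDir -Filter '*.evt' -File)
    if ($files.Count -gt 0) {
        New-Item -ItemType Directory -Path $HoldDir -Force | Out-Null
        # Record name, size, timestamp and SHA-256 before touching anything.
        $files | ForEach-Object {
            [pscustomobject]@{
                Name          = $_.Name
                Length        = $_.Length
                LastWriteTime = $_.LastWriteTime
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path (Join-Path $HoldDir 'manifest.csv') -NoTypeInformation
        $files | Move-Item -Destination $HoldDir
    }
    Write-Output ('Moved {0} .EVT file(s) from {1} to {2}' -f $files.Count, $EventDir, $HoldDir)
}
finally {
    # Restart the agent only if it was running when we started.
    if ($wasRunning) { Start-Service -InputObject $svc }
}
```

Run it from an elevated prompt; if CPU use stays normal after the agent restarts, the held files can be examined or discarded.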



 