
McShield service keeps stopping and starting


ZazuGreyBird (Technical User, US), May 31, 2006
Since last week some time the McShield service has been hanging, stopping and then restarting. It has caused a serious performance hit on my machine. I have removed it and reinstalled it several times, including a full manual uninstall and reinstall of both VirusScan Enterprise 8.0i and ePolicy Orchestrator Agent v. 3.5.0.513. My virus update is 4.0.4774. VirusScan says it has patch versions 1, 5, 7, 8, 9. I had Microsoft's Windefender running and removed it in case it was the problem, but that didn't help. The error in the System Events log is Event ID: 7034 and the Description is "The Network Associates McShield service terminated unexpectedly. It has done this 1 time(s).

For more information, see Help and Support Center at
After one of the reinstalls it appeared to be ok for a while. Then I installed an update from MS and rebooted and it hasn't worked since. Any help would be greatly appreciated.
 
When you right click the V shield in the sys tray does it give you a def date or is it blank?
Try running the latest SDAT in case there's a difference in def dates somewhere. This causes this issue also.
Have you tried removing the Windows patch?
 
The Virus Definitions date is now May 31 2006. I don't remember what it was yesterday, but it was from last week some time. I remembered there being previous problems when McAfee Virus Definitions updates caused system incompatibilities; in one instance I remember it rendered some systems unbootable. I just wasn't sure that this was what was causing my problem.

The reason I tried removing Windefender was I thought it might have updated and caused an incompatibility. Windefender currently has a problem with my ATI video software putting "Open Client to Monitor 2" on the context menus of applications.

Just to be sure I understand you, what do you mean by a "difference in def dates". (i.e. different from where?) Btw thanks for your reply. I am going to try to re-enable the McShield service and see if it is still broken.
 
Well, I just tried re-enabling the McShield service and it hung and stopped in less than 1 minute. The System error message is the same as before. The Application messages (all are McLogEvent) are as follows:

First Entry
Event ID: 5000
Description:
VirusScan Enterprise McShield service started - scanning for 193045 viruses.
Engine version : 4.4.00
.DAT version : 4774

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None

Second Entry
Event ID: 5051
Description:
A thread in process C:\Program Files\Network Associates\VirusScan\mcshield.exe took longer than 30000 ms to complete a request.
The process will be terminated. Thread id : 2212 (0x8a4)
Thread address : 0x7C90EB94
Thread message :

Build Aug 20 2004 04:46:11 / 11.29
Object being scanned = Process 448
by McShield.exe
20030(0)(0)
7001(0)(0)
7000(0)(0)
0(74088578)(0)
9999(74088546)(0)
0(0)(0)
0(0)(0)
0(0)(0)

Third Entry
Event ID: 5051
Description:
A thread in process C:\Program Files\Network Associates\VirusScan\mcshield.exe took longer than 30000 ms to complete a request.
The process will be terminated. Thread id : 1632 (0x660)
Thread address : 0x7C90EB94
Thread message :

Build Aug 20 2004 04:46:11 / 11.29
Object being scanned = Process 4
by McShield.exe
20039(0)(0)
20038(0)(9)
20039(0)(0)
20038(0)(25)
20039(0)(0)
20038(0)(9)
20039(0)(0)
20038(0)(7)

Fourth Entry
Event ID: 1008
Description:
The McShield service terminated unexpectedly.
Please review event 5019 or 5051 for details. The McShield service will be restarted in 5 seconds;

Fifth Entry
Event ID: 5000
Description:
VirusScan Enterprise McShield service started - scanning for 193045 viruses.
Engine version : 4.4.00
.DAT version : 4774

EXTRA.DAT name : None
Number of virus signatures in EXTRA.DAT : None
Names of viruses that EXTRA.DAT can detect : None

Sixth Entry
Event ID: 1008
Description:
The McShield service terminated unexpectedly.
Please review event 5019 or 5051 for details. The McShield service will be restarted in 10 seconds;

The time of the first entry was 8:35:33 and the time of the last entry was 8:36:42. I terminated the service as soon as it was apparent it was still crashing. Any ideas about this? Thanks!
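
Added example, not part of the post above and not McAfee tooling: a parser that reads McLogEvent text pasted in the layout shown above and reports whether McShield is cycling through start, timeout and unexpected termination, a state in which on-access scanning is effectively off. The sample text is constructed from the entries in this thread (abridged); the function names and the two-termination threshold are assumptions.

```python
import re

# Constructed sample: the McLogEvent entries from the thread, abridged.
SAMPLE = r"""
Event ID: 5000
VirusScan Enterprise McShield service started - scanning for 193045 viruses.
.DAT version : 4774
Event ID: 5051
A thread in process C:\Program Files\Network Associates\VirusScan\mcshield.exe took longer than 30000 ms to complete a request.
Object being scanned = Process 448
Event ID: 5051
A thread in process C:\Program Files\Network Associates\VirusScan\mcshield.exe took longer than 30000 ms to complete a request.
Object being scanned = Process 4
Event ID: 1008
The McShield service terminated unexpectedly.
The McShield service will be restarted in 5 seconds;
Event ID: 5000
VirusScan Enterprise McShield service started - scanning for 193045 viruses.
.DAT version : 4774
Event ID: 1008
The McShield service terminated unexpectedly.
The McShield service will be restarted in 10 seconds;
"""

def parse_entries(text):
    """Split pasted text into (event_id, body) pairs; tolerates a clipped 'vent ID:'."""
    parts = re.split(r"(?m)^[ \t]*E?vent ID:[ \t]*(\d+)[ \t]*$", text)
    return [(int(parts[i]), parts[i + 1]) for i in range(1, len(parts), 2)]

def summarize(text, min_terminations=2):
    """Count starts (5000), scan timeouts (5051) and terminations (1008)."""
    dats, starts, timeouts, delays = set(), 0, [], []
    for eid, body in parse_entries(text):
        if eid == 5000:
            starts += 1
            dats.update(re.findall(r"\.DAT version\s*:\s*(\d+)", body))
        elif eid == 5051:
            ms = re.search(r"longer than (\d+) ms", body)
            obj = re.search(r"Object being scanned = (.+)", body)
            timeouts.append((int(ms.group(1)) if ms else None,
                             obj.group(1).strip() if obj else None))
        elif eid == 1008:
            delays += [int(s) for s in re.findall(r"restarted in (\d+) seconds", body)]
    # Assumed heuristic: repeated unexpected terminations in one paste = crash loop.
    return {"dat_versions": sorted(dats), "starts": starts, "timeouts": timeouts,
            "restart_delays": delays, "crash_loop": len(delays) >= min_terminations}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The DAT version reported alongside the loop is the value to compare across machines, since the thread ties the failure to a signature update.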
 
There are various registry keys where the def date is defined; sometimes the reg keys differ and the mcshield service goes into spasm!
 
VirusScan Enterprise 8.0i. It says the scan engine is version 4400, if that helps. Re the registry keys you mentioned is there a parameter I could search for that would help me find all of them? (e.g. "definition date" or "date") Thanks again!
 
Can't find anything anywhere about this. Silly question perhaps....
Did you reboot after removing vse and the agent?
 
Not a silly question at all. I'm pretty sure I rebooted every time I uninstalled and reinstalled using the automatic method. When I used the manual method (kb47372, then kb43214 remove part) I rebooted every time the instructions said to reboot. That amounted to 2 or 3 reboots just for vse alone. I found 2 locations where "defdate" exists in the registry: HKLM\SOFTWARE\Network Associates\TVD\Shared Components\VirusScan Engine\4.0.xx Value: szVirDefDate Data: 06/01/2006 and HKLM\SOFTWARE\Network Associates\TVD\VisurScan Enterprise\CurrentVersion\ Value: szVirDefDate Data: June 1 2006

As you might note, the defdate has updated again since yesterday. Last week it stayed the same, but now 2 updates in as many days. Hmmm. My virus update is now 4.0.4775. ePolicy says the update was installed yesterday at 1:42:13 PM. Maybe I should try the McShield service again.
 
Well, I tried re-enabling the McShield service and it still didn't work. So I once more uninstalled, rebooted and installed it. This time, I unchecked the box to update virus signatures and waited. No problems at all. I rebooted so the services that didn't start on install would start and still no problems. Then I updated to the most current signatures, and blooey. Back where I started. I guess that means that there is some problem with the most recent signatures and that is probably why it isn't behaving properly. Oh. I forgot to say I did some malware scans before I re-enabled McShield. I ran Adaware, Spybot S&D, and a manual full scan with VirusScan. Nothing was found. And I ran Sysinternals' RootkitRevealer with nothing found there either. So it probably is a problem with the recent signature updates. If you think of anything else I could try let me know. In the meantime I'm without on-access scanning.
 
Hi ZazuGreyBird,

Did you find a solution for this?

I seem to be having exactly the same problems - 90% of the time the mcshield service hangs upon waking my laptop from standby.

Does anyone else have any ideas?

Thanks

J
 
If I recall correctly, there were several known issues re: coming out of standby or hibernate. These were supposed to be corrected in the (now deceased) Patch 12 for 8.0i, and are claimed to be corrected in Patch 13, which was released on the Support Portal around 7/4/06.

Has anyone tested Patch 13 yet to see if it, too, does more harm than good? I've D/L'ed it but haven't deployed it to my evaluation group yet.

Thanks!--The Bug Guy
 
Sorry, I haven't had any luck getting this solved yet. The problem is on a desktop machine, and I have disabled hibernate and standby. It just happens when I log in to the machine. Btw, I don't have patches 12 or 13. The only ones I have are 1, 7, and 8. I don't know why I don't have these patches, when this problem started I had patches 1, 5, 7, 8, and 9. I don't know why patches 5 and 9 didn't install when I reinstalled. I will have to see what is going on here and see if I can get the missing patches.
 