Technical Articles
High memory usage with MFEVTPS.EXE
| Technical Articles ID: | KB73018 | |
| Last Modified: | November 17, 2011 |
Environment
McAfee Host Intrusion Prevention 8.0
McAfee Host Intrusion Prevention 7.0
McAfee VirusScan Enterprise 8.8
McAfee VirusScan Enterprise 8.7i
Microsoft Windows XP
McAfee Host Intrusion Prevention 7.0
McAfee VirusScan Enterprise 8.8
McAfee VirusScan Enterprise 8.7i
Microsoft Windows XP
Summary
This issue is likely to affect multiple McAfee products. These will be added as information becomes available.
Problem
VirusScan Enterprise and Host Intrusion Prevention
MFEVTPS.exe uses an increasing amount of memory. This issue occurs despite having installed Hotfix 660014, which was released to address a specific high memory usage issue with MFEVTPS.exe. The same symptoms still occur due to a Microsoft update to CRYPT32.DLL.
MFEVTPS.exe uses an increasing amount of memory. This issue occurs despite having installed Hotfix 660014, which was released to address a specific high memory usage issue with MFEVTPS.exe. The same symptoms still occur due to a Microsoft update to CRYPT32.DLL.
System Change
Applied a recent Microsoft update to CRYPT32.DLL.
Cause
The root cause is confirmed to be an issue with CRYPT32.DLL that is being exposed by the McAfee utilization of cryptographic APIs, after updating to the CRYPT32.DLL version described in Microsoft KnowledgeBase article KB2607712: http://support.microsoft.com/kb/2607712.
NOTE: To date McAfee has observed this symptom only on Windows XP systems.
NOTE: To date McAfee has observed this symptom only on Windows XP systems.
Solution
Microsoft has a solution available for this issue. See: http://support.microsoft.com/kb/2641690.
McAfee also strongly advises you to install Patch 1 or later for VirusScan Enterprise 8.8.
To download McAfee products, updates, and documentation, visit the Downloads page at http://www.mcafee.com/us/downloads/downloads.aspx.
For instructions on downloading, see: KB56057.
For instructions on downloading, see: KB56057.
Workaround
Restart the affected computer(s).
NOTE: The MFEVTP service (mfevtps.exe) is not a service that can readily be stopped and started to reset memory usage to original levels. This is the reason for the computer restart.
NOTE: The MFEVTP service (mfevtps.exe) is not a service that can readily be stopped and started to reset memory usage to original levels. This is the reason for the computer restart.
Related Information
As part of our investigation into this issue, McAfee built a test harness tool to invoke cryptographic APIs, and observed the same memory increase in the test tool. This occurred without the presence of any McAfee code. Therefore, McAfee engaged Microsoft to investigate this issue. Root cause has been confirmed by Microsoft to be a bug in Crypt32.dll.
The rate of memory increase is entirely dependent on system utilization and the requirement for McAfee to invoke cryptographic APIs to validate and verify system calls being made that utilize McAfee code. Internal testing has shown a reboot might be required after about five days because mfevtps.exe memory usage reaches a level that noticeably impacts system performance (more than 1 GB).
The rate of memory increase is entirely dependent on system utilization and the requirement for McAfee to invoke cryptographic APIs to validate and verify system calls being made that utilize McAfee code. Internal testing has shown a reboot might be required after about five days because mfevtps.exe memory usage reaches a level that noticeably impacts system performance (more than 1 GB).
Rate this Page
Please take a moment to complete this form to help us better serve you.