Loading...

Knowledge Center


McShield stops working or the system performance is degraded with VirusScan 8.8 Patch 7 and Threat Intelligence Exchange Module installed
Technical Articles ID:   KB87510
Last Modified:  1/23/2019

Environment

McAfee Threat Intelligence Exchange Module (TIEm) 1.0.1.140
McAfee VirusScan Enterprise (VSE) 8.8 Patch 7

Problem

A system with VSE and TIEm for VSE 1.0.1.140 experiences infrequent performance issues such as hangs or freeze-like symptoms, which requires a hard reboot to recover the affected system.

Preceding the hang, you observe that the McShield service has stopped working entirely (crashed).

The Windows application event log might contain events similar to the following:
 
ERROR  McLogEvent  None  5019  SYSTEM Exception in McShield.Exe! 
Exception details follow :  VSCORE.15.4.0.649  Exception Code  : 0X00000000C0000005 
Exception Address  : 0X00000000737FAA5F  Exception Parameters : 2  Param 1 = 0000000000000000 
Param 2 = 0XFFFFFFFFFFFFFFFE    More information : None
 
Capturing a full dump or a kernel dump might be comparatively difficult, because an affected system usually would not accept any keyboard input after hanging. Attaching a debugger (such as ProcDump - https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx) to the crashing process (McShield in this case) could yield a process dump, which can then be further examined.

The stack of the McShield process upon crash will look similar to the following:
 
STACK_TEXT:
00000000 116afa60 00000000 737fc59f : 00000000 00491360 00000000 116afbd8 00000000 0012f720 00000000 00000400 : ftl!FileFilterCreate+0x310f
00000000 116afb00 00000001 3f6e65d9 : 00000000 00000400 00000000 000004f0 00000000 00000000 000007fe fdbe13d2 : ftl!FileFilterCreate+0x4c4f
00000000 116afb90 000007fe f36bea81 : 00000000 000004f0 00000000 00000000 01d1abf5 094d33d5 01d1abf5 094d33d5 : mcshield+0x165d9
00000000 116afc10 000007fe f36be209 : 00000000 116afd58 00000000 00000000 00000000 003f4240 00000000 00000000 : TieVe+0x2ea81
00000000 116afcd0 000007fe f36be5e4 : 00000000 0f35bf00 00000000 116afd58 00000000 00000000 00000000 104719d0 : TieVe+0x2e209
00000000 116afd20 000007fe f35c3fef : 00000000 116afd58 00000000 00000000 00000000 00000000 00000000 00000000 : TieVe+0x2e5e4
00000000 116afd80 000007fe f35c4196 : 000007fe f3661db0 00000000 00000000 00000000 00000000 00000000 00000000 : msvcr110!beginthreadex+0x107
00000000 116afdb0 00000000 776f59bd : 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 : msvcr110!endthreadex+0x192
00000000 116afde0 00000000 7792a2e1 : 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 : kernel32!BaseThreadInitThunk+0xd
00000000 116afe10 00000000 00000000 : 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 : ntdll!RtlUserThreadStart+0x1d

System Change

Installed TIEm for VSE 1.0.1.140.

Cause

This issue may occur in instances where there are no file extension based exclusions and the TIEm for VSE attempts to verify whether a file should be excluded (based on file extension) creating a loop-like condition.

Solution

This issue is resolved in TIEm for VSE 1.0.2 and VSE 8.8 Patch 8.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.