Data collection steps for troubleshooting VirusScan Enterprise issues
Technical Articles ID: KB89433
Last Modified: 5/21/2020
Environment
McAfee VirusScan Enterprise (VSE) 8.8.x
For details of VSE supported environments, see KB51111.
Summary
This article provides basic information about how to collect data for troubleshooting the following VSE issues:
The following sections describe the data to collect for each type of issue.
Depending on the issue, you might need the following tools:
See the following sections for instructions to prepare and use the tools.
Solution
How to use AMTrace to collect logging data from AMCore:
- Prepare AMTrace:
- Download the zip package VSEDataCollect.zip from the Attachment section of this article.
- Extract the contents to the Desktop.
- Run AMTrace:
- Click Start, type cmd.exe in the Search bar, right-click cmd.exe from the list, and click Run as administrator.
- When you are ready to start a trace, use the command option below for the relevant data collection section:
NOTE: The following are the paths to the AMTrace.exe file locations:
- C:\Users\username\Desktop\VSEDataCollect\AMTracex86
- C:\Users\username\Desktop\VSEDataCollect\AMTracex64
AMTrace command options:
- To use the AMTrace onboot option, run the following command:
AMTrace.exe -b onboot -m 4GB
This command instructs the tool to begin a trace at the next boot.
NOTES:
- The "GB" is case sensitive. This example limits the log size to 4 GB. 10 MB is the minimum accepted value, and 2 GB is the default, if not specified.
- This option does not support the alternative logging modes described below.
- To use AMTrace with the now option, run the following command:
AMTrace.exe -b now -m 4GB
IMPORTANT: AMTrace now uses the rollover option by default.
This command instructs the tool to begin a trace immediately, and to limit the log size to 4 GB per .etl file. When the log reaches 4 GB, a new log is created. The system appends each log with a number, for example _1, _2, until you stop the trace, the user logs off, or you shut down the system.
NOTE: The "GB" is case sensitive.
- To use AMTrace without the rollover option:
Choose an appropriate logging method for the issue you want to record:
AMTrace.exe -b now -m 4GB -L stop
AMTrace.exe -b now -m 4GB -L circular
The stop mode creates a trace session that stops logging when it reaches the size limit.
The circular mode creates a trace session that logs to a single file. After reaching the maximum size, older events are overwritten.
NOTE: The "L" and "GB" are case sensitive.
- Stop the trace and save the log. Use the following command:
AMTrace -e
- When possible, AMTrace tries to automatically rename the resulting ETL files to include the start time and stop time of the logging in the file name. For example, amtrace_20200704.010203-010305.etl would indicate that logging began 2020-07-04 (July 4, 2020) at 1:02:03, and continued until 1:03:05.
If AMTrace is unable to rename the file when logging stops, it is still possible to rename the file manually with another AMTrace command:
AMTrace.exe --datestamp *.etl
This command accepts wildcards (* or ?). These wildcards reference multiple characters or a single character respectively. This command renames the specified file or files to include the start and stop times in the file name. It does not affect files that already have the datestamp added.
To confirm whether an AMTrace is in progress, run the following command to list any active traces:
AMTrace -q
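An added example, not part of the original article or of AMTrace: Python that reads the datestamped file names described above, reports which collected trace covers a given incident time, and lists the files that still need `--datestamp`. It assumes the name layout of the article's single example and that a stop time earlier than the start time means the trace ran past midnight; the function names and the sample names other than the article's are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Layout taken from the article's example: amtrace_20200704.010203-010305.etl
_NAME = re.compile(r"^amtrace_(\d{8})\.(\d{6})-(\d{6})\.etl$", re.IGNORECASE)

def parse_trace_name(name):
    """Return (start, stop) datetimes, or None if the name has no valid datestamp."""
    m = _NAME.match(name)
    if not m:
        return None
    day, t_start, t_stop = m.groups()
    try:
        start = datetime.strptime(day + t_start, "%Y%m%d%H%M%S")
        stop = datetime.strptime(day + t_stop, "%Y%m%d%H%M%S")
    except ValueError:
        return None  # digits are present but do not form a real date/time
    # Assumption: only the start date is encoded in the name, so a stop time
    # earlier than the start time is treated as "stopped the next day".
    if stop < start:
        stop += timedelta(days=1)
    return start, stop

def traces_covering(names, incident):
    """Return (traces whose window contains incident, names lacking a datestamp)."""
    covering, undated = [], []
    for name in names:
        window = parse_trace_name(name)
        if window is None:
            undated.append(name)
        elif window[0] <= incident <= window[1]:
            covering.append(name)
    return covering, undated

# Constructed sample file names (not taken from a real system).
SAMPLE = [
    "amtrace_20200704.010203-010305.etl",  # the article's example name
    "amtrace_20200704.235900-000430.etl",  # constructed: runs past midnight
    "amtrace.etl",                         # constructed: never datestamped
]

if __name__ == "__main__":
    hit, todo = traces_covering(SAMPLE, datetime(2020, 7, 5, 0, 1, 0))
    print("covers incident:", hit)
    print("run AMTrace.exe --datestamp on:", todo)
```
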
Solution
How to use Windows Performance Recorder (WPR):
Run wprui.exe:
- Click Start, type cmd.exe in the Search bar, right-click cmd.exe from the list, and click Run as administrator.
- Type wprui.exe and press Enter to start WPR.
NOTE: If the program does not run or is not found, you must first install it. WPR is part of the Windows Performance Toolkit, which is available from the Windows SDK or the Windows Assessment and Deployment Kit:
- Choose to use a Performance Scenario and other settings, as recommended in the following table:
| Performance Issue | Performance Scenario | Detail Level | Logging Mode | Profiles to Include | Number of Iterations |
|---|---|---|---|---|---|
| Slow boot or logon | Boot | See below | File | First-level Triage, CPU use, File I/O activity | At least 1 |
| High CPU use | General | See below | File | First-level Triage, CPU use, File I/O activity | N/A |
| Application is slow or unresponsive | General | See below | File | First-level Triage, CPU use, File I/O activity | N/A |
For Detail Level, use the Light setting first, to capture an overview of the problem. Technical Support recommends a capture of 30 seconds to two minutes. For a deeper analysis of the problem, use the Verbose setting and capture at least 30 seconds. Technical Support does not recommend using only the Verbose option. The Verbose option places extra strain on the system, which can change or mask the original problem you want to investigate. Thus, the Light setting is used to show the issue, while the Verbose setting is used to investigate the details.
Solution
How to use Process Monitor:
- Prepare Process Monitor:
- Download Process Monitor from: https://technet.microsoft.com/en-us/library/bb896645.aspx.
- Extract Procmon.exe to the Desktop.
- Run Process Monitor. When you are ready to start Process Monitor, use whichever option below the relevant data collection section calls for:
- To enable the Process Monitor boot logging option, if needed by the relevant data collection section:
- Open the Process Monitor console.
- Click Options.
- Click Enable Boot Logging.
- Click OK on the pop-up window. The next time a reboot occurs, a boot trace log is created.
- To save the log, run Process Monitor again and click File, Save (select All Events and use the native PML format).
- To immediately start Process Monitor:
- Run Procmon.exe. Process Monitor starts capturing process information automatically.
- To stop Process Monitor, press Ctrl+E or click File and deselect Capture Events. Press Ctrl+E again to resume data collection.
- To save the log, click File, Save. Select All Events and use the native PML format.
Solution
Slow boot or startup
Perform the steps in this section if the symptoms are any of the following:
- Slow boot or startup
- Slow logon
Data collection steps for AMTrace and Process Monitor:
- Start AMTrace with the onboot option.
- Start Process Monitor and enable the boot logging option.
- Reboot the system.
- Reproduce the issue.
- Log on to the system.
- Stop AMTrace and save the log.
- Open Process Monitor and save the boot log.
Data collection steps for Windows Performance Recorder:
- Run WPR.
- Configure the Boot Performance Scenario.
- Start the capture.
- Reboot the system.
- Reproduce the issue.
- Log on to the system.
- Allow the WPR: Boot Trace to finish.
- Capture the saved ETL files.
Solution
Slow performance (reproducible)
Perform the steps in this section if the symptoms are reproducible and are any of the following:
- Slow application startup
- Slow application performance
- Slow system performance
Data collection steps for AMTrace and Process Monitor:
- Start Process Monitor.
- Start AMTrace with the now option.
- Reproduce the issue.
- Stop AMTrace and save the log.
- Stop Process Monitor and save the log.
Data collection steps for Windows Performance Recorder:
- Run WPR.
- Configure the General Performance Scenario.
- Start the trace.
- Reproduce the issue.
- Stop the trace.
- Capture the saved file.
Solution
Slow performance (random)
Perform the steps in this section if the symptoms occur randomly and are any of the following:
- Slow application startup
- Slow application performance
- Slow system performance
Data collection steps for AMTrace:
- Start AMTrace with the rollover option.
- When the issue occurs, stop AMTrace and save the log.
Data collection steps for Windows Performance Recorder:
- Run WPR.
- Configure the General Performance Scenario with Memory as the Logging Mode.
- Start the trace.
- Reproduce the issue.
- Save the trace as soon as possible after reproducing the issue.
- Capture the saved file.
Solution
System or application becomes unresponsive
Perform the steps in this section if the symptoms are any of the following:
- System becomes unresponsive or deadlock occurs
- Application becomes unresponsive (not responding and does not recover)
Data collection steps:
- Configure the system to create a full memory.dmp. See KB56023.
- Configure the system to allow for a keyboard crash. See https://msdn.microsoft.com/en-us/library/windows/hardware/ff545499%28v=vs.85%29.aspx.
- Create the dump file when the issue occurs. In general, the longer you can wait before you generate the dump file, the more help it provides with identifying the hang condition in the dump.
Solution
VSE fails to install
Verify the following:
- To verify the requirements for McAfee Agent deployment from the ePolicy Orchestrator (ePO) server, see KB56386.
- To review the supported versions of McAfee Agent and ePO, see KB51111.
Data collection when a local installation fails:
NOTE: Make sure that you collect the data during a local installation of VSE.
- Download and unzip the standalone package from the Product Downloads site at: https://secure.mcafee.com/apps/downloads/my-products/login.aspx?region=us.
- Start Process Monitor.
- Start AMTrace with the rollover option.
- Re-create the issue by running the local installation (setupVSE.exe) as administrator, and select the single module you are troubleshooting.
- Stop AMTrace and save the log.
- Stop Process Monitor and save the log.
- Collect a Minimum Escalation Requirements (MER) file. Run as Administrator.
Data collection when deployment through ePO fails:
If the product installs locally without errors, but you see the issue when you deploy using ePO, use these steps to investigate an ePO deployment installation issue:
- Enable McAfee Agent debug logging. For detailed steps to enable McAfee Agent debug logging, see KB82170.
- Replicate the issue.
- Collect a Minimum Escalation Requirements (MER) file. Run as Administrator.
Previous Document ID
70085