Problems with MOM and McAfee VirusScan Enterprise 8.0i – specifically ScriptScan.dll.

If you are getting a lot of failed scripts with MOM 2005 and are also running McAfee VirusScan Enterprise 8.0i, you are hitting a well-known problem that has been buzzing about for a while.

A typical symptom is the “The remote procedure call failed” error with event 21245.
KB article 890736 – 14 April 2006
http://support.microsoft.com/kb/890736/en-us

The KB states

Patch 11 for McAfee VirusScan Enterprise 8.0i corrects the problem discussed in this Microsoft Knowledge Base article. For more information, visit the McAfee support Web site: http://knowledgemap.nai.com

Note On the McAfee support Web site, search for Solution ID kb40049 for more information about Patch 11. Also, if you currently experience the problem that is described in the Microsoft Knowledge Base article 891605, “Event 21246 is logged on an agent computer, and you receive an error message in the Microsoft Operations Manager (MOM) 2005 Operator Console,” McAfee Solution ID kb40067 describes the same problem. McAfee VirusScan Enterprise 8.0i does not fix the memory leak that is referenced by these articles. Also, McAfee Solution ID kb47302 describes an issue that is related. 

Actually finding the stuff on the Network Associates web site is another matter!

Patch 11 does not cure the problem and on their web site they admit that due to the architecture of 8.0i there will never be a fix! Although later on in the same article they claim that patch 13 fixes it!

Claiming patch 12 fixes it
http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=KB40049&sliceId=SAL_Public&dialogID=2123018&stateId=0%200%202121540

Coming clean
http://knowledge.mcafee.com/SupportSite/search.do?cmd=displayKC&docType=kc&externalId=KB40067&sliceId=SAL_Public&dialogID=2123018&stateId=0%200%202121540

Actual message:-
“McAfee is aware of an issue where the loaded module for ScriptScan, ScriptProxy.dll, can leak pageable memory. Because of the ScriptScan architecture, the leak cannot be addressed in VirusScan Enterprise 8.0i. Therefore, if this issue is experienced under mission critical conditions, such as on a server, it may be necessary to unregister the ScriptScan module.

The fix for this is now available in Patch 13, which can be downloaded from the Service Portal.”

On this site they also explain that this component was intended for client workstations, to help with Outlook and IE exploits, and was never designed for servers. Organisations should not be running Outlook and IE on servers anyway. This should reassure organisations that are a bit worried about turning it off.

From the notes in that article:-

“When installed to a server, McAfee recommends that ScriptScan be disabled. Jscript and VBScript protection is intended for use with Microsoft Internet Explorer and Microsoft Outlook, which generally are not used on server platforms. Additionally, ScriptScan is not designed for high-throughput requirements of servers. Despite having On-Access Scanner protection, there is some risk in disabling ScriptScan. The On-Access Scanner detects malicious script attacks when the script, or its activity, accesses the file system. However, not all scripts must interact with the file system to become a hindrance or modify system settings. ScriptScan would block those malicious scripts from executing.”

If you are seeing a lot of 21245 errors then you need to unregister the DLL.
KB 890736 tells you how to do this manually, but supposedly Patch 11 onwards allows you to do it from the VirusScan console. I have not tried this as the ePolicy Orchestrator that I saw was not up to this level.

To work around this problem, you must unregister the ScriptProxy.dll component. To do this, follow these steps.

Important When you unregister the ScriptProxy.dll component, McAfee VirusScan software does not check any scripts for viruses.

1. Use an account that has domain administrator permissions to log on to the Windows Server 2003-based domain controller.
2. Click Start, click Run, type cmd, and then click OK.
3. At the command prompt, locate the %ProgramFiles%\Network Associates\VirusScan folder.
4. At the command prompt, type regsvr32 /u scriptproxy.dll.
5. You must restart the MOM service to apply the changes. To do this, follow these steps:

a. Click Start, point to Administrative Tools, and then click Services.
b. In the Services snap-in, right-click MOM, and then click Restart.
c. Close the Services snap-in.

Note If unregistering the Scriptproxy.dll component does not work around this issue, disable the McAfee ScriptScan by using the McAfee Configuration Console.
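
The manual steps above as a Windows PowerShell script, for running the workaround consistently across several servers. This is an added example, not code from the KB article or the original post. It assumes event 21245 is written to the Application log and that the service's display name is MOM, as shown in the Services snap-in; run it from an elevated prompt.

```powershell
# Added example: scripted form of the KB 890736 workaround described on this page.
# Assumptions (not from the page): event 21245 lives in the Application log,
# and the parameter names below are illustrative.
param(
    [string]$VirusScanDir = (Join-Path $env:ProgramFiles 'Network Associates\VirusScan'),
    [string]$MomServiceDisplayName = 'MOM',   # name shown in the Services snap-in
    [string]$LogName = 'Application',         # assumed log for event 21245
    [int]$LookbackHours = 24
)

$ErrorActionPreference = 'Stop'

# 1. Confirm the symptom: count recent 21245 events before changing anything.
$since = (Get-Date).AddHours(-$LookbackHours)
$hits = @(Get-EventLog -LogName $LogName -After $since -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 21245 })
Write-Host "Event 21245 entries in the last $LookbackHours h: $($hits.Count)"

# 2. Make sure the DLL is where the KB says it is.
$dll = Join-Path $VirusScanDir 'scriptproxy.dll'
if (-not (Test-Path -LiteralPath $dll)) {
    throw "scriptproxy.dll not found in '$VirusScanDir'; nothing to unregister."
}

# 3. Unregister it. /u = unregister, /s = no dialog box. regsvr32 is a GUI
#    program, so wait for it explicitly and read its exit code.
$regsvr32 = Join-Path $env:SystemRoot 'System32\regsvr32.exe'
$proc = Start-Process -FilePath $regsvr32 -ArgumentList '/u', '/s', "`"$dll`"" -Wait -PassThru
if ($proc.ExitCode -ne 0) {
    throw "regsvr32 /u failed with exit code $($proc.ExitCode); MOM service left untouched."
}
Write-Host "Unregistered $dll. VirusScan no longer checks scripts on this host."

# 4. Restart the MOM service so the change takes effect, then show its state.
Restart-Service -DisplayName $MomServiceDisplayName
Get-Service -DisplayName $MomServiceDisplayName |
    Format-Table Name, DisplayName, Status -AutoSize
```

Re-running the event count a day later shows whether the 21245 errors have stopped; if they have not, the note above about disabling ScriptScan from the console applies.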

Also a problem with MOM 2000 and McAfee

9015 and 9014 events in MOM 2000
KB article 891604 – 14 April 2006
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B891604
