Homepage - One or multiple servers may become unresponsive or start failing in any of their installed roles

One or multiple servers may become unresponsive or start failing in any of their installed roles

14/04/2010 20:29

Our new blog has been launched today.

Hi all. Today I would like to bring to your attention an issue we have been seeing lately that very well may effect those of you in a corporate environment. McAfee has recently released information about this issue on their web site.

The issue is that one or multiple servers may become unresponsive or start failing in any of their installed roles. Some of the possible symptoms are:

· Slow file access
· Slow read/writes from an application
· Server unresponsive/hangs
· Slow SQL Server performance
· IIS Hangs
· Inability to connect remotely via RDP

Further investigation may reveal that any number of processes are running high CPU or memory, or all combined are depleting the system of resources. It may not be evident what is causing the issue; just that many processes combined are most likely involved.

This can occur if McAfee Access Protection and Buffer Overflow Protection are installed. There is a known issue where severe performance degradation may occur during the scanning or monitoring of the following processes:

iexplore.exe
msimn.exe
svchost.exe
explorer.exe
mapisp32.exe
ftp.exe
services.exe
frameworkservice.exe
lsass.exe
inetinfo.exe
outlook.exe
wmplayer.exe
mplayer2.exe
rpcss.exe
msmsgs.exe
winword.exe
excel.exe
mstask.exe
powerpnt.exe
msaccess.exe
visio32.exe
wuauclt.exe
sqlservr.exe
dllhost.exe
VSEBOTest.exe
w3wp.exe
EventParser.exe
NaiMServ.exe
SrvMon.exe
naPrdMgr.exe

Disabling the services does not actually remove the drivers, so you may see the issue even if you turn off the suspect functionality. The two drivers involved are:

a. MFEAPFK.SYS McAfee, Inc. Access Protection Filter Driver

b. MFEBOPK.SYS McAfee, Inc. Buffer Overflow Protection Driver

Due to the overhead placed on some applications by McAfee Access Protection and Buffer Overflow Protection, McAfee recommends disabling and removing these to resolve performance issues. This hotfix will remove the filter drivers and disable the associated services.

For more info, please see the following articles on McAfee’s web site:

List of Processes Protected by Buffer Overflow Protection

https://kc.mcafee.com/corporate/index?page=content&id=KB58007

Access Protection and Buffer Overflow Protection drivers remain loaded when disabled

https://kc.mcafee.com/corporate/index?page=content&id=KB65820

VirusScan Enterprise and Buffer Overflow Protection (Master Article)

https://kc.mcafee.com/corporate/index?page=content&id=KB67733

RSS feed.

Back

Contact

Rohit.B.Rana

rohit.b.rana@gmail.com

Blog

register and unrigister dll

25/08/2011 12:06

Back in my developer days when I was building DLLs and OCXs, I was constantly registering and unregistering DLLs using the command line (find me a dev who isn't a command line junkie - I still have two prompts open as I type this). As time's gone on, I submitted to using Windows Explorer more and...

VMMap - A Peek Inside Virtual Memory

16/04/2010 18:13

Today I would like to do a quick walkthrough of the VMMap tool from Windows Sysinternals. This tool gives us a neat summary of a process’ virtual and physical memory usage. It shows a graphical summary as well as a detailed report of a given process’ memory usage pattern. VMMap breaks down the...

Disabled performance counters and Exctrlst.exe

16/04/2010 18:06

a brief discussion of a very useful tool. You may have had the need to run a Performance Monitor log at one time or another, but noticed that a needed counter was missing from the list. This can occur if the counter has been disabled intentionally, or if the counter has been disabled by the...

Troubleshooting Event ID 333 Errors

16/04/2010 17:54

As system memory increases, and applications and roles of the server become more important, access to the disk becomes more competitive between applications and the operating system. As a result, you can start to see the Event ID 333 logged, and you are likely seeing other performance issues...

Memory Management - Demystifying /3GB

16/04/2010 17:49

As promised - here's the long awaited post on the infamous /3GB switch. At least once a week we have this discussion with a Systems Administrator somewhere who has this set in the boot.ini file on all of the servers but doesn't know why. Maybe someone added it to the...

Memory Management 101

16/04/2010 17:46

Memory Management issues make up a considerable portion of the support incidents that we handle. At some point during the support incident we invariably engage in a discussion of Memory Management, Memory Tuning, the use of the infamous...

Memory Management - Understanding Pool Resources

16/04/2010 17:33

First of all - what are Pool Resources? When a machine boots up, the Memory Manager creates two dynamically sized memory pools that kernel-mode components use to allocate system memory. These two pools are known as the Paged Pool and NonPaged Pool. Each of these pools start at an...

One or multiple servers may become unresponsive or start failing in any of their installed roles

14/04/2010 20:29

Our new blog has been launched today. Hi all. Today I would like to bring to your attention an issue we have been seeing lately that very well may effect those of you in a corporate environment. McAfee has recently released information about this issue on their web site. The...