Andrzej's "IT Thoughts" Weblog

Loose thoughts about IT management&operations

Blogs

MOM 2005 and McAfee 8.0i VirusScan

  • Comments 3
  • Likes

MOM 2005 agent runs it’s scripts in an out-of-service (MOMService.exe) process called MOMHost.exe. When you are running McAfee 8.0i AV agent, there appears to be a problem. The ScriptProxy.dll component of the McAfee agent causes a slow memory hog in the MOMHost.exe process responsible for running MOM Scripts. By default MOM does not allow more then 100MB for this process to take up on a computer (editable in registry). The effect is that every 2-4 days your process will restart (depending on number of scripts/MPs in place). This in turn leads to such errors:

Severity: Error

Maintenance Mode: False

Domain: DOMAINNAME

Computer: SERVERNAME

Time Last Modified: 2006-06-22 20:41:09

Resolution State: New

Time in State: 2006-06-22 18:41:09

Problem State: 0

Repeat Count: 0

Name: The rule response failed to execute

Source: Microsoft Operations Manager

Description: The response processor failed to execute a response. The response returned the error message: The remote procedure call failed.

This is because restarting that process kills all scripts without any notice. This could be improved to let the scripts finish (allowing for some timeout) before killing the process. Failing scripts can result in many things:

  • Your reports do not show consistent information (e.g. Exchange MP send mail script fails – reporting a lack in Exchange Availability)
  • You get alerts that are reporting some service availability problem, but are in fact due to the failure of script run (e.g. for the above example receiving Exchange servers would report “Error: Mail flow message not received”)

There was a time, when McAfee claimed that it fixed problems with Patch 11, but it came out not to be true. See article KB47302 on http://knowledgemap.nai.com/: Installing the current VirusScan Patch 11 does not resolve this issue.

The solution is to unregister the ScriptProxy.DLL or install a Patch from McAfee AND disable the script scanning component in EPO.

It took me some time to figure out all this, so maybe this post will speed up things for some of you. Our KB articles were updated not long ago to reflect this, but are not always 100% clear (See: http://support.microsoft.com/kb/891605/en-us, http://support.microsoft.com/kb/890736/en-us).

Comments
  • MOM 2005 agent runs it’s scripts in an out-of-service (MOMService.exe) process called MOMHost.exe....

  • Mon collègue polonais Andrzej LIPKA a publié un article sur l’incompatibilité de MOM avec l’outil d’analyse...

  • It's also possible to install patch 14 and exclude the momhost process:

    3. ISSUE:

    The ScriptScan feature loaded into the memory space of any process that launched a script (VBScript or JScript).

    RESOLUTION:

    Processes can now be excluded from having ScriptScan provide protection to that process.

    The process name, without extension, can be added to the registry string "ExcludedProcesses," located at:

    HKLM\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\ScriptScan

    Additional process names can be added, separated by a "," comma.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment