Thoughts from the EPS Windows Server Performance Team
Hi all. Today I would like to bring to your attention an issue we have been seeing lately that may very well affect those of you in a corporate environment. McAfee has recently released information about this issue on their web site.
The issue is that one or multiple servers may become unresponsive or start failing in any of their installed roles. Some of the possible symptoms are:
Further investigation may reveal that any number of processes are using high CPU or memory, or that all of them combined are depleting the system of resources. It may not be evident what is causing the issue, only that many processes combined are most likely involved.
This can occur if McAfee Access Protection and Buffer Overflow Protection are installed. There is a known issue where severe performance degradation may occur during the scanning or monitoring of the following processes:
iexplore.exe msimn.exe svchost.exe explorer.exe mapisp32.exe ftp.exe services.exe frameworkservice.exe lsass.exe inetinfo.exe outlook.exe wmplayer.exe mplayer2.exe rpcss.exe msmsgs.exe winword.exe excel.exe mstask.exe powerpnt.exe msaccess.exe visio32.exe wuauclt.exe sqlservr.exe dllhost.exe VSEBOTest.exe w3wp.exe EventParser.exe NaiMServ.exe SrvMon.exe naPrdMgr.exe
Disabling the services does not actually remove the drivers, so you may see the issue even if you turn off the suspect functionality. The two drivers involved are:
a. MFEAPFK.SYS McAfee, Inc. Access Protection Filter Driver
b. MFEBOPK.SYS McAfee, Inc. Buffer Overflow Protection Driver
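One way to confirm on a given server that these two drivers are still loaded after the features were turned off. This is an added example, not part of the original post or of McAfee's guidance; it matches only on the driver file names given above and reads the standard Win32_SystemDriver CIM class.

```powershell
# Added example: report whether the two drivers named in this post are still
# registered or loaded, independent of the product's feature settings.
# The file names come from the post; the rest is standard Windows CIM data.
$targets = @('mfeapfk.sys', 'mfebopk.sys')

# Win32_SystemDriver lists every kernel driver service, running or stopped.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($file in $targets) {
    # PathName can be empty, or carry \SystemRoot\ or \??\ prefixes, so compare
    # only the last path component, case-insensitively.
    $hit = $drivers | Where-Object {
        $_.PathName -and (($_.PathName -split '[\\/]')[-1] -ieq $file)
    }
    if ($hit) {
        foreach ($d in $hit) {
            [pscustomobject]@{
                File      = $file
                Service   = $d.Name
                State     = $d.State      # Running = driver is loaded right now
                StartMode = $d.StartMode  # Boot/System/Auto = loads again at next boot
                Path      = $d.PathName
            }
        }
    } else {
        [pscustomobject]@{
            File = $file; Service = $null; State = 'Not installed'
            StartMode = $null; Path = $null
        }
    }
}

$report | Format-Table -AutoSize

# Summarize for use in a scheduled check or a remote sweep.
$loaded = @($report | Where-Object { $_.State -eq 'Running' })
if ($loaded.Count -gt 0) {
    Write-Warning ("Still loaded: " + ($loaded.File -join ', '))
} else {
    Write-Output 'Neither driver is currently loaded.'
}
```

A driver reported as Running here while the corresponding feature is switched off in the product console is the situation described above.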
Due to the overhead placed on some applications by McAfee Access Protection and Buffer Overflow Protection, McAfee recommends disabling and removing these to resolve performance issues. This hotfix will remove the filter drivers and disable the associated services.
For more info, please see the following articles on McAfee’s web site:
List of Processes Protected by Buffer Overflow Protection
Access Protection and Buffer Overflow Protection drivers remain loaded when disabled
VirusScan Enterprise and Buffer Overflow Protection (Master Article)
Tim Newton with special contribution by John Dickson
Sorry Tim, I don't think anybody else noticed that this was an April Fool's joke. You might want to put that at the bottom of the article next time ;-)
It would be helpful to determine how we found that this was an issue (debugging tools, procexp, etc.). This way, if there are other av/other programs, we'd be able to isolate and fix.
Thanks for the info!