High Impact Issue: Servers may become unresponsive due to multiple issues


Hi all. Today I would like to bring to your attention an issue we have been seeing lately that may very well affect those of you in a corporate environment. McAfee has recently released information about this issue on their web site.

The issue is that one or multiple servers may become unresponsive or start failing in any of their installed roles. Some of the possible symptoms are:

 

  • Slow file access
  • Slow reads/writes from an application
  • Server unresponsive/hangs
  • Slow SQL Server performance
  • IIS hangs
  • Inability to connect remotely via RDP

 

Further investigation may reveal that any number of processes are consuming high CPU or memory, or that all of them combined are depleting the system of resources. It may not be evident what is causing the issue, only that many processes combined are most likely involved.

This can occur if McAfee Access Protection and Buffer Overflow Protection are installed. There is a known issue where severe performance degradation may occur during the scanning or monitoring of the following processes:

iexplore.exe
msimn.exe
svchost.exe 
explorer.exe 
mapisp32.exe 
ftp.exe
services.exe 
frameworkservice.exe 
lsass.exe 
inetinfo.exe 
outlook.exe 
wmplayer.exe 
mplayer2.exe 
rpcss.exe 
msmsgs.exe 
winword.exe 
excel.exe 
mstask.exe 
powerpnt.exe 
msaccess.exe 
visio32.exe 
wuauclt.exe 
sqlservr.exe 
dllhost.exe 
VSEBOTest.exe 
w3wp.exe 
EventParser.exe 
NaiMServ.exe 
SrvMon.exe
naPrdMgr.exe

Disabling the services does not actually remove the drivers, so you may see the issue even if you turn off the suspect functionality. The two drivers involved are:

a. MFEAPFK.SYS McAfee, Inc. Access Protection Filter Driver

b. MFEBOPK.SYS McAfee, Inc. Buffer Overflow Protection Driver
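
One way to confirm whether the two drivers are still loaded on a server after the features have been disabled, as an added example that is not part of the original post or of McAfee's guidance. It assumes PowerShell 3.0 or later (for `Get-CimInstance`); the function name `Get-FilterDriverState` and its output fields are hypothetical.

```powershell
# Driver file names come from the article; the function name and output
# fields are hypothetical, chosen for this example.
$FilterDriverFiles = 'MFEAPFK.SYS', 'MFEBOPK.SYS'

function Get-FilterDriverState {
    param(
        [string[]]$FileName = $FilterDriverFiles,
        [string]$ComputerName   # optional; omit to query the local server
    )

    # Win32_SystemDriver lists kernel-mode drivers registered with the
    # Service Control Manager, including their current state.
    $query = @{ ClassName = 'Win32_SystemDriver' }
    if ($ComputerName) { $query.ComputerName = $ComputerName }
    $drivers = @(Get-CimInstance @query)

    foreach ($file in $FileName) {
        # Match on the binary's file name rather than guessing the service name.
        $hit = $drivers |
            Where-Object { $_.PathName -like "*\$file" } |
            Select-Object -First 1

        [pscustomobject]@{
            Driver     = $file
            Registered = [bool]$hit
            State      = if ($hit) { $hit.State } else { 'NotInstalled' }
            StartMode  = if ($hit) { $hit.StartMode } else { $null }
            # Running means the driver is still loaded in the kernel,
            # whatever the feature's setting in the product console says.
            Loaded     = [bool]($hit -and $hit.State -eq 'Running')
        }
    }
}

Get-FilterDriverState | Format-Table -AutoSize
```

A row with `Loaded` set to `True` on a server where both features are switched off is the condition described above: the feature is disabled but its driver has not been removed.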

Due to the overhead placed on some applications by McAfee Access Protection and Buffer Overflow Protection, McAfee recommends disabling and removing these to resolve performance issues. This hotfix will remove the filter drivers and disable the associated services.

For more info, please see the following articles on McAfee’s web site:

List of Processes Protected by Buffer Overflow Protection

https://kc.mcafee.com/corporate/index?page=content&id=KB58007

Access Protection and Buffer Overflow Protection drivers remain loaded when disabled

https://kc.mcafee.com/corporate/index?page=content&id=KB65820

VirusScan Enterprise and Buffer Overflow Protection (Master Article)

https://kc.mcafee.com/corporate/index?page=content&id=KB67733

 

Tim Newton with special contribution by John Dickson

  • Sorry Tim, I don't think anybody else noticed that this was an April Fool's joke.  You might want to put that at the bottom of the article next time ;-)

  • Hi,

    It would be helpful to determine how we found that this was an issue (debugging tools, procexp, etc.). This way, if there are other av/other programs, we'd be able to isolate and fix.

    Thanks for the info!

    G.