FramePkg

McAfee MOVE MultiPlatform 4.x failed to delete infected file

15/5/2018

McAfee ePO 5.3.x, 5.9.x
McAfee MOVE MultiPlatform 4.5.1, 4.61

Issue:

Infected files are not deleted by McAfee MOVE.

error:

​U.1428.2852: May 15 2018:11:09:24.531:   ERROR: svc_socket.c: 2028: IP: Failed to send SMART FILE response ( \Device\HarddiskVolume3\McAfee\ePO\591\EPO591L.zip ) (  ) err ( 10053 )

U.1428.2652: May 15 2018:11:10:09.531:   ERROR: svc_socket.c:  274: socket send failed(err: WSAECONNABORTED = 10053), Client has closed the connection (may be due to Timeout).

U.1428.2652: May 15 2018:11:10:09.531:   ERROR: avs_server.c: 1130: write_scan_resp_based_on_protocol failed: 10053

U.1428.2652: May 15 2018:11:10:09.531:   ERROR: avs_server.c: 1406: avs_write_scan_response failed. err: 10053

U.1428.2652: May 15 2018:11:10:09.531:   ERROR: svc_socket.c: 2028: IP: Failed to send SMART FILE response ( \Device\HarddiskVolume3\McAfee\ePO\591\EPO591L.zip ) (  ) err ( 10053 )

U.1428.2612: May 15 2018:11:10:31.844:   ERROR: avs_server.c:  915: [SCAN FLOW] Failed to calculate cksum of file: [\\?\X:\McAfee\MOVE AV Server\scanfiles\2284\shay - Copy.txt], err: [13], err_text: [Permission denied]. 

U.1428.2612: May 15 2018:11:10:31.844:   ERROR: svc_socket.c: 1802: IP: Failed to get file: \Device\HarddiskVolume2\Users\shay.a\Desktop\shay - Copy.txt, err: -1

U.1428.3980: May 15 2018:11:10:44.906:   ERROR: avs_server.c:  915: [SCAN FLOW] Failed to calculate cksum of file: [\\?\X:\McAfee\MOVE AV Server\scanfiles\2468\shay - Copy - Copy.txt], err: [13], err_text: [Permission denied]. 

U.1428.3980: May 15 2018:11:10:44.906:   ERROR: svc_socket.c: 1802: IP: Failed to get file: \Device\HarddiskVolume2\Users\shay.a\Desktop\shay - Copy - Copy.txt, err: -1

U.1428.1240: May 15 2018:11:10:48.406:   ERROR: avs_server.c:  915: [SCAN FLOW] Failed to calculate cksum of file: [\\?\X:\McAfee\MOVE AV Server\scanfiles\2548\$RG4Y2O9.txt], err: [13], err_text: [Permission denied]. 

U.1428.1240: May 15 2018:11:10:48.406:   ERROR: svc_socket.c: 1802: IP: Failed to get file: \Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-854873570-2405677725-3658187990-1382\$RG4Y2O9.txt, err: -1

U.1428.1132: May 15 2018:11:10:54.532:   ERROR: svc_socket.c:  274: socket send failed(err: WSAECONNABORTED = 10053), Client has closed the connection (may be due to Timeout).

U.1428.1132: May 15 2018:11:10:54.532:   ERROR: avs_server.c: 1130: write_scan_resp_based_on_protocol failed: 10053

U.1428.1132: May 15 2018:11:10:54.532:   ERROR: avs_server.c: 1406: avs_write_scan_response failed. err: 10053

U.1428.1132: May 15 2018:11:10:54.532:   ERROR: svc_socket.c: 2028: IP: Failed to send SMART FILE response ( \Device\HarddiskVolume3\McAfee\ePO\591\EPO591L.zip ) (  ) err ( 10053 )
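
To triage a longer SVM log for the two error signatures in the excerpt above, this added example (not from the original post or from McAfee) counts the aborted sends (10053) and pairs each "Permission denied" staged copy with the client file it was taken from. It assumes the last number in the U.1428.NNNN prefix identifies the worker that logged the line; the sample lines are copied from the excerpt above.

```python
import re

# Sample input: five lines copied from the log excerpt on this page.
SAMPLE_LOG = r"""
U.1428.2652: May 15 2018:11:10:09.531:   ERROR: svc_socket.c:  274: socket send failed(err: WSAECONNABORTED = 10053), Client has closed the connection (may be due to Timeout).
U.1428.2612: May 15 2018:11:10:31.844:   ERROR: avs_server.c:  915: [SCAN FLOW] Failed to calculate cksum of file: [\\?\X:\McAfee\MOVE AV Server\scanfiles\2284\shay - Copy.txt], err: [13], err_text: [Permission denied].
U.1428.2612: May 15 2018:11:10:31.844:   ERROR: svc_socket.c: 1802: IP: Failed to get file: \Device\HarddiskVolume2\Users\shay.a\Desktop\shay - Copy.txt, err: -1
U.1428.1240: May 15 2018:11:10:48.406:   ERROR: avs_server.c:  915: [SCAN FLOW] Failed to calculate cksum of file: [\\?\X:\McAfee\MOVE AV Server\scanfiles\2548\$RG4Y2O9.txt], err: [13], err_text: [Permission denied].
U.1428.1240: May 15 2018:11:10:48.406:   ERROR: svc_socket.c: 1802: IP: Failed to get file: \Device\HarddiskVolume2\$Recycle.Bin\S-1-5-21-854873570-2405677725-3658187990-1382\$RG4Y2O9.txt, err: -1
"""

# Prefix layout as seen in the excerpt; \W* tolerates stray invisible characters.
LINE = re.compile(r"^\W*U\.\d+\.(?P<tid>\d+): (?P<ts>\w+ \d+ \d+:\d+:\d+:\d+\.\d+):\s+"
                  r"ERROR: (?P<src>[\w.]+):\s*(?P<ln>\d+): (?P<msg>.*)$")
CKSUM = re.compile(r"Failed to calculate cksum of file: \[(?P<path>.+?)\], err: \[13\]")
GETFILE = re.compile(r"Failed to get file: (?P<path>.+), err: -1")
ABORT = "WSAECONNABORTED = 10053"

def triage(log_text):
    """Return (denied, aborted): err-13 staged/client path pairs and the 10053 count."""
    pending = {}              # worker id -> (timestamp, staged path) awaiting its client path
    denied, aborted = [], 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue          # not an ERROR line in the expected layout
        tid, ts, msg = m["tid"], m["ts"], m["msg"]
        if ABORT in msg:
            aborted += 1
        elif (c := CKSUM.search(msg)):
            pending[tid] = (ts, c["path"])
        elif (g := GETFILE.search(msg)) and tid in pending:
            ts0, staged = pending.pop(tid)
            denied.append({"time": ts0, "staged": staged, "client": g["path"]})
    # Staged copies whose client path never appeared are still reported.
    denied += [{"time": t, "staged": s, "client": None} for t, s in pending.values()]
    return denied, aborted

def staging_blocked(denied):
    """True when every err-13 path is a staged copy in the SVM's scanfiles directory."""
    return bool(denied) and all("\\scanfiles\\" in d["staged"].lower() for d in denied)

if __name__ == "__main__":
    denied, aborted = triage(SAMPLE_LOG)
    for d in denied:
        print(f'{d["time"]}  {d["client"]}  (staged: {d["staged"]})')
    print(f"aborted sends: {aborted}; staging blocked: {staging_blocked(denied)}")
```
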
​
Solutions:

Exclude the process "mvserver.exe" from VirusScan scanning on the Scan Server (SVM):

1 Log on to McAfee ePO as an administrator.
2 Select Menu | Policy | Policy Catalog, select VirusScan Enterprise 8.8 from the Product drop-down list, then select On-Access Low-Risk Processes Policies from the Category drop-down list.
3 Duplicate the On-Access Low-Risk Processes Policies policy.
4 Open the duplicate On-Access Low-Risk Processes Policies policy and configure these options.
  • Settings for — Select Server.
  • From the Low-Risk Processes tab, add mvserver.exe to the Low-Risk Processes list.
  • From the Scan Items tab, next to Scan files, disable When writing to disk and When reading from disk.
5 Click Save and assign the policy to the SVMs.
6 Select Menu | Policy | Policy Catalog, select VirusScan Enterprise 8.8 from the Product drop-down list, then select On-Access Default Processes Policies from the Category drop-down list. 
7 Duplicate the On-Access Default Processes Policies policy.
8 Open the duplicate On-Access Default Processes Policies policy and configure these options.
  • Settings for — Select Server.
  • From the Low-Risk Processes tab, next to Process Settings, select Configure different scanning policies for high-risk, low-risk, and default processes.
9 Click Save and assign the policy to the SVMs.


McAfee Agent 5 tray icon disappears while Netop is installed

14/7/2016

Problem:

McAfee icon missing

On a system with Netop installed, installing or upgrading to McAfee Agent 5.x causes the McAfee tray icon to disappear.

Solution:

1. You may try to reset only the Vision LSP:

If you are using Windows 7 on 64 bit:

In the folder C:\Program Files (x86)\Common Files\Netop on student PCs there are two files called InstallLSP32.exe and InstallLSP64.exe, which can be run in a command prompt. They can uninstall an LSP based on either the catalog ID (which is different on each machine) or the GUID, which is the same for machines with the same version of Vision.

So the command for removing the Vision LSP is (this should be run as Administrator):

InstallLSP32.exe -r {27BA0290-3F20-4838-81AA-C41A0A76D7FC}
Then
InstallLSP64.exe -r {27BA0290-3F20-4838-81AA-C41A0A76D7FC}

(note that you need to be located in the path C:\Program Files (x86)\Common Files\Netop in cmd)

The outcome is this:

c:\Program Files (x86)\Common Files\Netop>InstallLSP32.exe -r {27BA0290-3F20-4838-81AA-C41A0A76D7FC}

The following LSP entries will be removed:
LSP Hidden ID: 1011 Name Netop VisionLSP
LSP Layer ID: 1012 Name Netop VisionLSP over [MSAFD Tcpip [TCP/IP]]
LSP Layer ID: 1013 Name Netop VisionLSP over [MSAFD Tcpip [UDP/IP]]

c:\Program Files (x86)\Common Files\Netop>InstallLSP64.exe -r {27BA0290-3F20-4838-81AA-C41A0A76D7FC}

The following LSP entries will be removed:
LSP Hidden ID: 1014 Name Netop VisionLSP
LSP Layer ID: 1015 Name Netop VisionLSP over [MSAFD Tcpip [TCP/IP]]
LSP Layer ID: 1016 Name Netop VisionLSP over [MSAFD Tcpip [UDP/IP]]

c:\Program Files (x86)\Common Files\Netop>

After running the command, please restart the student machine.

If you are running Windows 7 on 32 bit, please only run this command as Administrator and after that restart the student machine:
InstallLSP32.exe -r {27BA0290-3F20-4838-81AA-C41A0A76D7FC}

2. You may try to reset all of the LSP components on the system by running the following command in a CMD window; both McAfee and Vision should function properly after this.

netsh winsock reset

And restart the computer.


Thanks to Or Amar for helping with the solution.

Replication to SuperAgent Distributed Repository fails

5/6/2016

Problem:

Replication to SuperAgent Distributed Repository fails - error code 5 (Access is Denied)
McAfee Agent 5.x

Solution 1:

-Deselect self protection on the SuperAgent from the ePO server in General policy
-Log in to the system that is the SuperAgent
-Open the repository folder; in the folder there is a file named sitestat.xml
-Stop all McAfee Agent services (McAfee Agent Service, McAfee Agent Common Services, McAfee Agent Backwards Compatibility)
-After you stop the services, you will see that the file "sitestat.xml" has disappeared (if not, delete it)
-Start the services

Now try to replicate the SuperAgent repository.

Solution 2:

When Accept connections only from the ePO server is selected in General policy, replication from the SuperAgent might fail in a clustered ePolicy Orchestrator environment.

-Deselect Accept connections only from the ePO server in General policy, then perform agent-to-server communication and replicate the SuperAgent.

​


Note:

I solved this issue with McAfee ePO 5.3.0, McAfee Agent 5.0.2.188.

McAfee Drive Encryption (MDE) - fatal error 0xEE020006 - Dell LATITUDE

26/5/2016

Problem:

When encrypting a Dell LATITUDE laptop, the computer boots with the error "fatal error [0xEE020006] getting disk info".

McAfee Drive Encryption (McAfee MDE) 7.x
McAfee Agent 4.8.x/5.x

Solution:

Change the BIOS setting SATA Operation from RAID to AHCI.

McAfee Drive Encryption - blank screen in preboot

24/1/2016

Problem:

McAfee Drive Encryption 7.1.x (MDE)
At preboot, a blank screen appears without the option to enter the user name/password.

Workaround:

Go to the BIOS Boot options, don't change anything, and continue to the preboot.

Solution:

In the BIOS configuration, disable the Fast Boot option.

Note:

The problem & solution were tested on HP Folio 9470m Elitebook.


McAfee MOVE Event ID: 34413, Scanner service error, unable to register with the hypervisor

2/5/2015

Error:
Event ID: 34413, Scanner service error, unable to register with the hypervisor

Problem:

When MOVE AV creates an ePO event for a new malware detection or scan timeout, the event is received in ePO, but the Threat Target Host Name field in ePO contains the Virtual Machine (VM) instead of the computer name.

Solution:

First, verify that the username/password for vCenter has the Administrator role.
From the ePO Server, open a browser and connect to the vCenter server using the IP Address on the port provided (HTTPS or HTTP).
Log on to the vCenter server using this web browser connection to test the username and password.
If this login works successfully, follow the steps to update the SVA policy in ePO to reapply the username and password in the ePO Server MOVE Agentless SVA ePO policy.

Second, launch the ePO console.
Click Menu, Policy, Policy Catalog.
From the Product drop-down list, select MOVE AV Agentless X.X.X.
From the Category drop-down list, select SVA.
Click New Policy or modify the existing SVA policy.
On Policy Settings page, select Authentication and complete the following:
Under Protocol, select https or http, depending on the protocol the server uses to receive client requests.
Under Hypervisor/vCenter Server, type the IP address of the vCenter server, or of the hypervisor that the SVA resides on.
Under User, type the user name to connect with the server, then select Set Password.
Under Password, type the password associated with the user. 
 
Save the SVA policy.
Re-open the SVA policy, type your password and press ENTER to test connection settings.

Now run an EICAR virus test to verify that the problem is resolved.

MOVE for experts - Install and deploy MOVE Agentless

26/3/2015

Must have:

vCenter
vShield
ePO

Let's get started:

Install the extension in ePO.

Deploy the SVA system (OVF file) in ESX.

Run the SVA server and follow the instructions (name, IP, domain, etc.).

If you succeed, you will see the SVA system in ePO.

FINISH!


