Fix: McAfee ePo Error “Server Policy Invalid”


The following entries were found in the C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_servername.log file on my Windows 2003 server:

20090709133245 I #1972 InetMgr Adding site ePO_mysite to failover list.
20090709133245 I #1972 InetMgr After calling UploadFileResponse()
20090709133245 i #1972 Agent Package uploaded to ePO Server successfully
20090709133245 i #1972 Agent Agent communication session closed
20090709133245 i #1972 Agent Agent received POLICY package from ePO server
20090709133245 I #1972 Agent Started processing a package..
20090709133245 I #1972 Agent Processing PropsResponse package
20090709133245 I #1972 Agent Looking for new sitelist from server
20090709133245 i #1972 Agent New Site List file was received
20090709133245 I #1972 Agent Looking for new event filter from server
20090709133245 I #1972 Agent Looking for new policy from server
20090709133245 I #1972 IPLock writeLock – providing write lock
20090709133245 E #1972 Xml Error trace:
20090709133245 E #1972 MgRcSvX [Merge server.xml]->
20090709133245 E #1972 Xml [useExistingFile,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Server.xml]->
20090709133245 E #1972 Xml [ReadBufferFromFileNoExp,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Server.xml]->
20090709133245 E #1972 Xml Couldn’t convert to Unicode
20090709133245 I #1972 IPLock writeUnLock – unlocking the write lock successful
20090709133245 e #1972 Agent New server policy was NOT successfully merged
20090709133245 i #1972 Agent Enforcing newly downloaded policies
20090709133245 I #1972 Agent Agent Enforce Policy Interface called
20090709133245 i #1988 Agent Agent Started Enforcing policies
20090709133245 I #1988 Agent Thread signal occurred
20090709133245 I #1988 Manage Enforcing policies
20090709133245 i #1972 Agent Agent will connect to the ePO Server in 60 minutes and 0 seconds.
20090709133245 I #1988 IPLock writeLock – providing write lock
20090709133245 i #1988 Manage Compiling policies
20090709133245 I #1988 Manage CPolicyFile::InitializePolicyFiles() – Server policy invalid
20090709133245 I #1988 Manage Compiling Policies FAILED, result=-3
20090709133245 I #1988 IPLock writeUnLock – unlocking the write lock successful
20090709133245 I #1988 Agent Agent policy enforcement failed, result=-3
20090709133245 i #1988 Agent Agent finished Enforcing policies
20090709133245 i #1988 Agent Next policy enforcement in 5 minutes
20090709133300 i #1988 Agent Agent Started Enforcing policies
20090709133300 I #1988 Agent Thread signal occurred
20090709133300 I #1988 Manage Enforcing policies
20090709133300 I #1988 IPLock writeLock – providing write lock
20090709133300 i #1988 Manage Compiling policies
20090709133300 I #1988 Manage CPolicyFile::InitializePolicyFiles() – Server policy invalid
20090709133300 I #1988 Manage Compiling Policies FAILED, result=-3

The Solution

1. Stop the McAfee Framework Service

2. In the C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework directory delete the following two files:

server.xml
compiled.xml

3. Restart the McAfee Framework Service

4. Perform Agent wakeup per KB52707 by executing

"C:\Program Files\Common Framework\cmdagent.exe" /C

This command checks for new policies/tasks.

See McAfee KB60422 for additional details.
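The failure signature in the log excerpt above can be checked for automatically across collected agent logs. The Python below is an added example, not part of the original post or any McAfee tooling. The function name summarize, the result keys, and the rule that "Server policy invalid" together with "Compiling Policies FAILED" marks this condition are assumptions made for illustration.

```python
import re
from collections import Counter

# Layout seen in the excerpt: timestamp, severity letter, #thread, component, message.
LINE_RE = re.compile(r"^(\d{14}) ([A-Za-z]) #(\d+) (\S+) (.*)$")
# File named in an Xml error-trace frame such as [ReadBufferFromFileNoExp,<path>]->
TRACE_FILE_RE = re.compile(r"\[\w+,(.+?)\]->")
# Failure strings taken verbatim from the excerpt on this page.
SIGNATURES = {
    "merge_failed": "New server policy was NOT successfully merged",
    "policy_invalid": "Server policy invalid",
    "compile_failed": "Compiling Policies FAILED",
    "enforce_failed": "Agent policy enforcement failed",
}

# Sample input: six lines copied from the excerpt (dash normalised to ASCII).
SAMPLE = r"""
20090709133245 E #1972 Xml [ReadBufferFromFileNoExp,C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Server.xml]->
20090709133245 e #1972 Agent New server policy was NOT successfully merged
20090709133245 I #1988 Manage CPolicyFile::InitializePolicyFiles() - Server policy invalid
20090709133245 I #1988 Manage Compiling Policies FAILED, result=-3
20090709133245 I #1988 Agent Agent policy enforcement failed, result=-3
20090709133300 I #1988 Manage Compiling Policies FAILED, result=-3
""".splitlines()


def summarize(lines):
    """Count failure signatures, note their severity, and collect trace file paths."""
    counts, files, info_level_hits = Counter(), set(), 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        _ts, sev, _thread, _comp, msg = m.groups()
        for name, needle in SIGNATURES.items():
            if needle in msg:
                counts[name] += 1
                info_level_hits += int(sev.upper() == "I")
        if sev.upper() == "E":
            files.update(TRACE_FILE_RE.findall(msg))
    return {
        "counts": dict(counts),
        "trace_files": sorted(files),
        "info_level_hits": info_level_hits,
        # Assumption: both strings together mark the condition this post fixes.
        "matches_post": counts["policy_invalid"] > 0 and counts["compile_failed"] > 0,
    }
```

In the excerpt the compile and enforcement failures are logged at severity I, so a filter that only collects E lines would miss them; matching on the message text catches both.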

Fix: Windows 2008 server is displayed as Windows Vista in McAfee EPO agent console


One of my newly deployed Windows 2008 servers was being identified in the McAfee EPO 4.0 admin console as a Windows Vista machine. This was curious to me, since I had created this Windows 2008 server from the same media as its predecessors, and had installed all the same versions of software onto it, such as the Common Management Agent 3.6 patch 3, aka FramePkg.exe.

The instructions I received from McAfee Technical support said to copy the sitelist.xml file from the EPO server’s \Program Files\McAfee\ePolicy Orchestrator\DB directory, and paste it into the C:\Documents and Settings\All Users\Application data\McAfee\Common Framework directory on the Windows 2008 server.

First of all, in Windows 2008 C:\Documents and Settings is hidden by default, so in Windows Explorer I had to select Organize – Folder and Search Options – View – Show hidden files and folders in order to even see C:\Documents and Settings.

When I clicked on the C:\Documents and Settings directory, I immediately received the following error, despite being logged in with my domain admin credentials:

C:\Documents and Settings is not accessible. Access is denied.

I noticed the local administrators group, which domain admins is a member of, did not have explicit permissions assigned to the directory, so I attempted to assign them, but was once again denied access. I checked ownership, and saw SYSTEM was the owner, so I tried to take ownership of the directory, but was denied. Only after logging in as the local administrator was I able to take ownership, and assign myself rights to the file system.

After much googling I was able to determine the cause of this problem. In Windows Server 2008 (and Windows Vista) the familiar old XP file/directory structure has been replaced. C:\Documents and Settings no longer physically exists, but has been replaced by junction points which are used for backwards compatibility with legacy applications.

These junction points are like shortcuts to the actual data locations, and are not meant to be navigated by the system administrator. The ACLs are set to “Everyone Deny Read”. Applications must have permissions in order to call out and traverse a specific path.

To make a long story short, instead of placing the sitelist.xml file in the C:\Documents and Settings\All Users\Application data\McAfee\Common Framework directory on the Windows 2008 server, I had to put it in the C:\ProgramData\McAfee\Common Framework directory instead.

I then restarted the McAfee Framework service on the Windows 2008 server. I waited about an hour (not sure if this is necessary, but I was busy), then verified the correct operating system was properly detected on the EPO admin console.

I asked McAfee how to get our custom sitelist.xml file into the new FramePkg.exe file for deployment, and he said that shouldn’t be necessary. If we experience another case like this where the client OS is misidentified for some reason, they will work with us to determine the cause of the problem, rather than have us apply the band-aid fix after the fact.

Reinstalling the McAfee Common Management Agent Framework (framepkg.exe) without a reboot


Normally reinstalling the McAfee Common Management Agent (CMA) requires a reboot in order for the server to be properly displayed in the EPO management interface.  Here’s how to perform the reinstall, minus the reboot requirement. 

1.  Connect to the Windows server console by logging directly onto the server, or by connecting via RDP by running mstsc.exe /console
 
2.  Open the VirusShield Console.  
 
3.  Double click Access Protection.  Uncheck:
  • Prevent McAfee Services from being stopped
  • Enable Access Protection.  
Click OK.
 
4.  Launch a command prompt with administrative credentials
 
5.  Change to the installation directory by typing

cd C:\Program Files\McAfee\Common Files 

6.  Perform the uninstall by typing
 
FrmInst.exe /Remove=agent
 
7.  Launch Regedit
 
8.  Delete the following registry keys
 
HKEY_Local_Machine\Software\Network Associates\ePolicy Orchestrator
 
HKEY_Local_Machine\Software\Network Associates\TVD\Shared Components\Framework
 
9. Run FramePkg.exe to reinstall the CMA and Framework Service
 
For additional information, see McAfee KB57061

Howto Fix: McAfee VirusScan 8.5i McAfee Common Framework returned error fffff95b


You are likely receiving the McAfee Common Framework returned error fffff95b message because the FrameworkManifest.xml file has become corrupt. To resolve this error, you need to copy the FrameworkManifest.xml from a working computer. If you do not have access to a working computer, you need to uninstall, reboot, and reinstall the McAfee VirusScan 8.5i software.

Additional symptoms of the fffff95b error:

  • DAT files will not auto-update
  • The McAfee Framework service will not stay running

How to copy the FrameworkManifest.xml file from a working computer

Perform the following from the problematic computer:

  1. Click Start > Programs > McAfee > VirusScan Console.
  2. Right-click Access Protection, then select Properties.
  3. Select Common Standard Protection.
  4. Select Prevent modification of McAfee files and settings and disable this option.
  5. Click OK.
  6. Rename the C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\FrameworkManifest.xml file to FrameworkManifest.xml.bad
  7. Copy the C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\FrameworkManifest.xml file from a working computer into the same directory on the problematic computer.
  8. Click Start > Programs > McAfee > VirusScan Console.
  9. Right-click Access Protection, then select Properties.
  10. Select Common Standard Protection.
  11. Select Prevent modification of McAfee files and settings and enable this option.
  12. Click OK.
  13. Click Start > Run and type Services.msc
  14. Right click the McAfee Framework Service and select Start
  15. Click Start > Programs > McAfee > VirusScan Console.
  16. Right click AutoUpdate and select Start.
  17. Wait a few minutes for the update to occur.
  18. Select Help > About VirusScan Enterprise and verify the DAT Created On Date has been updated.

For more information see McAfee KB54520

Fix: Cannot Telnet from computer running McAfee VirusScan due to port blocking rules


I’ve been trying to troubleshoot an email server problem all day, and one of the tests I’ve been performing is trying to connect to port 25 of the mail server through Telnet.  Every time I tried I got connection refused messages, and the connection would drop.

My work computer is running McAfee VirusScan Enterprise 8.5.0i and Windows XP SP2.  I verified the Windows XP firewall was disabled and not blocking my connection.
 
Next I looked at the McAfee VirusScan log file by clicking Start -> Programs -> McAfee -> VirusScan Console.  From the menu I selected Task -> View Log
 
I quickly noticed the following message:
 
Blocked by port blocking rule C:\WINDOWS\system32\telnet.exe Anti-virus Standard Protection:Prevent mass mailing worms from sending mail 192.168.1.83
 
Obviously McAfee was blocking my attempt to Telnet.  In order to unblock Telnet I did the following:
 
  1. Started McAfee VirusScan Console
  2. Double clicked Access Protection
  3. Highlighted the Anti-Virus Standard Protection category from the left column
  4. Highlighted the Prevent mass mailing worms from sending mail rule in the right column
  5. Pressed Edit
  6. Under Processes to Exclude, I put my cursor at the end of the list of processes, which was winpm-32.exe in my case.  I typed a comma following winpm-32.exe, and then added a space and telnet.exe to the list
  7. I pressed OK twice, exited VirusScan Console, and was able to Telnet to my mail server.
 
For more information, see McAfee KB42354
 

McAfee consumer products uninstaller tool


McAfee has an uninstaller tool, MCPR.exe, that it recommends running after removing one of their Windows products through Add/Remove programs.  This tool runs on Windows 2000, XP, and Vista.  See document 107083 for details.

Affected Suites:

Total Protection
Internet Security Suite
PC Protection Plus
VirusScan Plus
Wireless Protection

Affected Products:

AntiSpyware
Data Backup
Personal Firewall
Privacy Service
QuickClean
SecurityCenter
SiteAdvisor
Anti-Spam
SpamKiller
VirusScan
Wireless Protection

Running the McAfee Consumer Product Removal tool (MCPR.exe) removes all 2005, 2006, 2007, and 2008 versions of McAfee consumer products.