Home
%3CLINGO-SUB%20id%3D%22lingo-sub-374567%22%20slang%3D%22en-US%22%3EHigh%20Impact%20Issue%3A%20Servers%20may%20become%20unresponsive%20due%20to%20multiple%20issues%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-374567%22%20slang%3D%22en-US%22%3E%0A%20%26lt%3Bmeta%20http-equiv%3D%22Content-Type%22%20content%3D%22text%2Fhtml%3B%20charset%3DUTF-8%22%20%2F%26gt%3B%3CSTRONG%3E%20First%20published%20on%20TECHNET%20on%20Mar%2031%2C%202010%20%3C%2FSTRONG%3E%20%3CBR%20%2F%3E%3CP%3EHi%20all.%20Today%20I%20would%20like%20to%20bring%20to%20your%20attention%20an%20issue%20we%20have%20been%20seeing%20lately%20that%20very%20well%20may%20effect%20those%20of%20you%20in%20a%20corporate%20environment.%20McAfee%20has%20recently%20released%20information%20about%20this%20issue%20on%20their%20%3CA%20href%3D%22https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB65820%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20web%20site%20%3C%2FA%3E%20.%3C%2FP%3E%0A%20%20%3CP%3EThe%20issue%20is%20that%20one%20or%20multiple%20servers%20may%20become%20unresponsive%20or%20start%20failing%20in%20any%20of%20their%20installed%20roles.%20Some%20of%20the%20possible%20symptoms%20are%3A%3C%2FP%3E%0A%20%20%3CP%3E%3C%2FP%3E%0A%20%20%3CUL%3E%0A%20%20%20%3CLI%3E%C2%B7%20Slow%20file%20access%3C%2FLI%3E%0A%20%20%20%3CLI%3E%C2%B7%20Slow%20read%2Fwrites%20from%20an%20application%3C%2FLI%3E%0A%20%20%20%3CLI%3E%C2%B7%20Server%20unresponsive%2Fhangs%3C%2FLI%3E%0A%20%20%20%3CLI%3E%C2%B7%20Slow%20SQL%20Server%20performance%3C%2FLI%3E%0A%20%20%20%3CLI%3E%C2%B7%20IIS%20Hangs%3C%2FLI%3E%0A%20%20%20%3CLI%3E%C2%B7%20Inability%20to%20connect%20remotely%20via%20RDP%3C%2FLI%3E%0A%20%20%3C%2FUL%3E%0A%20%20%3CP%3E%3C%2FP%3E%0A%20%20%3CP%3EFurther%20investigation%20may%20reveal%20that%20any%20number%20of%20processes%20are%20running%20high%20CPU%20or%20memory%2C%20or%20all%20combined%20are%20depleting%20the%20system%20of%20resources.%20It%20may%20not%20be%20evident%20what%20is%20causing%20the%20issue%3B%20just%20that%20many%20processes%20combined%20are%20most%20likely%20involved.%3C%2FP%3E%0A%20%20%3CP%3EThis%20can%20occur%20if%20%3CB%3E%20McAfee%20Access%20Protection%20%3C%2FB%3E%20and%20%3CB%3E%20Buffer%20Overflow%20Protection%20%3C%2FB%3E%20are%20installed.%20There%20is%20a%20known%20issue%20where%20severe%20performance%20degradation%20may%20occur%20during%20the%20scanning%20or%20monitoring%20of%20the%20following%20processes%3A%3C%2FP%3E%0A%20%20%3CP%3Eiexplore.exe%20%3CBR%20%2F%3E%20msimn.exe%20%3CBR%20%2F%3E%20svchost.exe%20%3CBR%20%2F%3E%20explorer.exe%20%3CBR%20%2F%3E%20mapisp32.exe%20%3CBR%20%2F%3E%20ftp.exe%20%3CBR%20%2F%3E%20services.exe%20%3CBR%20%2F%3E%20frameworkservice.exe%20%3CBR%20%2F%3E%20lsass.exe%20%3CBR%20%2F%3E%20inetinfo.exe%20%3CBR%20%2F%3E%20outlook.exe%20%3CBR%20%2F%3E%20wmplayer.exe%20%3CBR%20%2F%3E%20mplayer2.exe%20%3CBR%20%2F%3E%20rpcss.exe%20%3CBR%20%2F%3E%20msmsgs.exe%20%3CBR%20%2F%3E%20winword.exe%20%3CBR%20%2F%3E%20excel.exe%20%3CBR%20%2F%3E%20mstask.exe%20%3CBR%20%2F%3E%20powerpnt.exe%20%3CBR%20%2F%3E%20msaccess.exe%20%3CBR%20%2F%3E%20visio32.exe%20%3CBR%20%2F%3E%20wuauclt.exe%20%3CBR%20%2F%3E%20sqlservr.exe%20%3CBR%20%2F%3E%20dllhost.exe%20%3CBR%20%2F%3E%20VSEBOTest.exe%20%3CBR%20%2F%3E%20w3wp.exe%20%3CBR%20%2F%3E%20EventParser.exe%20%3CBR%20%2F%3E%20NaiMServ.exe%20%3CBR%20%2F%3E%20SrvMon.exe%20%3CBR%20%2F%3E%20naPrdMgr.exe%3C%2FP%3E%0A%20%20%3CP%3EDisabling%20the%20services%20does%20not%20actually%20remove%20the%20drivers%2C%20so%20you%20may%20see%20the%20issue%20even%20if%20you%20turn%20off%20the%20suspect%20functionality.%20The%20two%20drivers%20involved%20are%3A%3C%2FP%3E%0A%20%20%3CP%3Ea.%20%3CB%3EMFEAPFK.SYS%20%3C%2FB%3E%20McAfee%2C%20Inc.%20Access%20Protection%20Filter%20Driver%3C%2FP%3E%0A%20%20%3CP%3Eb.%20%3CB%3EMFEBOPK.SYS%20%3C%2FB%3E%20McAfee%2C%20Inc.%20Buffer%20Overflow%20Protection%20Driver%3C%2FP%3E%0A%20%20%3CP%3EDue%20to%20the%20overhead%20placed%20on%20some%20applications%20by%20%3CB%3E%20McAfee%20Access%20Protection%20%3C%2FB%3E%20and%20%3CB%3E%20Buffer%20Overflow%20Protection%20%3C%2FB%3E%20%2C%20McAfee%20recommends%20disabling%20and%20removing%26nbsp%3B%20these%20to%20resolve%20performance%20issues.%20%3CA%20href%3D%22https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB65820%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3EThis%20hotfix%20%3C%2FA%3E%20will%20remove%20the%20filter%20drivers%20and%20disable%20the%20associated%20services.%3C%2FP%3E%0A%20%20%3CP%3EFor%20more%20info%2C%20please%20see%20the%20following%20articles%20on%20McAfee%E2%80%99s%20web%20site%3A%3C%2FP%3E%0A%20%20%3CP%3EList%20of%20Processes%20Protected%20by%20Buffer%20Overflow%20Protection%3C%2FP%3E%0A%20%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB58007%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB58007%20%3C%2FA%3E%3C%2FP%3E%0A%20%20%3CP%3EAccess%20Protection%20and%20Buffer%20Overflow%20Protection%20drivers%20remain%20loaded%20when%20disabled%3C%2FP%3E%0A%20%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB65820%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB65820%20%3C%2FA%3E%3C%2FP%3E%0A%20%20%3CP%3EVirusScan%20Enterprise%20and%20Buffer%20Overflow%20Protection%20(Master%20Article)%3C%2FP%3E%0A%20%20%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB67733%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%20https%3A%2F%2Fkc.mcafee.com%2Fcorporate%2Findex%3Fpage%3Dcontent%26amp%3Bid%3DKB67733%20%3C%2FA%3E%3C%2FP%3E%0A%20%20%3CP%3E%3C%2FP%3E%0A%20%20%3CP%3E%3CA%20href%3D%22http%3A%2F%2Fblogs.technet.com%2Faskperf%2Farchive%2F2007%2F05%2F04%2Ftim-newton-s-bio.aspx%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3ETim%20Newton%20%3C%2FA%3E%20with%20special%20contribution%20by%20John%20Dickson%3C%2FP%3E%0A%20%20%3CTABLE%3E%0A%20%20%20%3CTBODY%3E%3CTR%3E%0A%20%20%20%20%3CTD%3EShare%20this%20post%20%3A%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CA%20href%3D%22http%3A%2F%2Fsocial.microsoft.com%2Fen-us%2Faction%2Fcreate%2Fs%2FE%2F%3Furl%3Dhttp%3A%2F%2Fblogs.technet.com%2Faskperf%2Farchive%2F2010%2F03%2F30%2Fhigh-impact-issue-servers-may-become-unresponsive-due-to-multiple-issues.aspx%26amp%3Bttl%3DMcAfee%20Issue%22%20title%3D%22Post%20it%20to%20Social!%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CP%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FA%3E%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CA%20href%3D%22http%3A%2F%2Fsocial.msdn.microsoft.com%2Fen-us%2Faction%2Fcreate%2Fs%2FE%2F%3Furl%3Dhttp%3A%2F%2Fblogs.technet.com%2Faskperf%2Farchive%2F2010%2F03%2F30%2Fhigh-impact-issue-servers-may-become-unresponsive-due-to-multiple-issues.aspx%26amp%3Bttl%3DMcAfee%20Issue%22%20title%3D%22Post%20it%20to%20MSDN!%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CP%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FA%3E%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CA%20href%3D%22http%3A%2F%2Fsocial.technet.microsoft.com%2Fen-us%2Faction%2Fcreate%2Fs%2FE%2F%3Furl%3Dhttp%3A%2F%2Fblogs.technet.com%2Faskperf%2Farchive%2F2010%2F03%2F30%2Fhigh-impact-issue-servers-may-become-unresponsive-due-to-multiple-issues.aspx%26amp%3Bttl%3DMcAfee%20Issue%22%20title%3D%22Post%20it%20to%20Technet!%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CP%3E%3CBR%20%2F%3E%3C%2FP%3E%3C%2FA%3E%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F92537iB6B462C98DCAA87C%22%20%2F%3E%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F92538i57BEF5EEE1963B8C%22%20%2F%3E%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F92539i75A41BD4DBA78032%22%20%2F%3E%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F92540iA5F4C25F7472299C%22%20%2F%3E%3C%2FTD%3E%0A%20%20%20%20%3CTD%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F92541i5616DA432F10229A%22%20%2F%3E%3C%2FTD%3E%0A%20%20%20%3C%2FTR%3E%0A%20%20%3C%2FTBODY%3E%3C%2FTABLE%3E%0A%20%20%3CDIV%3E%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%20%3CBR%20%2F%3E%3C%2FDIV%3E%0A%20%0A%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-374567%22%20slang%3D%22en-US%22%3EFirst%20published%20on%20TECHNET%20on%20Mar%2031%2C%202010%20Hi%20all.%3C%2FLINGO-TEASER%3E
Microsoft
First published on TECHNET on Mar 31, 2010

Hi all. Today I would like to bring to your attention an issue we have been seeing lately that very well may effect those of you in a corporate environment. McAfee has recently released information about this issue on their web site .

The issue is that one or multiple servers may become unresponsive or start failing in any of their installed roles. Some of the possible symptoms are:

  • · Slow file access
  • · Slow read/writes from an application
  • · Server unresponsive/hangs
  • · Slow SQL Server performance
  • · IIS Hangs
  • · Inability to connect remotely via RDP

Further investigation may reveal that any number of processes are running high CPU or memory, or all combined are depleting the system of resources. It may not be evident what is causing the issue; just that many processes combined are most likely involved.

This can occur if McAfee Access Protection and Buffer Overflow Protection are installed. There is a known issue where severe performance degradation may occur during the scanning or monitoring of the following processes:

iexplore.exe
msimn.exe
svchost.exe
explorer.exe
mapisp32.exe
ftp.exe
services.exe
frameworkservice.exe
lsass.exe
inetinfo.exe
outlook.exe
wmplayer.exe
mplayer2.exe
rpcss.exe
msmsgs.exe
winword.exe
excel.exe
mstask.exe
powerpnt.exe
msaccess.exe
visio32.exe
wuauclt.exe
sqlservr.exe
dllhost.exe
VSEBOTest.exe
w3wp.exe
EventParser.exe
NaiMServ.exe
SrvMon.exe
naPrdMgr.exe

Disabling the services does not actually remove the drivers, so you may see the issue even if you turn off the suspect functionality. The two drivers involved are:

a. MFEAPFK.SYS McAfee, Inc. Access Protection Filter Driver

b. MFEBOPK.SYS McAfee, Inc. Buffer Overflow Protection Driver

Due to the overhead placed on some applications by McAfee Access Protection and Buffer Overflow Protection , McAfee recommends disabling and removing  these to resolve performance issues. This hotfix will remove the filter drivers and disable the associated services.

For more info, please see the following articles on McAfee’s web site:

List of Processes Protected by Buffer Overflow Protection

https://kc.mcafee.com/corporate/index?page=content&id=KB58007

Access Protection and Buffer Overflow Protection drivers remain loaded when disabled

https://kc.mcafee.com/corporate/index?page=content&id=KB65820

VirusScan Enterprise and Buffer Overflow Protection (Master Article)

https://kc.mcafee.com/corporate/index?page=content&id=KB67733

Tim Newton with special contribution by John Dickson

Share this post :






<br/>