McAfee updates and _BESClient_ActionManager_PendingRestartExclusions

(imported topic written by dgibson91)

We have been seeing an issue for a while now with McAfee DAT updates causing BigFix to show pending restart when one is not really needed.

McAfee sets C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\UpdateDir to be deleted on reboot every time definitions are updated. McAfee says this will be fixed with the new CMA agent, but we want to fix this problem in the meantime.

I found this BES KB article that says you can add a custom setting named “_BESClient_ActionManager_PendingRestartExclusions” that will tell the agent to ignore certain folders when checking if a reboot is required.

Depending on when McAfee was installed, the common framework folder is either under “Network Associates”, or the “McAfee” folder of the commonappdata folder. I set this setting to “C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\UpdateDir;C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\UpdateDir;” and the clients still seem to be reporting back as pending restart.

Am I doing something wrong? I have checked the pendingfilerenames registry key to confirm that this is the only thing that is requesting a reboot. Has anyone gotten this setting to work correctly? Do I need to include the entire path, or would something like “\UpdateDir;” work?

By the way, I am aware of the “Restart Needed - Triggered by a BES Action” and “Restart Needed - Not Triggered by a BES Action” fixlets, but the problem is if an action is sent to a client while it is in the restart needed state caused by McAfee, then it will always report that it was triggered by an action even though the action doesn’t actually need a reboot.

-Daryl

(imported comment written by BenKus)

Hi Daryl,

You are correct that we have a solution to ignore registry values using this mechanism, but unfortunately, McAfee also includes newline characters in the registry value (and the way they do it appears not to be allowed in a reg_multi_sz, which you can see by trying to create the same value in regedit). Since we don’t have an ability to exclude this newline in BES 6.0 (will be in the next version though), this mechanism will not work.

One of our customers reported to us this McAfee bug and we helped create a Fixlet that will detect and remove the pending restart entries. The Fixlet should only become relevant if the “PendingFileRenameOperations” value in the registry contains ONLY the lines:

??\C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\UpdateDir

(you can add more lines if you want to modify the Fixlet…)

If any other lines are in the registry value, then it must need a restart for some other reason and it will not be relevant. If you apply the Fixlet, it will delete the registry value, which should make BigFix clear the “pending restart” flag.

Attached is the Fixlet that you can import (remember that you must be logged into the BES forum to download files).

Ben
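The "contains ONLY these lines" check described in the comment above, sketched in Python as an added example; it is not the attached Fixlet and not BigFix code. It assumes the raw bytes of the `PendingFileRenameOperations` value are supplied by the caller, and the sample values, `patch.tmp` and `example.dll` are constructed for illustration.

```python
import re

# The two UpdateDir locations named in the thread.
BASE = r"C:\Documents and Settings\All Users\Application Data"
EXCLUDED = [
    BASE + r"\Network Associates\Common Framework\UpdateDir",
    BASE + r"\McAfee\Common Framework\UpdateDir",
]


def multi_sz(*strings):
    """Build raw REG_MULTI_SZ bytes: UTF-16LE strings, each NUL-terminated,
    plus one extra NUL that ends the list (used for the constructed samples)."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def pending_entries(raw):
    """Return the non-empty strings in a raw PendingFileRenameOperations value.
    A delete-on-reboot operation is a path followed by an empty string, so
    empty strings and stray CR/LF characters are dropped, not treated as paths."""
    text = raw.decode("utf-16-le", errors="replace")
    return [p.strip() for p in re.split(r"[\x00\r\n]+", text) if p.strip()]


def normalise(path):
    """Strip the NT '\\??\\' prefix and trailing backslash; ignore case."""
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.rstrip("\\").casefold()


def only_excluded(raw, excluded=EXCLUDED):
    """True when the value has at least one entry and every entry is exactly an
    excluded directory, i.e. nothing else is asking for a restart."""
    allowed = {normalise(p) for p in excluded}
    entries = pending_entries(raw)
    return bool(entries) and all(normalise(e) in allowed for e in entries)


# Constructed samples (not captured from a real machine).
MCAFEE_ONLY = multi_sz("\\??\\" + EXCLUDED[0], "", "\\??\\" + EXCLUDED[1] + "\r\n", "")
MIXED = multi_sz("\\??\\" + EXCLUDED[0], "", r"\??\C:\WINDOWS\Temp\patch.tmp",
                 r"!\??\C:\WINDOWS\system32\example.dll")
EMPTY = multi_sz()

if __name__ == "__main__":
    for name, raw in [("mcafee only", MCAFEE_ONLY), ("mixed", MIXED), ("empty", EMPTY)]:
        print(name, "->", "safe to clear" if only_excluded(raw) else "leave alone")
```

Matching is exact rather than by prefix, so a rename destination or any unrelated path makes the check fail and the pending restart is left in place.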

(imported comment written by dgibson91)

Thanks Ben. This will do exactly what we need.

(imported comment written by SmearODeer91)

Thanks Ben Kus for the fixlet,

Updating History on this… This issue can be resolved by installing Common Management Agent (CMA) 3.6.0 Patch 1. McAfee states CMA 3.6.0 Patch 1 will correct this issue but Patch 1 has not been released for download yet.

Just letting those who use this custom fixlet patch know a proper fix will be coming from the vendor who created the “Issue”. At that point I hope to update on the custom fixlet’s relevance.

(imported comment written by SystemAdmin)

While this thread is talking about McAfee and EPO, here’s one other suggestion. The fixlet “TIP: Optimize McAfee VirusScan Enterprise 7.0i/8.0i to Run with BES Clients” specifically looks for exclusions of “c:\Program Files\BigFix Enterprise\BES Client”. Though it doesn’t check for it, it’s also safe if “c:\Program Files\BigFix Enterprise” is excluded, as long as subdirs are as well.

So lines like…

“3|15|” & pathname of parent folder of regapp “besclient.exe” & “”

Could also be…

“3|15|” & pathname of parent folder of regapp “besclient.exe” & “”

or

“3|15|” & pathname of parent folder of parent folder of regapp “besclient.exe” & “”

I was thinking about this because the console is installed into “c:\Program Files\BigFix Enterprise\BES Console”. Is there any performance hit to the console if that directory isn’t excluded??

Also, for McAfee 8.5i, the exclusions would be as follows…

Under “HKEY_LOCAL_MACHINE\Software\McAfee\VSCore\On Access Scanner\McShield\Configuration”, look for a dword of “OnlyUseDefaultConfig”.

If OnlyUseDefaultConfig=1, only look for exclusions under the subkey “Default”. If OnlyUseDefaultConfig=0, then look under “Default”, “High” and “Low” for exclusions.

-Paul