MOM 2005 and McAfee 8.0i VirusScan

  • Article

MOM 2005 agent runs it’s scripts in an out-of-service (MOMService.exe) process called MOMHost.exe. When you are running McAfee 8.0i AV agent, there appears to be a problem. The ScriptProxy.dll component of the McAfee agent causes a slow memory hog in the MOMHost.exe process responsible for running MOM Scripts. By default MOM does not allow more then 100MB for this process to take up on a computer (editable in registry). The effect is that every 2-4 days your process will restart (depending on number of scripts/MPs in place). This in turn leads to such errors:

**

Severity: Error

Maintenance Mode: False

Domain: DOMAINNAME

Computer: SERVERNAME

Time Last Modified: 2006-06-22 20:41:09

Resolution State: New

Time in State: 2006-06-22 18:41:09

Problem State: 0

Repeat Count: 0

Name: The rule response failed to execute

Source: Microsoft Operations Manager

Description: The response processor failed to execute a response. The response returned the error message: The remote procedure call failed.

This is because restarting that process kills all scripts without any notice. This could be improved to let the scripts finish (allowing for some timeout) before killing the process. Failing scripts can result in many things:

  • Your reports do not show consistent information (e.g. Exchange MP send mail script fails – reporting a lack in Exchange Availability)
  • You get alerts that are reporting some service availability problem, but are in fact due to the failure of script run (e.g. for the above example receiving Exchange servers would report “Error: Mail flow message not received”)

There was a time, when McAfee claimed that it fixed problems with Patch 11, but it came out not to be true. See article KB47302 on https://knowledgemap.nai.com/: Installing the current VirusScan Patch 11 does not resolve this issue.

The solution is to unregister the ScriptProxy.DLL or install a Patch from McAfee AND disable the script scanning component in EPO.

It took me some time to figure out all this, so maybe this post will speed up things for some of you. Our KB articles were updated not long ago to reflect this, but are not always 100% clear (See: https://support.microsoft.com/kb/891605/en-us, https://support.microsoft.com/kb/890736/en-us).