Cluster Shared Volumes (CSV) in redirected access mode after installing McAfee VSE 8.7 Patch 5 or 8.8 Patch 1

There is an issue with Cluster Shared Volumes and McAfee VirusScan Enterprise that I wanted to pass along. After McAfee VSE 8.7 Patch 5 or 8.8 Patch 1 is installed, the CSV drives go into redirected access mode and do not come back out of it.

The reason for this is that the McAfee filter driver (mfehidk.sys) is using decimal points in the altitude to help in identifying upgrade scenarios for their product.  The Cluster CSV filter only accepts whole numbers and puts the drives in redirected access mode when it sees this decimal value.

When this happens, if you run FLTMC from an administrative command prompt, you may see something similar to:

C:\> fltmc

Filter Name    Num Instances      Altitude    Frame
CSVFilter            2            404900        0
mfehidk                           329998.99   <Legacy>
mfehidk              2            321300.00     0

If you generate a Cluster Log, you will see entries like the ones below, showing that the altitude value cannot be read properly.

INFO [DCM] FsFilterCanUseDirectIO is called for \\?\Volume{188c44f1-9cd0-11df-926b-a4ca2baf36ff}
ERR  mscs::FilterSnooper::CanUseDirectIO: BadFormat(5917)’ because of ‘non-digit found’
INFO [DCM] PostOnline. CanUseDirectIO for C2V1 => false
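
A quick way to check a node for this condition, as an added example that is not part of the original post: the PowerShell function below parses FLTMC output and reports every filter whose altitude contains a non-digit character. The function name Find-NonIntegerAltitude is hypothetical, the sample lines are copied from the FLTMC output above, and the all-digits test is an assumption based on the 'non-digit found' message in the Cluster Log.

```powershell
# Added example (not from the original post).
# Reports filter drivers whose altitude is not a whole number.
function Find-NonIntegerAltitude {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$FltmcLines
    )

    # Columns: filter name, instance count (blank for legacy filters),
    # altitude, frame. Header and separator lines do not match.
    $row = '^\s*(?<name>\S+)\s+(?:(?<inst>\d+)\s+)?(?<alt>\d[\d.]*)\s+(?<frame>\S+)\s*$'

    foreach ($line in $FltmcLines) {
        if ($line -notmatch $row) { continue }

        # Copy the captures before running another regex operation.
        $name  = $Matches['name']
        $alt   = $Matches['alt']
        $frame = $Matches['frame']

        # Assumption: anything other than digits in the altitude is a problem,
        # matching the 'non-digit found' error in the Cluster Log.
        if ($alt -notmatch '^\d+$') {
            [pscustomobject]@{
                Filter   = $name
                Altitude = $alt
                Frame    = $frame
            }
        }
    }
}

# Sample input: the FLTMC output shown in this post.
$sample = @(
    'Filter Name    Num Instances      Altitude    Frame',
    'CSVFilter            2            404900        0',
    'mfehidk                           329998.99   <Legacy>',
    'mfehidk              2            321300.00     0'
)

Find-NonIntegerAltitude -FltmcLines $sample | Format-Table -AutoSize

# On a cluster node, from an elevated prompt, check the live output instead:
# Find-NonIntegerAltitude -FltmcLines (fltmc)
```

Against the sample, both mfehidk rows are reported and CSVFilter is not.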

McAfee has released the following document giving a temporary workaround.

Cluster Shared Volumes (CSV) status becomes Online (Redirected access)

Microsoft is aware of the problem and is currently working on a fix. When the fix is available, this post will be updated and a new KB Article will be created with the fix.

John Marlin
Senior Support Escalation Engineer
Microsoft Enterprise Platforms Support