Release Notes for McAfee® VirusScan®Enterprise 8.7i Patch 4
Thank you for using McAfee software. This document contains
important information about the current release. We strongly recommend
that you read the entire document.
About this release
- Patch Release: 08-26-2010
This release was developed for use with:
- VirusScan Enterprise: 8.7i
- Detection Definitions (DAT): 6037.0000
- Scan Engine: 5.4.00
Make sure you have installed the correct version of the product(s) in this list before using this release.
*This document makes references to the following products as VirusScan Modules:
- McAfee® VirusScan® Enterprise for Offline Virtual Images 1.0
- McAfee® VirusScan® Enterprise for Offline Virtual Images 2.0
- McAfee® VirusScan® Enterprise for use with SAP NetWeaver® platform 1.0
- McAfee® VirusScan® Enterprise for Storage 1.0
McAfee recommends this release for all environments. Patch 4 is considered a High Priority Release. See McAfee Support KnowledgeBase article KB51560 for information on ratings.
This Patch contains a variety of improvements. McAfee has spent a
significant amount of time finding, fixing, and testing the fixes in
this release. Please review the Known and Resolved issues lists for
additional information on the individual issues. Refer to online
KnowledgeBase article KB65944 at http://knowledge.mcafee.com for the
most current information regarding this release.
This document supplements the product Release Notes in the release
package and details fixes included in VirusScan Enterprise 8.7i Patch 4.
This release of the software includes the following improvements.
- Changes were made to the way Run-Time DATs are handled
during an update. These changes help the scanners reinitialize and
reload the newer DAT files. When multiple scanners are using the
Run-Time DAT files and an update occurs, the first available system
scanner creates a new Run-Time DAT file with a unique name. As other
scanners free up their current threads, they then switch over to the
newer Run-Time DAT files.
Note: With this new
implementation, only system level scanners can update the Run-Time
DATs. If only user level scanners are enabled on a system, the Run-Time
DATs are not updated on that system, which can impact the memory usage
improvements provided by the Run-Time DATs.
Previous releases of the software include the following improvements.
- Changes were made to the service startup sequence to have less impact on the system during startup.
were made to the way that the CommonShell scanner interacts with file
I/O. This improves performance with on-access scanners within the
- VirusScan Enterprise 8.7i Patch 2 and
later now has the ability to report compliance to the newer versions of
Windows Security Center.
- The VirusScan
Enterprise 8.7i extension has improved support for ePolicy Orchestrator
4.5 with Firefox 3.0 and Internet Explorer 8.0.
modifications were made to the way that the VirusScan Enterprise system
tray icon interacts with the new functionality of McAfee Agent 4.5.
- The file extension .txt was added to the SmoothWritesExtension registry value to increase performance in handling text files.
- Russian language support was added to the VirusScan Enterprise user interface, NAP file, and extension.
NOTE: See items #3 and #4 under Known issues for further information about this topic.
VirusScan Reports extension now has updated queries to show the status
of Artemis settings for the on-access, on-demand, and email scanners.
The Artemis status requires VirusScan Enterprise 8.5i Patch 8 or
VirusScan Enterprise 8.7i Patch 1 and later to be installed on the
client systems, in order to correctly populate the reports. Refer to
McAfee Support KnowledgeBase article KB53732 for further information on
- The Artemis level settings
of the On-Access Scanner is now modifiable via the properties UI, and
the equivalent VirusScan 8.7i NAP and extension included in the Patch
NOTE: Because this setting is new with this
release of the VirusScan 8.7i NAP and extension, there is no preserved
setting upon check-in of the management package. The ePolicy
Orchestrator administrator must update that setting in the policies to
match the current Artemis policy.
modifications were made to the way VirusScan Enterprise interacts with
the operating system on startup, suspend, and shutdown. These
modifications resolve and improve performance issues.
DAT files are compressed to conserve network bandwidth. Now, changes
were made to decompress the DATs during the AutoUpdate process and
leave them in that state, so that scanners do not have to decompress
them during initialization of the scan.
on-demand scanner now uses Windows Priority Control setting for the
scan process. This lets the operating system set the amount of CPU time
that the on-demand scanner receives at any point in the scan process.
The System Utilization setting in the On-Demand Scan Properties maps to
Windows Priority Control as:
on-access, on-demand, email, and script scanners now use a runtime copy
of the DATs. This change has reduced the memory consumption of affected
scanners by having the DATs in a readily available state for the scan
engine to load.
NOTE: In some scenarios, the Run-Time DATs are not available. See item #1 under Known issues. Refer to McAfee Support KnowledgeBase article KB65459 for further information on Run-Time DATs.
Enterprise functions that request the current version of DATs no longer
need to initialize the scan engine to do so. This prevents excessive
CPU spikes during ePolicy Orchestrator properties collection, as well
as other functions that poll the DATs.
- The on-access scanner memory scan function (Processes on enable) has been modified significantly to make it more comprehensive.
NOTE: The improved functionality can cause a performance impact to the system. See item #2 under Known issues.
a web browser opens a site that is script-intensive, scanning the
scripts adds to the delay of loading the page. This Patch contains new
functionality for ScriptScan whitelisting. If the website is a trusted
Intranet and/or frequently visited, the new implementation now allows
for the exclusion of that site from script scanning.
NOTE: Refer to McAfee Support KnowledgeBase article KB65382 for further information.
installation packages for patches and reposts were upgraded so that the
installation log name, created in the McAfeeLogs folder, has a
dynamically generated name based on the current date and time of the
installation. This helps save logs that might have been overwritten
with the previous “backup previous log only” method.
Here is a list of known issues that we were aware of at production time.
- Issue: In some situations, the product switches over to using the normal copy of the DAT files, instead of the Run-Time DATs:
the McAfee AntiSpyware Enterprise module is installed after VirusScan
Enterprise 8.7i Patch 3 is on the system, some of the new registry
settings, which are new for the runtime functionality, were changed
back. This resolves itself with a restart of the McTaskManager service
or with a reboot.
- If one of the scanners is busy on a
large file when the AutoUpdate process posts the revised copy of the
DATs, the process of refreshing the runtime copy of the DATs times out.
All scanners use the normal DATs until the next successful update.
- The VirusScan Modules* will not use the Run-Time DAT functionality until they receive their next Patch.
With the improved functionality of the on-access scanner memory scan,
lower and middle ranged systems might see a performance impact at
startup and after a successful AutoUpdate of the engine or DATs.
Currently the Process on enable option is enabled by default on the
shipping version of VirusScan Enterprise 8.7i. McAfee recommends that
in a managed environment, disable this option prior to deployment of
the Patch, until the impact of memory scanning can be determined for
your environment. It is not possible to maintain both the more
comprehensive scanning that comes with Patch 1 and later, and the
former level of scanning. Therefore, only the more comprehensive scan
NOTE FOR CURRENT AND NEW USERS:
- The Patch installation does not modify current settings to disable the Process on enable option.
VirusScan 8.7i NAP and extension that are included with the Patch do
change the McAfee Default policy, but do not modify the My Default
policy, or any custom policy settings that were made prior to the
check-in of the new NAP/extension.
- The VirusScan Enterprise 8.7i Repost with Patch now installs with the Process on enable option disabled, unless the Maximum Security option is selected during the installation.
With the introduction of support for Russian, you might need to remove
the previous version of the extension from ePolicy Orchestrator before
adding the new extension. If you do not, some of the interface might be
displayed in the original language.
McAfee Agent 4.0 Patch 2 and later includes support for displaying
status and logs in Russian. Older versions display this information in
English by default.
VirusScan Enterprise 8.7i Patch 2 and later include the new interface
for reporting status to Windows Security Center, uninstalling the Patch
removes this function -- without reintroducing the older expired
function. This means that Windows Security Center does not report
VirusScan Enterprise 8.7i being installed until Patch 2 or later is
Issue: When you remove the McAfee AntiSpyware Module, the status in Windows Security Center is not updated.
In deployments of VirusScan Enterprise 8.7i Patch 2 and later with
McAfee Agent 4.5, the VirusScan tray plug-in does not appear until
after a restart of the McAfee system tray icon. If VirusScan is
uninstalled, the VirusScan tray plug-in is still visible until a
Issue: This Patch adds
needed support for McAfee VirusScan Enterprise for Offline Virtual
Images 2.0, and should not be removed unless the VirusScan Module is
Issue: The Patch installer
included an MSI deferred action to resolve an issue that occurred when
attempting to uninstall the Patch on some newer operating systems. The
deferred.mfe file updated the cached MSI of the currently installed
VirusScan Enterprise 8.7i product. If the Patch is included in a McAfee
Installation Designer customized package, the deferred.mfe file was not
included, and therefore the Patch might not be able to be uninstalled
in some newer operating systems.
If you installed this release interactively and cancelled the
installation on a system where a previous Patch was installed, after
the rollback was complete, the previous Patch might no longer report to
ePolicy Orchestrator or appear in the About VirusScan Enterprise window.
Installing the Patch and specifying a log file path using the Microsoft
Installer (MSI) switch “/L” did not log to the specified path. A log
file capturing full data was logged to the folder “McAfeeLogs” under
the Temp folder.
Issue: If Host Intrusion
Prevention 6.x or later was installed and disabled prior to installing
VirusScan Enterprise, it was necessary to re-enable Host Intrusion
Prevention and disable it again, in order for VirusScan Buffer Overflow
Protection to be properly enabled.
Uninstalling VirusScan Enterprise Patches is possible for computers
running Windows Installer v3.x or later. This technology is not fully
integrated for Windows 2000 operating systems, so there is no option to
remove the Patch in Add/Remove programs. See Removing the Patch for instructions on removal via command-line options.
Issue: Patches for VirusScan Enterprise 8.7i can only be uninstalled via Add/Remove programs, not via ePolicy Orchestrator.
Due to changes made to the VirusScan Enterprise 8.7 Repost 3 MSI,
VirsuScan Enterprise 8.7 patches will not install with McAfee
Installation Designer without an additional configuration step. See McAfee Installation Designer patch configuration under Installation instructions for instructions on adding a patch to a custom installation package.
The resolved issues are divided into subsections per Patch, showing when each fix was added to the compilation.
Patch 4 resolved issues
- Issue: Applications were not being
monitored by VirusScan Enterprise Buffer Overflow Protection, which
could cause a performance penalty when the Buffer Overflow Protection
feature was enabled for other processes. (Reference: 508049)
Resolution: Changes were made in the way some APIs are
monitored for the VirusScan Enterprise Buffer Overflow Protection
implementation, so that processes not being monitored by VirusScan
Enterprise Buffer Overflow Protection can be excluded from evaluation
earlier and with less of a performance impact.
- Issue: VirusScan Task Manager could
encounter access violation and crash on exit. Threads were not properly
synchronizing on exit, resulting in access violation. (Reference:
Resolution: Threads are now being properly synchronized, providing serialized access to common data on exit.
- Issue: Tasks created by ePolicy Orchestrator were not stopping when set to only run for a specified time. (Reference: 531674)
The VirusScan Management Plug-in now uses the correct function call to
terminate the task on 64-bit platforms. The fix provided in this Patch
improves the fix provided in Hotfix 537674, which was released
- Issue: An issue can arise during an
upgrade from VirusScan Enterprise 8.5i to VirusScan Enterprise 8.7i
where the preserved tasks are deleted after the first reboot.
Resolution: The McAfee Task Manager service no longer attempts to index the tasks during shutdown, which caused the task to be deleted.
The OutlookScan feature could fail to release an instance of the scan
engine that was loaded via EngineServer.exe. This could lead to
symptoms of EngineServer.exe using large amounts of memory, until the
service was restarted. (Reference: 539488)
Resolution: The Outlook UI library now properly releases the engine instance on exit of Outlook.
VirusScan events received by ePolicy Orchestrator may fail to be
processed by the Event Parser. Unexpected characters in the event
caused an error to be logged by the Event Parser, and the event to
remain in the events folder on the server. (Reference: 539709)
Resolution: The CommonShell library has been updated to
replace invalid characters to be changed to a question mark in order to
be successfully received by ePolicy Orchestrator.
- Issue: Users were unable to save an Alert Policy change if all options were disabled. (Reference: 539933)
User can now save policies after deselecting all components that
generate alerts. Users also can use the checkboxes and drop-down
options on the Additional Alerting Options tab after deselecting all
components that generate alerts.
- Issue: Certain German cookies were causing on-demand scans to appear to hang during the Cookie Scan. (Reference: 542698)
The commonshell library better handles reparse points that are being
checked while walking through profiles folders for cookies.
- Issue: The On-Delivery Email Scan Policies Report tab was missing descriptive text for dialog boxes. (Reference: 544855)
Resolution: 'Maximum log file size:' and 'MB' descriptive text has been added to the On Delivery Email Scan Policies Report tab.
When using McAfee Installation Designer to configure the Artemis
setting for email scanning, the value was being read and written to the
regular location under HKLM registry key. (Reference: 547056)
Resolution: The value is now correctly read and written
to the temporary MID key under HKCU. This allows the value to be
correctly saved when McAfee Installation Designer generates the
settings for custom packages.
- Issue: No event XML files were being generated for event IDs 1087 and 1088. (Reference: 547867)
Resolution: XML files will now be created for event IDs 1087 and 1088 and will be seen in the AgentEvents folder.
In certain circumstances, the extra460575.rul that controls the Access
Protection rule "Prevent Termination of McAfee Processes" was
incorrectly placed on 32-bit systems and improperly removed on 64-bit
systems. (Reference: 549354)
Resolution: The MSP Patch installer now checks for the existence of the file and corrects any invalid states.
Invoking an on-demand scan on a folder that is a part of a Symbolic or
Junction Link results in an indefinite on-demand scan
estimation/scanning time. (Reference: 551494)
Resolution: On-demand scan estimation function now handles Symbolic and Junction Links properly.
VirusScan Task Manager could leave runaway threads when exiting. The
runaway threads created high CPU situations that could make servers
unresponsive. (Reference: 552611)
Resolution: This issue has been corrected by ensuring no runaway threads are left behind on exit.
Artemis sensitivity level pull-down menu for the default on-demand full
scan was diabled (grayed out) periodically. (Reference: 552834)
Resolution: Artemis sensitivity level pull-down menu is now always enabled and not grayed out in the On-Demand Full Scan properties.
A CE bugcheck (blue screen) could occur when the On-Access Scanner
service was stopped on a system that was still handling I/O requests.
Resolution: The system core drivers now properly sequence the events during the unload operation to prevent this issue.
- Issue: Password for the console user interface was not preserved with a Patch update. (Reference: 557805)
Resolution: The MSP Installer now properly flags the registry keys to preserve the user interface password value.
The Access Protection rule 'Prevent Windows Process spoofing' was
incorrectly including directory locations not valid for the operating
system. (Reference: 558361)
Resolution: The VSCAN.BOF file was updated to correctly map directory locations to excluded processes.
The On-Access Scanner exclusion list was adding an additional backslash
when entering excluded items to the list. (Reference: 562246)
Resolution: A user interface for Extensions and
Exclusions Filter Library configuration (ftcfg.dll) logic has been
added to determine whether the string variable is a drive letter or
- Issue: The Access Protection and Buffer
Overflow Protection rules contained errors, causing the installation of
other McAfee Products that contained newer shared components would fail
to install. (Reference: 565254)
Resolution: The VSCAN.BOF file no longer causes the
Access Protection rule "Prevent modification of McAfee files and
settings" to be triggered during installation of McAfee products.
- Issue: The ePolicy Orchestrator Low-Risk
and High-Risk Policy exclusion page required an extended amount of time
to render when many exclusions were listed. (Reference: 567297)
Resolution: The Low-Risk and High-Risk Policy page now renders properly and in a timely manner.
On low resource systems, VirusScan Enterprise 8.7i encountered a
timeout when registering with the Windows Action Center and failed to
report its status in time. This caused the Windows Action Center to
show AntiVirus Software as disabled. (Reference: 567396)
Resolution: VirusScan Task Manager now allows enough
time to register with the Windows Action Center before reporting its
first status, and resends the status if needed.
- Issue: The driver was recording and
accumulating data about unimportant file activity, and it did not
promptly discard that data. (Reference: 568654)
Resolution: The driver was revised to immediately discard data about unimportant file activity.
On newer versions of Windows that have the notification options for
system tray icons, the VirusScan tray icon did not properly save the
current state set by the user.(Reference: 569156)
Resolution: Some obsolete code was removed from the VirusScan tray icon that was preventing the save of the state in newer platforms.
After installing McAfee HF539488 and opening multiple instances of
Microsoft Outlook, some users experienced an error message: "Email scan
protection is disabled. Restart Outlook and McAfee engine service".
Resolution: Multiple instances of Microsoft Outlook no longer triggers this error message.
If an I/O Request was received for a file system for which the VPB
reported a size of 0, the driver attempted to access the VPB even if
the pointer to it was NULL, resulting in a STOP 1E. (Reference: 577676)
Resolution: The driver was revised to unconditionally verify every pointer to be non-NULL, regardless of the specified size of the VPB.
Due to changes made in the "time to hibernate" is managed on a system
with Microsoft Windows 7, scan threads were not given enough time to
finish. On resume, those scan threads already reached their timeout
value, which caused McShield to respond with a crash. (Reference:
Resolution: The On-Access Scanner service now responds
to power management features by resetting the timeout value so that the
scan thread can finish as normal.
- Issue: Due to changes in the time to
hibernate a system in Microsoft Windows 7, a timing issue occured where
the request to pause the McShield service was not completed until after
the resume. This caused the On-Access Scanner service to pause coming
out of hibernate. (Reference: 578500)
Resolution: The On-Access Scanner service now no longer attempts to pause as part of the power management features.
If a custom Access Protection rule specified restrictions against a
specific process, the driver might block network access to other
processes. (Reference: 579228)
Resolution: The driver was updated to enforce rule restrictions only against the specific processes named in the rule.
MSI 4.5 prevents modifying VirusScan Enterprise 8.7i Patch 3 via
Add/Remove Programs. The feature state for the product was set to
"disabled" even though the component files were installed. (Reference:
Resolution: A new function runs prior to applying the Patch 4 that checks the state of the features and repairs the states as needed.
The repair function creates a registry value in
HKLM\Software\McAfee\DesktopProtection called PatchRepair_582208 = 1.
The Patch 4 installer does not complete its installation if this
registry value is not present.
- Issue: A timing
issue could occur where VirusScan Task Manager interferes with the
virus definition files (DAT) copy process during an update. This leads
to the DAT being locked, preventing the update from completing
successfully. (Reference: 610714)
Resolution: The VirusScan Task Manager will now defer actions related to DATS while the DAT update process is occurring.
Patch 3 resolved issues:
- Issue: Users would see Windows Security
Center notification pop-ups at regular intervals, stating that
VirusScan was disabled. (Reference: 529651)
Resolution: The VirusScan Enterprise Windows Security
Center reporting tool now only updates its status when the state of
VirusScan changes, rather than at regular intervals.
- Issue: The On-Access Scanner service failed to start after running Chkdsk at startup. (Reference: 450357)
Resolution: The Anti-Virus Filter driver no longer treats the disks as having been dismounted after the Chkdsk procedure is completed.
- Issue: Some VBScript types were not being properly scanned on Windows 2008 R2. (Reference: 505001)
Resolution: The ScriptScan application has been updated to account for changes in the Windows 2008 R2 platform.
- Issue: A 3B bugcheck (blue screen) could occur immediately after an unexpected device-removal. (Reference: 519656)
The Link driver has been revised to cease processing outstanding IO
requests immediately upon being notified that device removal has
- Issue: When an Access Protection warning
existed in McAfee Security Status window, the warning status clear
function caused a crash. (Reference: 517265)
Resolution: The VirusScan tray files now have updated logic to handle the Access Protection messages in the McAfee Security Status window.
When an On-Demand Scan task was created manually via console, but had
not yet run, the task started up at the next reboot. (Reference:
Resolution: The VirusScan task manager service prevented
an uninitialized variable, which caused the task to indicate that a
scan was in progress.
- Issue: On-Demand Scan tasks on Windows 2008 failed to authenticate to network shares with specified credentials. (Reference: 503155)
Resolution: The On-Demand Scanner now requests the necessary elevated privileges to authenticate on Windows 2008.
The On-Demand Scanner /LOG switch logged only part of the data from the
scan in the specified location, while the rest of the information was
still recorded in the default location. (Reference: 525694)
Resolution: When Scan32.exe is executed via command
line, it now reads from the default settings and overwrites, but does
not save, the setting based on what is specified with the command-line
- Issue: With VirusScan installed
alongside the McAfee Agent 4.5 in an unmanaged environment, the
VirusScan legacy tray icon did not load. (Reference: 523823)
Resolution: The VirusScan Statistics tray icon now
properly queries the McAfee Agent for version and managed/unmanaged
state before deciding to load it.
- Issue: Removing the current Patch from
the system did not replace the Patch_ registry data from the previous
Patch. (Reference: 523806)
Resolution: The Microsoft Patch (MSP) installer now reverts the Patch_ registry information to the previous version.
If VirusScan was set to show its tray settings with minimal options,
the McAfee Agent 4.5 tray icon did not display an item under Managed
Products. (Reference: 528792)
Resolution: The VirusScan Statistics tray plug-in now uses the legacy Help/About as a menu option when VirusScan is set to Show the system tray icon with minimal menu options.
- Issue: When a specific scan task had both Defer scan when using battery power and User may defer scheduled scans options set, the user was still prompted to defer the scan when on battery power. (Reference: 537126)
Resolution: The On-Demand Scan plug-in was changed so that the property option, User may defer scheduled scans, is not encountered first, so it doesn’t override the other selections.
- Issue: The user dialog box for the scan task option, User may defer scheduled scans, did not appear when VirusScan 8.7i was managed by the McAfee Agent 4.5. (Reference: 534348)
The VirusScan Statistics tray plug-in was updated to include this same
functionality from the VirusScan Statistics legacy tray icon.
- Issue: Using the %ProgramFiles% variable
to exclude folders and files did not translate all possibilities across
64-bit and 32-bit operating systems. To ensure you exclude any possible
“Program files” location (including “Program Files (x86)”), you had to
enter the exclusions two ways: 1) “%programfiles%” 2)
“%programfiles(x86)%” (Reference: 491796)
Resolution: The Access Protection Filter API now always
translates the %ProgramFiles% variable into all lowercase to prevent
the operating system from misinterpreting the intended location.
- Issue: Some access protection policies
were enforced by ePolicy Orchestrator when the Access Protection
feature was not installed to the system. (Reference: 503635)
Resolution: The VirusScan Management Plug-in now
recognizes when the Access Protection feature is installed or not and
enforces policies accordingly.
- Issue: The Task name entry for the
default "Full Scan" used the translation string name instead of the
translated name. (Reference: 505217)
Resolution: The Announcer library now uses the proper translation name instead of the string.
The Network Port Access Protection Rule window under the user-defined
access protection policies did not always display an OK or Cancel
button. (Reference: 517382)
Resolution: The VirusScan 8.7i extension has been updated to properly display the buttons.
The threat event 1119 event showed an incorrect Engine and DAT version
when an update failed or was cancelled. (Reference: 468233)
Resolution: The AutoUpdate application now reports the proper information for the event.
The process name involved in a Buffer Overflow detection did not show
in the ePolicy Orchestrator query "Top 10 Buffer Overflows Detected".
Resolution: VirusScan Reports extension was corrected to display the information under the proper column name.
- Issue: The query "Number of Detections by Tag" did not execute properly on ePolicy Orchestrator 4.5. (Reference: 460304)
Resolution: The VirusScan Reports extension now uses the proper column validation.
The Access Protection and Buffer Overflow rule file that was contained
in the VirusScan extension introduced an incorrectly defined variable
that prevented the McAfee Agent from calling back to the ePolicy
Orchestrator server if custom policies were made to the rules.
Resolution: The VirusScan Extension has been updated to
include a revised Access Protection and Buffer Overflow rule that does
not have this variable.
Patch 2 resolved issues:
- Issue: Processes that ended were still listed in Task Manager. (Reference: 482720)
Resolution: The link driver no longer retains the handles to processes that have closed.
On a system using large quantities of handles, particularly busy
servers, VirusScan would cache excessive amounts of data in non-paged
pool memory. (Reference: 492541)
Resolution: The link driver has been updated to reduce the amount of overhead in the data used for operations.
In high I/O environments where Access Protection is enabled, a
performance degradation symptom could be encountered, appearing as a
hang. Internal processing by VirusScan drivers occurred serially,
contributing to a bottleneck when large volumes of I/O were filtered.
Resolution: The link and mini-firewall drivers no longer
cause a sequential release of objects containing gathered information
on the I/O request. This should increase performance on multi-processor
- Issue: The setting in Email Scan for
Heuristic network check for suspicious files was not being updated
based on the user interface or policy changes. (Reference: 493594)
Resolution: The setting now updates the proper registry location to reflect the change in the user interface.
To support ePolicy Orchestrator’s Countermeasures functionality, the
properties collection was modified for the new data. The section title
was not named correctly to reflect the new functionality. (Reference:
Resolution: The section in the computer properties was updated to Countermeasures for ePolicy Orchestrator to use the data properly.
- Issue: On systems with Symantec's SVS Client software installed, the on-access scan features did not load. (Reference: 441670)
Resolution: The On-Access Scanner service now communicates with our filter drivers on systems where SVS Client software is installed.
The Patch installer registered ScriptScan libraries, even when the user
interface had the feature set as disabled. (Reference: 498347)
Resolution: The Patch installer no longer runs the ScriptScan registration function, in order to prevent the setting from being changed.
When Access Protection and Buffer Overflow were disabled in an attempt
to improve performance, the drivers were still loaded, although not
active, causing little change in performance. (Reference: 465506)
Resolution: Disabling the Access Protection and Buffer Overflow driver now yields the expected performance increase.
The on-access scanner did not properly time out when scanning large
archives. This could lead to the system failing to copy files.
Resolution: The on-access scanner service now successfully times out at the interval specified in the user interface.
- Issue: When the on-delivery Outlook scanner received emails to scan, some keyboard entries could be lost. (Reference: 480992)
The Outlook scanner now handles the on-delivery scan of an email with
Microsoft Outlook 2007, and caches the keys entered during that time.
- Issue: When VirusScan Enterprise 8.7i was installed on a system running Windows 2008, uninstall fails. (Reference: 496609)
Resolution: The Microsoft Patch (MSP) installer corrects a custom action that was preventing the re-enabling of Microsoft Windows Defender.
When VirusScan Enterprise 8.7i is installed on a system running Windows
2000, where the installation was customized using McAfee Installation
Designer, a subsequent patch update might fail to install. (Reference:
Resolution: The MSP installer modifies the cached MSI
for VirusScan Enterprise 8.7i, on Windows 2000, in order to correct the
source of failure.
- Issue: Silent installations might fail
on hard drives that are designated as dynamic. The on-access scanner
service fails to start, and the installation rolls back. (Reference:
Resolution: The Patch 1 Repost and later installation packages now install to a dynamic disk, silently.
Patch 1 resolved issues:
- Issue: An unauthenticated remote denial-of-service attack was discovered. (Reference: 470184)
Resolution: The product no longer allows the denial-of-service attack.
Under certain conditions, the Lotus Notes scanner of VirusScan
Enterprise can mistakenly deny access to the Lotus Notes internal
processes, if a note was being accessed more than once. (Reference:
Resolution: The Lotus Notes scanner has been adjusted to better handle re-entrance scanning of the same note.
Silent installs may fail on hard drives that are designated as dynamic.
The on-access scanner service fails to start, and the installation will
roll back. (Reference: 443669)
Resolution: The patch 1 and later install packages will now install to a dynamic disk, silently.
Sporadic crashes were seen on multi-processor systems, with the Lotus
Notes scanner file ncdaemon.exe, during startup and general use of
Lotus Notes. (Reference: 442337)
Resolution: The Lotus Notes scanner has been corrected
to prevent a race condition where different scanner threads were
starting and stopping out of sequence.
- Issue: A 8E bugcheck (blue screen)
sometimes occurred when VirusScan Enterprise 8.7i was installed along
with Checkpoint VPN-1 SecureClient. (Reference: 438771)
Resolution: The link driver was updated to avoid probing kernel memory unnecessarily.
For this fix to prevent the above issue, the files need to be placed on
the system during the installation of VirusScan Enterprise, before the
services start. The repost of VirusScan Enterprise 8.7i with Patch 1
will be needed to see the resolution.
- Issue: A flaw in the caching algorithm sometimes caused files in removable media to not be scanned. (Reference: 443104)
Resolution: The Anti-Virus Filter driver was updated to clear the cache of removable media upon attaching to the system.
The on-access scanner contained a flaw in the scan on close logic. This
could cause a file to be queued up for scanning a second time.
Resolution: The Anti-Virus Filter driver no longer queues these unnecessary scan requests.
During an upgrade from a customized VirusScan Enterprise 8.5i to
VirusScan Enterprise 8.7i, An issue sometimes occurred where the
configuration tool did not properly backup and restore the registry
information. The installation was left in a state where some of the
product information still showed as the older version. (Reference:
Resolution: The McAfee Installation Designer
configuration applicator has been changed to be more comprehensive in
backing up and in version checking during the upgrade, in order to
prevent failures by other McAfee product installations that require
NOTE: For this fix to prevent the above issue, the
files need to be placed on the system during the installation of
VirusScan Enterprise, before the services start. The repost of
VirusScan Enterprise 8.7i with Patch 1 will be needed to see the
- Issue: On Microsoft Windows Vista SP1 or
2008 server, sharing violations could occur when working with remote
files while network drive scanning was enabled. This resulted in being
denied access to files, or being unable to modify or save a file.
Resolution: The Anti-Virus Filter driver has been
updated to better handle potential sharing violations that could occur
and avoid conflicts.
- Issue: Prolonged use of the VirusScan
Console was causing delays in loading subsequent loading of the Console
window. (Reference: 456831)
Resolution: The VirusScan Console plug-in was corrected to properly clean up the .tmp files it creates at load time.
Access Protection rules were being triggered during creation of a
VirusScan customized installation package via McAfee Installation
Designer. This could lead to a crash of the McAfee Installation
Designer tool. (Reference: 435728)
Resolution: The VirusScan Email Scan library
appropriately handles the new Sensitivity level setting when it is
displayed in the McAfee Installation Designer window.
- Issue: Certain detections with multiple
infections or clean actions were logging the action two times. One
entry was made during the middle of the process, and the other during
the final resolution. (Reference: 404787)
Resolution: The Common Shell scanner has been updated to report only the final resolution of the detection.
- Issue: A 8E bugcheck (blue screen) might occur during the “Memory for Rootkits” portion of an on-demand scan. (Reference: 445490)
Resolution: The code analysis driver now uses a more robust method of querying the system for driver object data.
Access Protection block rules that were created for USB devices
sometimes did not handle removing and reinserting the device multiple
times. (Reference: 457415)
Resolution: The Access Protection, Anti-Virus Filter, and Link drivers have been updated to better handle reinserting the device.
- Issue: The on-access scanner was not properly utilizing the Scan files opened for Backup option. (Reference: 457416)
Resolution: The Anti-Virus Filter driver has been rectified to properly interpret the flag being sent from the on-access scanner.
In an ePolicy Orchestrator managed environment, the agent’s Collect and
Send Properties function could cause the McAfee Product Manager service
to spike its CPU utilization for extended periods of time. (Reference:
Resolution: The VirusScan Management Plug-in has been
updated to call for the scan engine and DAT files via a new API call,
rather than initializing the engine to retrieve the information. This
lessens the CPU time involved during the agent Collect and Send
- Issue: With certain Access Protection
rules enabled, VirusScan Enterprise was failing to return information
to the Checkpoint SecureClient software. (Reference: 444667)
Resolution: The binaries for Checkpoint integration have been updated to properly request information from VirusScan Enterprise.
Attempting to start an on-demand scan via the VirusScan tray icon could
result in an error on Microsoft Windows Vista. (Reference: 446950)
Resolution: The VirusScan tray icon correctly calls the on-demand scanner on User Access Controlled operating systems.
Creating a McAfee Installation Designer change package for VirusScan
Enterprise and the AntiSpyware Enterprise Module, sometimes failed to
upgrade the evaluations to licensed versions, for both products.
Resolution: McAfee Installation Designer configuration
applicator upgrades the licenses of VirusScan Enterprise and the
AntiSpyware Enterprise Module when they are both evaluations.
- Issue: The VirusScan Console On-Delivery Email Scanner entry was not worded correctly in German. (Reference: 438931)
Resolution: The VirusScan Resource file updates the displayed text to the correct wording in German.
- Issue: One of the ScriptScan “McLogEvent” entries was always recorded in English. (Reference: 431071)
Resolution: The Announcer library was updated to remove the extra notification.
In some cases, VirusScan Enterprise was not properly displaying Patch
information about itself and currently installed VirusScan Modules*.
Resolution: The VirusScan Management Plug-in has been
updated to gather the current information about Patch levels of its
installed VirusScan Modules*.
- Issue: When there were HotFixes or
Patches available for the VirusScan Modules*, they were not being
downloaded to the clients. (Reference: 445494)
Resolution: The AutoUpdate binary was modified to check
for the existence of the VirusScan Module* licenses when deciding which
HotFixes or Patches to install.
- Issue: Script errors were seen when
attempting to view the Japanese text, of the product description
window, in ePolicy Orchestrator 3.6.x. (Reference: 434203)
Resolution: The VirusScan 8.7i NAP file has been updated to display the Japanese page in its proper Unicode format (UTF-8).
The alert options for Network Appliance Filer and ICAP scanners were
visible on the workstation ePolicy Orchestrator policies. (Reference:
Resolution: The VirusScan 8.7i NAP and extension have
been updated to remove the alert options for alert options for Network
Appliance Filer and ICAP scanners, from the workstation policy, as
those scanners are server specific.
- Issue: Some ePolicy Orchestrator operational events were not being generated for the VirusScan Modules*. (Reference: 434423)
The VirusScan Reports extension updates the current VirusScan
Enterprise Event IDs (1329 – 1339) to be used for the VirusScan
- Issue: The on-demand scan log file
validation checked for invalid file characters, including the "<"
and ">" characters. (Reference: 433776)
Resolution: The VirusScan 8.7i extension validation for
the path name of the on-demand scanner log file now allows the "<"
and ">" characters, which are needed for ePolicy Orchestrator macro
- Issue: The alert options for the
VirusScan Modules* would not gray out when inheritance was enforced on
the parent policy. (Reference: 434231)
Resolution: The VirusScan 8.7i NAP now properly enforces inheritance on the VirusScan Module alert options.
Events generated by the VirusScan Enterprise for Offline Virtual Images
1.0 software were not being generated in ePO reports. (Reference:
Resolution: The McAfee Announcer library changed properties of the events to support current reporting in ePolicy Orchestrator 3.6.1.
Scanning events generated by VirusScan Enterprise 8.7i were not
populating the Task Name with proper information. (Reference: 453515)
Resolution: The McAfee Announcer library now populates the Task Name with the scanner that generated the event.
The Access Protection includes and exclude fields permitted a limited
number of characters in the extension interface. (Reference:
Resolution: The VirusScan 8.7i extension updates the
maximum limit of the include and exclude fields, to be consistent with
the point-product interface.
- Issue: Scanner exclusions that were
entered in ePolicy Orchestrator with a preceding blank space did not
show up correctly when they were enforced on the client. (Reference:
Resolution: The VirusScan 8.5i extension has been
updated to strip any preceding blank spaces from exclusions when they
are entered in ePolicy Orchestrator.
- Issue: VirusScan Enterprise added some
new events that were not included in the default event filter, which
was provided by ePolicy Orchestrator. (Reference: 462927)
Resolution: The VirusScan Reports extension updates the current list to allow filtering of these events.
This release consists of a package called VSE87P3.zip, which contains the following files:
||Package catalog file|
||This text file|
||ePolicy Orchestrator detection script for VirusScan Enterprise|
||Installer for this release|
||Initialization file for SETUP.EXE|
||Microsoft Installer Patch file|
||ePolicy Orchestrator 3.6.x NAP for VirusScan Enterprise|
||ePolicy Orchestrator 3.6.x Reports for VirusScan Enterprise|
||ePolicy Orchestrator 4.x extension for VirusScan Enterprise|
||ePolicy Orchestrator 4.x Reports for VirusScan Enterprise|
The following files are new with this Patch release:
- To use this release, you must have VirusScan Enterprise
8.7i software installed on the computer you intend to update with this
- For a list of supported environments for VirusScan
Enterprise 8.7i on Microsoft Windows, see McAfee Support KnowledgeBase
- This release does not work with earlier versions of VirusScan software.
- A reboot is needed to fully load the system drivers into memory. The package installation does not force the reboot.
- Extract the Patch files from VSE87P4.zip to a temporary folder on your hard drive.
- Double-click the file SETUP.EXE inside the temporary folder created in Step 1.
- Follow the instructions of the installation wizard.
Installation steps via ePolicy Orchestrator 3.6.x
- On the computer where the ePolicy Orchestrator 3.x console
resides, extract the Patch files and folders from VSE87P4.zip to a
temporary folder on your hard drive.
- Open the ePolicy Orchestrator 3.x console and add the package from the temporary folder created in Step 1 to your repository.
NOTE: Refer to Checking in Package in the ePolicy Orchestrator 3.x online Help, or Checking in PKGCATALOG.Z product packages
to the master repository in the ePolicy Orchestrator 3.6 online Help,
for instructions on adding a package to the repository. The package
type for this Patch is “Products or Updates.”
The next time an agent update task runs, the VirusScan Enterprise client automatically downloads and installs the Patch.
- In the ePolicy Orchestrator console, add the VSE870.NAP file using the Check in NAP wizard.
- Repeat the check-in process for the VSE870REPORTS.NAP reports extension.
NOTE: Once the NAPs are updated, the version can be verified in the ePolicy Orchestrator console (see Patch Inventory for version information).
Installation steps via ePolicy Orchestrator 4.x
- On the computer where the ePolicy Orchestrator 4.x console
resides, extract the Patch files and folders from VSE87P4.zip to a
temporary folder on your hard drive.
- Open the ePolicy Orchestrator 4.x console and add the package from the temporary folder created in Step 1 to your repository.
NOTE: Refer to Checking in Packages Manually
in the ePolicy Orchestrator 4.x online Help, for instructions on adding
a package to the repository. The package type for this Patch is
“Products or Updates.”
The next time an agent update task runs, the VirusScan Enterprise client automatically downloads and installs the Patch.
- From the top menu of the ePolicy Orchestrator console, click Configuration.
- From the menu tabs, click Extensions, then click Install Extensions in the lower left of the window.
- Click Browse and locate the VIRUSCAN8700(195).zip extension update from the temporary folder created in Step 1.
- Click OK to begin the extension update.
- Repeat the check-in process for the VIRUSCANREPORTS(154).zip reports extension.
NOTE: Once the extensions are updated, the version can be verified in the ePolicy Orchestrator Extensions list (see Patch Inventory for version information).
McAfee Installation Designer patch configuration
When creating a custom installation, using McAfee Installation Designer
and VirusScan Enterprise 8.7 Repost 3, the configuration requires
additional steps to properly include the patch to the custom
- Create a registry file with the following registy settings.
the registry file listed above into the "Registry Settings" option
page. This applies the file before attempting to launch the patch
- Finish creating the McAfee Installation Designer custom installation package and deploy.
Always reboot prior to validating that a Patch has been installed successfully.
- Open the VirusScan Console and select About from the Help
menu. The About VirusScan Enterprise window, Installed Patches,
- After property information has been collected
by the ePolicy Orchestrator agent, the client system displays that
Patch 4 is installed as the “Hotfix” version within the agent
"About..." section. If the value HotfixVersions appears, it is a
temporary value and is removed after a full property collection from
the client is performed.
- Confirm that the expected files
are installed by checking the version number of individual files. File
versions should match the list of files in Patch Inventory, above.
NOTE: Patch releases are not displayed or do not report that
the Patch is installed if an error occurred during installation, or if
a file did not install correctly.
Hotfix and Patch reporting
There is Hotfix/Patch information in the ePolicy Orchestrator
properties for each computer. On the ePolicy Orchestrator Properties
tab for each computer, the VirusScan 8.7i General branch displays two
- Patch – Displays the current Patch installed.
- Fixes - Displays any number of Hotfixes listed in the registry.
A check is involved to verify that the Hotfix/Patch matches the
entry in the registry to the private build description of the binary.
If the two don’t match, the Patch or Hotfix does not appear.
NOTE: Currently there are no reports or compliance checks that use this information.
Removing the Patch
Windows Installer 3.x and later now support the rolling back of Patches. This can be done one of two ways.
- For Windows XP, Windows 2003, Windows Vista, Windows 2008,
and Windows 7 operating systems, the Patch can be removed manually via
Add/Remove Programs if the user has administrative rights to the local
- For all operating systems that support Windows Installer 3.x, a command-line option can be used to remove the Patch silently.
- The GUID information used here changes from one Patch to
another. Always use the information in the Release Notes for the Patch
that you are removing.
- Because the Patch is removed via
MSIEXEC, the functions inside setup.exe, which normally prevent reboots
from occurring during silent processes, are not executed. In order to
prevent a possible automatic reboot from occurring after a Patch
removal, simply add the REBOOT=R parameter to the command-line option
- Patch removal is an MSI reinstall function. When a
Patch is removed, all features affected by the Patch are reset to
installation defaults. Any features not modified by the Patch are left
with their current settings.
- Update VirusScan Enterprise after removing the Patch to ensure that the latest versions of the engine and DAT files are run.
Copyright © 2010 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any
language in any form or by any means without the written permission of
McAfee, Inc., or its suppliers or affiliate companies.
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD,
INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE EXCHANGE),
MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE,
SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN, WEBSHIELD are registered
trademarks or trademarks of McAfee, Inc. and/or its affiliates in the
US and/or other countries. McAfee Red in connection with security is
distinctive of McAfee brand products. All other registered and
unregistered trademarks herein are the sole property of their
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT
CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE
GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF
YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT
THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED
SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT
CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE
SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN
THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY
RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.