In air-gapped environments with isolated connectivity, DAT or AMCore content updates fail. Symptoms can include the following:
- Systems fall out of compliance if they've not been updated for prolonged periods.
- The content version reported across the affected systems is usually the same. This means that the systems fail to update the content on the same day.
The masvc_<system name>.log located in the Agent log directory (...\ProgramData\McAfee\Agent\logs) records the invocation of any update task with statements similar to the following:
<timestamp> masvc(1336.1380) Updater.Info: Invoking mue as, [C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe -script C:\ProgramData\McAfee\Agent\update\UpdateMain.McS -id 14336 -localeid 0409 -logfile C:\ProgramData\McAfee\Agent\logs\McScript -parent FRAMEWORK -initiator 0 -ipcid ma.service.updater.uiprovider.CMAAGENT3000.0.0 -installdir C:\Program Files\McAfee\Agent\\x86\ -taskid {1b296a8e-4212-11ea-3234-a3c75bdddb29} (null) ].
<timestamp> masvc(1336.1380) Updater.Info: Updater engine is spawned successfully.
...
<timestamp> masvc(1336.1380) compatservice.Info: is_compat_running: 1, is_compat_required: 1
<timestamp> masvc(1336.1380) msgbus.Info: QueryFullProcessImageName C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe
<timestamp> masvc(1336.1380) msgbus.Info: verify code signature returns <-2146762486>, GetLastError <-2146762486>.
<timestamp> masvc(1336.1380) msgbus.Warning: Allowing <C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe(11924)> limited access onto msgbus
...
The McScript.log located in the Agent log directory (...\ProgramData\McAfee\Agent\logs), which tracks the update process, records statements similar to the following:
<time and date> I #22504 ScrptExe Running "C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe" /LPCPUID=AMCORE__2000:8980_3429152929:0001
<time and date> I #22504 ScrptExe Running "C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe" /LPCPUID=AMCORE__2000:8980_3429152929:0001
<time and date> I #22504 ScrptExe Did not match searched path
<time and date> I #22504 ScrptExe Executing "C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe" /LPCPUID=AMCORE__2000:8980_3429152929:0001
<time and date> I #22504 ScrptExe Executing "C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe" /LPCPUID=AMCORE__2000:8980_3429152929:0001 /INITEVENT=NOTIFY_INIT_{BE8DA76F-04E1-4A87-B836-7D7C80147DA9} /DEINITEVENT=NOTIFY_DEINIT_{547A6F47-DA98-48B7-A55C-4541D9B1605F}
...
<time and date> I #22504 UpdatePlugin Initializing update plugin: AMCORE__2000:8980_3429152929:0001
<time and date> I #22504 UpdatePlugin Creating instance of LPC updater callback interface
<time and date> I #22504 UpdatePlugin Successfully created updater callback LPC interface
...
<time and date> E #22504 UpdatePlugin LPCException occurred in MfeUpdatePluginWrapper::setProductInfo()
<time and date> I #22504 ScrptExe Failed to set the product information. Setting SetMcShieldClientdll to FALSE
...
<time and date> E #22504 ScrptExe [DeinitSignalApp]->
<time and date> E #22504 ScrptExe Could not deinitialize the process with id - AMCORE__2000:8980_3429152929:0001 as no such process exists
<time and date> I #22504 ScrptExe Executing section: [LatestAlreadyInstalled]
<time and date> I #22504 ScrptMgr Product(s) running the latest AMCore.
The content update process finishes reporting that no new content can be found. So, the content remains on the currently installed version. Also, if you trace an update attempt with a tool like Process Monitor, you can observe that amupdate.exe repeatedly tries to access MsgBus related files (for example, C:\ProgramData\McAfee\Agent\DB\msgbus.db or C:\ProgramData\McAfee\Agent\keystore\agentpubkey.bin).
A reboot doesn't correct the problem. Exploit Prevention content might still update successfully.
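A triage helper for the log pattern described above, added here as an example and not vendor code: it scans collected masvc and McScript lines for the failed signature check, the limited msgbus access warning, the LPCException, and the closing "latest AMCore" message. The function names, the constructed sample lines, and the treatment of a zero return value as success are assumptions.

```python
import re

# Constructed sample lines modelled on the masvc and McScript excerpts above.
SAMPLE = r"""
<timestamp> masvc(1336.1380) msgbus.Info: QueryFullProcessImageName C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe
<timestamp> masvc(1336.1380) msgbus.Info: verify code signature returns <-2146762486>, GetLastError <-2146762486>.
<timestamp> masvc(1336.1380) msgbus.Warning: Allowing <C:\Program Files\Common Files\McAfee\Engine\AMCoreUpdater\amupdate.exe(11924)> limited access onto msgbus
<time and date> E #22504 UpdatePlugin LPCException occurred in MfeUpdatePluginWrapper::setProductInfo()
<time and date> I #22504 ScrptMgr Product(s) running the latest AMCore.
""".strip().splitlines()

SIG = re.compile(r"verify code signature returns <(-?\d+)>")
LIMITED = re.compile(r"Allowing <(.+?)\(\d+\)> limited access onto msgbus")
LPC_FAIL = "LPCException occurred in MfeUpdatePluginWrapper::setProductInfo()"
LATEST = "Product(s) running the latest AMCore."

def to_hresult(code):
    """Render the signed 32-bit value the log prints as unsigned HRESULT hex."""
    # -2146762486 becomes 0x800B010A, which winerror.h names CERT_E_CHAINING
    # (a certificate chain could not be built to a trusted root authority).
    return "0x%08X" % (code & 0xFFFFFFFF)

def triage(lines):
    """Collect the symptom markers from combined masvc/McScript log lines."""
    found = {"sig_failures": [], "limited_access": [],
             "lpc_exception": False, "reported_latest": False}
    for line in lines:
        m = SIG.search(line)
        # Assumption: a return value of 0 means the signature check passed.
        if m and int(m.group(1)) != 0:
            found["sig_failures"].append(to_hresult(int(m.group(1))))
        m = LIMITED.search(line)
        if m:
            found["limited_access"].append(m.group(1))
        found["lpc_exception"] |= LPC_FAIL in line
        found["reported_latest"] |= LATEST in line
    # Full pattern: signature check fails, the updater gets only limited
    # msgbus access, the plugin throws, yet the task still ends as "latest".
    found["matches_symptom"] = all(found.values())
    return found

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it over the concatenated contents of both logs from one system; `matches_symptom` is true only when all four markers are present.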