A couple of days after I had updated a series of products within the McAfee EPO, I started getting complaints from users about slow access times over the WAN. After running a technically intensive test (ping) I determined that their complaints were well founded. In an earlier time I would have hopped on the router and done who knows what to find the offending party, but I’ve been spoiled these last couple of years by having outsourced routers (inaccessible to me) with our MPLS setup. Not knowing what was causing the issue I tried toggling some Internet services, investigated file shares, e-mail usage, etc. before taking a ‘what the heck’ approach and stopping the EPO Server service. The instant I stopped it, the bandwidth issue cleared up. Started it up again, and it came back.
Thinking that the issue lay with the EPO program itself, I figured the best approach would be to try to upgrade myself out of it by moving from EPO 4.0 to EPO 4.5. This was an event all its own and required a bit of work to get past a database upgrade issue. After I was done the system came back up and… same issue: the WAN pipe gets completely clogged (apart from our class of service specs, of course). I tried following some bandwidth minimization strategies put forward by McAfee, but they weren’t really a good fit for the issue we were having. I wasn’t getting anywhere with the logs in trying to determine what the huge chunk of data being sent to the server was, so I fired up Network Monitor on the off chance that some XML file was being sent in clear text and would let me determine what the data was.
When I got into the captured data I began scanning some packets, and while none of them were plain text, I did notice a huge disparity in how much the various machines were communicating with the server. It was so large that two PCs, one at each of our remote locations, appeared to be the sole users of the server over that brief time. These PCs were also communicating over port 8085, the agent communication port for our EPO server. I opened the services on the trouble units, stopped the McAfee Framework service, and the bandwidth issue cleared up immediately. When I started the service back up, the bandwidth issue would spring back up, although it took a variable amount of time.
I’m going to try to redo the agents on the affected systems to see if I can clear this issue up…
UPDATE: Forcing a reinstall of the agent through EPO cleared the issue up on the affected systems.
UPDATE 2: Not so fast! It appears that for whatever reason my two problem PCs were not applying the second patch for McAfee VirusScan 8.7. If I had to guess, they were constantly trying to download the patch, leading to my bandwidth issue. The problem now seems permanently cleared up after manually applying the patch to the systems. The misdiagnosis in the earlier update was caused by a very long lag between when the agent was installed and when it checked in with the EPO.
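The two things the capture actually revealed, a handful of hosts accounting for nearly all of the traffic to the agent port, and (per the second update) an agent stuck in a download-and-retry loop, can both be pulled out of a packet summary mechanically rather than by eyeballing packets. The script below is an added example, not code from the original post or from McAfee. It assumes a CSV export of a capture with one row per packet (time, src, dst, sport, dport, length), the sort of summary you can save from Network Monitor or Wireshark; the rows embedded here are constructed, the server address 10.0.0.5 is made up, and port 8085 is the agent-to-server port the post names for its own site. It ranks sources by bytes sent to the agent port and flags hosts that keep opening fresh TCP connections to it, which is what an agent that repeatedly fails and restarts a package download looks like on the wire.

```python
"""Top-talker and retry-loop check over a packet summary (added example).

Input is assumed to be a per-packet CSV export of a capture; the sample
rows below are constructed, not from a real capture.
"""
import csv
import io
from collections import defaultdict

EPO_SERVER = "10.0.0.5"   # assumed address of the ePO server (hypothetical)
AGENT_PORT = 8085         # agent-to-server port quoted in the post (site-specific)

# Constructed sample: two remote-site PCs hammering the server, plus a little
# normal agent check-in traffic and one unrelated SMB packet.
SAMPLE_CSV = """time,src,dst,sport,dport,length
0.00,10.1.1.50,10.0.0.5,51000,8085,1460
0.01,10.1.1.50,10.0.0.5,51000,8085,1460
0.02,10.0.0.20,10.0.0.5,49000,8085,300
0.03,10.2.2.77,10.0.0.5,52000,8085,1460
0.04,10.0.0.21,10.0.0.7,49500,445,200
0.05,10.1.1.50,10.0.0.5,51001,8085,1460
0.06,10.2.2.77,10.0.0.5,52001,8085,1460
0.07,10.1.1.50,10.0.0.5,51001,8085,1460
0.08,10.2.2.77,10.0.0.5,52002,8085,1460
0.09,10.1.1.51,10.0.0.5,53000,8085,300
0.10,10.1.1.50,10.0.0.5,51002,8085,1460
0.11,10.2.2.77,10.0.0.5,52003,8085,1460
0.12,10.0.0.20,10.0.0.5,49000,8085,300
0.13,10.1.1.50,10.0.0.5,51002,8085,1460
0.14,10.2.2.77,10.0.0.5,52004,8085,1460
"""


def load_rows(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "time": float(r["time"]),
            "src": r["src"],
            "dst": r["dst"],
            "sport": int(r["sport"]),
            "dport": int(r["dport"]),
            "length": int(r["length"]),
        })
    return rows


def agent_traffic(rows, server=EPO_SERVER, port=AGENT_PORT):
    """Keep only packets headed to the server's agent port."""
    return [r for r in rows if r["dst"] == server and r["dport"] == port]


def bytes_per_source(rows, server=EPO_SERVER, port=AGENT_PORT):
    """Total bytes each client sent to the agent port."""
    totals = defaultdict(int)
    for r in agent_traffic(rows, server, port):
        totals[r["src"]] += r["length"]
    return dict(totals)


def top_talkers(rows, server=EPO_SERVER, port=AGENT_PORT):
    """(src, bytes, share of all agent-port bytes), biggest sender first."""
    totals = bytes_per_source(rows, server, port)
    grand = sum(totals.values())
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(src, n, (n / grand) if grand else 0.0) for src, n in ranked]


def retry_loop_suspects(rows, server=EPO_SERVER, port=AGENT_PORT, min_connections=3):
    """Hosts that opened at least min_connections distinct TCP connections.

    Heuristic: a distinct client source port is treated as a new connection.
    A healthy check-in reuses one connection; an agent that keeps failing a
    download and starting over shows up as many short-lived connections.
    """
    conns = defaultdict(set)
    for r in agent_traffic(rows, server, port):
        conns[r["src"]].add(r["sport"])
    suspects = [(src, len(ports)) for src, ports in conns.items() if len(ports) >= min_connections]
    return sorted(suspects, key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    packets = load_rows(SAMPLE_CSV)
    for src, n, share in top_talkers(packets):
        print(f"{src:<12} {n:>7} bytes  {share:6.1%}")
    print("retry-loop suspects:", retry_loop_suspects(packets))
```

In the constructed sample the two remote PCs account for about 95% of the bytes to port 8085 and are the only hosts that keep re-opening connections, which matches what the post found by hand. The connection count is a heuristic: one long-lived transfer from a legitimately large update would rank high on bytes but not on connections, so the two views together separate "big download" from "download that never finishes".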