Windows Update / Microsoft Update fails with error 0x80072EFD when running McAfee Virus Scan Enterprise 8.0i

System Requirements:

  • Windows 2000 SP4 + BITS 2.0
  • Windows XP SP2
  • McAfee Virus Scan Enterprise 8.0i

The Problem:

This is one of those irritations that could (and should) have been sorted immediately, but lingered for months with a really very simple solution.

When you are using a suitably equipped version of Windows and happen to have McAfee Virus Scan Enterprise 8.0i installed (confirmed on Patches 11 and 15, but should apply to any patch version and 8.5i), your computer(s) fail to receive automatic updates through the AUClient Windows Automatic Updates service. In addition, if you attempt to access Windows Update or Microsoft Update, the update detection fails with error code 0x80072EFD.

All contemporary fixes / Microsoft suggestions to fix this fail to resolve the problem.

The Fix:

This is well and truly McAfee’s responsibility. It isn’t their fault – but it is what you get when you blur the line between an anti-virus product and a firewall.

I could argue the point that some foresight in the product on this, or some reference to the issue on their knowledge base, would have been useful, particularly as this ‘issue’ impacts users connecting both to the web based WU/MU and any corporate SUS system.

McAfee Virus Scan has a non-default option to inhibit port 80 downloads from non-approved executables. If through group policy, custom installation script, or distribution agreement (as with local authority school distributions of Network Associates McAfee AV) this policy has been enabled, then the Automatic Updates service is prevented from connecting to the Internet and downloading catalogue information.

Internet Explorer sessions to SUS/WU/MU are impacted because, as of version 5 server connections, they rely upon the Automatic Updates service and the Background Intelligent Transfer Service (BITS) to make use of Windows Update.

To fix the error you have two options:

  1. Disable the McAfee Access Protection policy
  2. Add the Service Host process wrapper used by the AU/BITS services to the approved connections list

Disable the Access Protection Policy

  1. Open Virus Scan Console as an Administrator
  2. Right click Access Protection
    [Screenshot: Virus Scan Console: Access Protection]
  3. Choose Properties
  4. Remove the check mark next to “Prevent Downloads from the World Wide Web”
    [Screenshot: Access Protection]
  5. Click OK

Approve the AU/BITS service to perform port 80 downloads

Both the Automatic Updates service and BITS service run as part of the Service Host Process wrapper service (as do many other system services); therefore you must allow the Service Host download permission to resolve this problem without fully disabling the McAfee policy.

As an administrator you should consider this carefully and ensure that, if nothing else, McAfee is patched and receiving updates properly. If your systems are not adequately protected, they may be vulnerable to exploitation by the plethora of Service Host process resident malware applications and viruses, which can potentially embed themselves into a Service Host process. As a direct consequence of disabling this policy for svchost.exe, any such code will by default receive port 80 (the only port by default) download access.

Disabling through the Interface

  1. In the Access Protection configuration in Virus Scan Console, highlight “Prevent Downloads from the World Wide Web” and click the edit button
  2. Add ‘svchost.exe’ (without the quotes) to the exceptions list
    [Screenshot: Block Range]
  3. Click OK

Disabling through the registry

The fastest way to sort it is to distribute the registry change through group policy (or similar). The information below is correct for VSE 8.0i Patch 15.

HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\BehaviourBlocking
REG_SZ: PortBlockWhiteList_3
Value: (see below for overview of the required change)

McAfee Vanilla Install Settings:
outlook.exe,msimn.exe,iexplore.exe,mozilla.exe,netscp.exe,opera.exe,thunderbird.exe,msn6.exe,neo20.exe,mobsync.exe,waol.exe,nlnotes.exe

Required Change based upon Vanilla Install:
outlook.exe,msimn.exe,iexplore.exe,mozilla.exe,netscp.exe,opera.exe,thunderbird.exe,msn6.exe,neo20.exe,mobsync.exe,waol.exe,nlnotes.exe,svchost.exe
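
The registry change above, as an added example that is not part of the original page: pushing the "Required Change" string verbatim overwrites any site-specific entries, so this sketch merges svchost.exe into whatever list a machine already has and reports entries beyond the vanilla list for review. It assumes its input is the text printed by `reg query` for the key above; `sitetool.exe` is a hypothetical entry in a constructed sample.

```python
import re

# Registry value named on the page (VSE 8.0i Patch 15).
VALUE_NAME = "PortBlockWhiteList_3"
# Vanilla install list, copied from the page.
VANILLA = ("outlook.exe,msimn.exe,iexplore.exe,mozilla.exe,netscp.exe,opera.exe,"
           "thunderbird.exe,msn6.exe,neo20.exe,mobsync.exe,waol.exe,nlnotes.exe")


def parse_list(value):
    """Split a comma-separated whitelist, dropping blanks and case-insensitive duplicates."""
    seen, out = set(), []
    for item in value.split(","):
        name = item.strip()
        if name and name.lower() not in seen:
            seen.add(name.lower())
            out.append(name)
    return out


def read_value(reg_query_output):
    """Pull the REG_SZ data for VALUE_NAME out of `reg query` text, or None if absent."""
    m = re.search(r"^\s*%s\s+REG_SZ\s+(.*?)\s*$" % re.escape(VALUE_NAME),
                  reg_query_output, re.MULTILINE)
    return m.group(1) if m else None


def plan_change(reg_query_output, add="svchost.exe"):
    """Return (new_value, changed, extras): the merged list, whether a write is
    needed, and entries already present that are not in the vanilla list."""
    current = read_value(reg_query_output)
    if current is None:
        raise ValueError(VALUE_NAME + " not found; is the policy key present?")
    entries = parse_list(current)
    vanilla = {e.lower() for e in parse_list(VANILLA)}
    extras = [e for e in entries if e.lower() not in vanilla and e.lower() != add.lower()]
    changed = add.lower() not in {e.lower() for e in entries}
    if changed:
        entries.append(add)
    return ",".join(entries), changed, extras


# Constructed sample: a machine whose list already carries a site-specific entry.
SAMPLE = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\Shared Components"
          "\\On Access Scanner\\BehaviourBlocking\n"
          "    PortBlockWhiteList_3\tREG_SZ\t" + VANILLA + ",sitetool.exe\n")

if __name__ == "__main__":
    new_value, changed, extras = plan_change(SAMPLE)
    print("write needed:", changed, "| review:", extras, "| new value:", new_value)
```

Every name in the resulting list is exempt from the port 80 download block, so the `extras` output is the part worth reading before the new value is written back.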