Skip to main content
Question

McAfee ePO client upgrade weirdness

  • April 27, 2016
  • 11 replies
  • 34 views
AVmcclint
Forum|alt.badge.img+21

We are finally upgrading our McAfee ePO server so we can run the version that's compatible with El Capitan. I was able to get the install.sh from the server and manually installed it on some test 10.10.5 Macs without problems. In a Policy I'm using a script that automatically determines whether the -i or -u switches need to be used and it works great. However I did notice a few minor errors at the end so I commented those lines out and decided to run it again on the same Mac to see if it treats it as an upgrade (to the same version). I flushed the log on the policy and ran it again via Self Service and it almost immediately erred. The error indicated that the file can't be found to copy the install.sh to /Library/Application Support/McAfee/ This is very unusual because I just used that exact same policy to install it 5 minutes earlier. I rebooted and still got the same error. I decided to manually copy the .pkg file that contains the install.sh to the desktop and run it from there to see what happens. EXACT same problem! Now I know this pkg is good because I just used it this Mac and a couple others. I'm starting to think something in McAfee is blocking the installation of the pkg so I run the uninstall.sh script and remove everything. but I notice that /Library/Application Support/McAfee/ is still in place. I tried deleting it but the OS won't let me! I went into terminal and tried sudo rm -Rf on that folder and I get "permission denied"! The permissions are 775. WTF? I restart the computer and then I'm finally able to delete that folder.

What I've concluded is that this new version of McAfee (10.1.0) does something to protect the /Library/Application Support/McAfee/ folder so much that not even root can do anything with it until you completely uninstall AND restart the computer. At first I thought this was SIP gone haywire but then I remembered that this was a Yosemite Mac.

This makes me wonder how future upgrades or even re-installations are going to work since the install.sh goes into that folder, but once we're running the new version, that folder is protected from EVERYTHING. Clean installations work and upgrades from 2.3.0 work, but doing anything that equates to re-installing this new version fails every time.

Does anyone know how this is supposed to work on the new version?

    11 replies

    T
    Forum|alt.badge.img+9
    • timlarsen
    • Valued Contributor
    • April 27, 2016

    We haven't gone through this process yet with the latest version, but will be doing so at some point. Any interesting errors in the log files located in private/var/McAfee/agent/logs ?

    AVmcclint
    Forum|alt.badge.img+21
    • AVmcclint
    • Author
    • Esteemed Contributor
    • April 27, 2016

    There is no /private/var/McAfee/ directory. There's nothing in /Library/Logs/ either. The only McAfee related log is /private/var/McAfeeSecurity.log and it doesn't have any entries that correspond to the time I tried to delete that folder. It seems to only have entries that correspond to the startup of the agent.

    B
    Forum|alt.badge.img+5
    • bainter
    • Contributor
    • April 27, 2016

    I began limited deployment of the 5.0.2.xxx version of the McAfee Agent and it was working great (as much as one can get excited about McAfee), the different modules were getting downloaded/installed finally. Then sporadic little issues started rolling in--longer than "normal" delays at login, lots of log entries and multiple processes each exceeding 30% bogging down the Macs. Uninstall and everything is normal. I heard the 5.0.2.xxx agent is considered unstable for Windows (blue screen) at our site so they're getting rolled back to 5.0.1.xxx.

    jconte
    Forum|alt.badge.img+12
    • jconte
    • Valued Contributor
    • April 27, 2016

    Here is what I am doing to install McAfee, it has worked all the way through El Cap. I drop the script and pkg into folders, uninstall the existing client and then install the new one. Hope this helps.

    !/bin/bash

    This script installs the McAfee Client (VSM980-RTW-1791.pkg) then uninstalls the old McAfee Agent and reinstalls the new EPO Agent (install98.sh)

    Created by Jeffrey Conte 5-22-2013

    Modified by Jeff Conte on 10/20/2015 to uninstall any previous McAfee Agents (testing to see if the uninstall exists first)

    This will uninstall any previously installed McAfee agents

    if [ -e /Library/McAfee/cma/uninstall.sh ] then /Library/McAfee/cma/uninstall.sh
    fi

    This will install the upgraded Virus Protection and updated McAfee Agent

    installer -package /Library/CompanyName/Packages/VSM980-RTW-1791.pkg -target /
    /Library/McAfee/cma/uninstall.sh
    /Library/CompanyName/bin/install98.sh -i

    AVmcclint
    Forum|alt.badge.img+21
    • AVmcclint
    • Author
    • Esteemed Contributor
    • April 27, 2016

    I think you're using a completely different version than we are.

    AVmcclint
    Forum|alt.badge.img+21
    • AVmcclint
    • Author
    • Esteemed Contributor
    • May 2, 2016

    I just discovered that there may be a .plist that is blocking access to /Library/Application Support/McAfee/ under the new version. I found /usr/local/.McAfee/3/com.mcafee.ssm.appprotection.plist and among other things it has this section:

    <key>SpecialFolders</key>
    <array>
        <string>/usr/sbin</string>
        <string>/System/Library</string>
        <string>/bin</string>
        <string>/sbin</string>
        <string>/usr/bin</string>
        <string>/usr/libexec</string>
        <string>/Applications/Utilities/</string>
        <string>/Library/McAfee</string>
        <string>/usr/local/McAfee</string>
        <string>/Applications/McAfee Endpoint Protection for Mac.app</string>
        <string>/Applications/AppPro Profile Generator.app</string>
        <string>/Library/Application Support/McAfee</string>
        <string>/Library/Frameworks/VirusScanPreferences.framework</string>
        <string>/Applications/McAfee VDisk.app</string>
        <string>/Library/Frameworks/McAfeeVDisk.framework</string>
        <string>/Applications/McAfeeSecurityUninstaller.app</string>
    </array>

    My guess is that as long as the new McAfee software is running the folders listed in this section are protected. It is still a mystery for how future upgrades will be done with this in place.

    J
    Forum|alt.badge.img+14
    • Josh_Smith
    • Contributor
    • May 2, 2016

    @AVmcclint I've been successfully testing a package that drops the install.sh to a temp location and then installs/upgrades/reinstalls the McAfee agent based on the current condition of the client.

    I think you stated you were doing something similar, with the notable exception that you were putting the install.sh in /Library/Application Support/McAfee , is that right? Would moving install.sh to another directory solve your issue?

    ImAMacGuy
    Forum|alt.badge.img+23
    • ImAMacGuy
    • Esteemed Contributor
    • May 2, 2016

    @Josh.Smith would you be willing / able to share the script that you used that includes the new/upgrade/reinstall logic?

    J
    Forum|alt.badge.img+14
    • Josh_Smith
    • Contributor
    • May 2, 2016

    @jwojda This is what I came up with....working well so far in limited testing: McAfeeAgentInstallation.sh

    I use it as a postinstall script in a package that places install.sh in /private/tmp/install.sh

    M
    Forum|alt.badge.img+7

    Is anyone deploying the ePO agent installer script also blocking the writing to Removable Media using a configuration profile?
    In our environment, the install script fails when the configuration profile is installed. After removal and reboot, the install script works normally.

    Here is the output from the install log

    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Product archive /Library/Application Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg trustLevel=100
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: location = file://localhost
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: -[IFDInstallController(Private) _buildInstallPlanReturningError:]: file://localhost/Library/Application%20Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg#payload.pkg
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Set authorization level to root for session
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Administrator authorization granted.
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Will use PK session
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Using authorization level of root for IFPKInstallElement
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Starting installation:
    Jun 7 12:48:38 WM-C02QV298G8WM installer[67005]: Configuring volume "Macintosh HD"
    Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: Preparing disk for local booted install.
    Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: Free space on "Macintosh HD": 344.11 GB (344112967680 bytes).
    Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: Create temporary directory "/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T//Install.67005ec65J7"
    Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: IFPKInstallElement (1 packages)
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Adding client PKInstallDaemonClient pid=67005, uid=0 (/usr/sbin/installer)
    Jun 7 12:48:39 WM-C02QV298G8WM installer[67005]: PackageKit: Enqueuing install with framework-specified quality of service (utility)
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: ----- Begin install -----
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: request=PKInstallRequest <1 packages, destination=/>
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: packages=( "PKLeopardPackage <file://localhost/Library/Application%20Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg#payload.pkg>" )
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Will do receipt-based obsoleting for package identifier editmcafeeepo5.0.3 (prefix path=)
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Extracting file://localhost/Library/Application%20Support/JAMF/Downloads/edit_McAfee_ePO_5.0.3.pkg#payload.pkg (destination=/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/E47C350C-EFEC-4733-8277-E627EE165A8C.activeSandbox/Root, uid=0)
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: prevent user idle system sleep
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: suspending backupd
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Using trashcan path /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/T/PKInstallSandboxTrash/E47C350C-EFEC-4733-8277-E627EE165A8C.sandboxTrash for sandbox /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/E47C350C-EFEC-4733-8277-E627EE165A8C.activeSandbox
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Shoving /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/PKInstallSandboxManager/E47C350C-EFEC-4733-8277-E627EE165A8C.activeSandbox/Root (1 items) to /
    Jun 7 12:48:39 WM-C02QV298G8WM install_monitor[67008]: Temporarily excluding: /Applications, /Library, /System, /bin, /private, /sbin, /usr
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: PackageKit: Executing script "./postinstall" in /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: ./postinstall: space required to copy archive is 13285292 bytes
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: ./postinstall: space available at mfesKLW2c is 344106283008 bytes
    Jun 7 12:48:39 WM-C02QV298G8WM installd[1690]: ./postinstall: extracting archive to mfesKLW2c... please wait
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 231+0 records in
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 231+0 records out
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 118272 bytes transferred in 0.000573 secs (206437255 bytes/sec)
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 12724+1 records in
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 12724+1 records out
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: 6515016 bytes transferred in 0.034234 secs (190308088 bytes/sec)
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: Archive: mfesKLW2c/package.zip
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/MFEma.dmg Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/reqseckey.bin Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/srpubkey.bin Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/sitelist.xml Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/req2048seckey.bin Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/sr2048pubkey.bin Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/agentfipsmode Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: inflating: mfesKLW2c/RepoKeys.ini Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: Checksumming whole disk (Apple_HFS : 0)…
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: whole disk (Apple_HFS : 0): verified CRC32 $D2FAD3B4
    Jun 7 12:48:40 WM-C02QV298G8WM installd[1690]: ./postinstall: verified CRC32 $7353B941
    Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: hdiutil: attach failed - no mountable file systems
    Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: /usr/local/.edit/TMPPKG/ePO/install.sh: line 274: cd: /Volumes/MFEMA: No such file or directory
    Jun 7 12:48:41 WM-C02QV298G8WM installer[67095]: PFPkg: No file found at path: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
    Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: Jun 7 12:48:41 installer[67095] <Critical>: PFPkg: No file found at path: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
    Jun 7 12:48:41 WM-C02QV298G8WM installer[67095]: PFPackage::packageWithURL - can't instantiate package: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
    Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: Jun 7 12:48:41 installer[67095] <Critical>: PFPackage::packageWithURL - can't instantiate package: /private/tmp/PKInstallSandbox.enfZJo/Scripts/editmcafeeepo5.0.3.tJj7f4/ma.pkg
    Jun 7 12:48:41 WM-C02QV298G8WM installd[1690]: ./postinstall: installer: Error the package path specified was invalid: 'ma.pkg'.
    Jun 7 12:48:46 WM-C02QV298G8WM installd[1690]: ./postinstall: hdiutil: detach failed - No such file or directory
    Jun 7 12:48:52 WM-C02QV298G8WM installd[1690]: ./postinstall: /usr/local/edit/TMPPKG/ePO//install.sh
    Jun 7 12:48:52 WM-C02QV298G8WM installd[1690]: ./postinstall: /usr/local/edit/TMPPKG/ePO/

    The line in bold is where the failure occurs. The encrypted pkg within the script cannot mount, there for no install can happen.

    Any thoughts?

    AVmcclint
    Forum|alt.badge.img+21
    • AVmcclint
    • Author
    • Esteemed Contributor
    • June 29, 2016

    @jrserapio I discovered that having a config profile that prevented WRITING to disk images caused a LOT of problems. As soon as I unchecked that box that prevented writing to disk images, nearly all my install problems disappeared. I opened a case with tech support and a new defect was filed. I don't remember the defect number off the top of my head, but it is on record. At this point, I just hope users don't realize that they can create writable dmg files until this is fixed. I still don't understand why this causes problems when some dmgs are read-only and can't be written to anyway.

    Terms & ConditionsCookie settingsAccessibility statement