Update Agent Memory Leak when Running McAfee VirusScan 8.0i Patch 11 or higher
Description
This article provides a solution for a memory leak that arises when the PATCHLINK UPDATE Agent for Windows is running on the same machine as McAfee VirusScan Enterprise 8.0i Patch 11.
Applies To: Update Agent for Windows; McAfee VirusScan Enterprise 8.0i Patch 11
SYMPTOMS
The Update Agent for Windows, when installed on a machine also running McAfee VirusScan Enterprise 8.0i Patch 11 or higher, consumes increasing amounts of memory in the following scenarios:
Agent receives a deployment from the PATCHLINK UPDATE Server (PLUS)
When the Update Agent receives a deployment, memory allocation to the gravitixservice.exe spikes from around 10 MB to around 30 MB. This memory is not released to the system when the deployment completes and continues to grow with each subsequent deployment.
Agent attempts to establish a connection with PLUS but is unable to due to network connectivity issues
When the Update Agent is unable to establish a connection with PLUS due to network connectivity issues, memory allocation to the gravitixservice.exe increases 2 to 4 KB with each connection attempt.
CAUSE
On machines running McAfee VirusScan Enterprise 8.0i Patch 11 or above, the memory leak can exist with any process that utilizes VBScript/Jscript. Normally the leak goes unnoticed as applications are closed by the user and memory is released, but for services like gravitixservice.exe and processes that heavily utilize scripting the leak can be significant over time.
The root cause of this issue is in the ScriptScan (scriptproxy.dll) architecture. This component is unable to track which interface is adding/releasing references to objects, causing a leak.
RESOLUTION
McAfee has published McAfee Virus Scan 8.0i Patch 15 which allows processes to be excluded from ScriptScan.
Note: This issue is resolved in VirusScan Enterprise 8.5i
WORKAROUND
Disable ScriptScan
McAfee 8.0i customers that are not utilizing the ScriptScan feature within their enterprise should disable the feature. This can be done by unregistering the scriptproxy.dll file as follows:
1. At a command prompt, cd to C:\Program Files\Network Associates\VirusScan.
2. Type regsvr32 /u scriptproxy.dll.
3. Press ENTER.
4. Restart the computer.
A hotfix is also available from McAfee Support, named VSE80HF241572.zip, which allows you to disable the ScriptScan feature via the user interface or policy enforcement and will be included in the Patch 15 release. Refer to McAfee kb44955 for more information.