Anti-Virus: ERROR: DCOM Error Event ID 10001
03/26/2020
DESCRIPTION:
Anti-Virus: ERROR: DCOM Error Event ID 10001
RESOLUTION:
Problem
Total Protection fails to update on Domain Controllers when no users are logged in.
Account lockout errors are generated for McAfeeMVSUser on domain controllers.
The following error is displayed in the Windows System Event Viewer:
DCOM Error Event ID 10001 / 10004: Unable to start a DCOM Server: {427D6FE2-4FA4-B65C-AC7E2VF0B976} as ./ McAfeeMVSUser. The Error: "Access is denied." Happened while starting this command: "C:\Program Files\McAfee\Managed VirusScan\Agent\MyUsrSrv3.5.0.exe" -Embedding
The following error is displayed in the Windows Security Event Viewer:
Security 529 Logon Failure:
Reason: Unknown user name or bad password
User Name: McAfeeMVSUser
The following event 10004 error is logged on the domain controllers:
DCOM got error "Logon failure: user account restriction." and was unable to logon .\McAfeeMVSUser in order to run the server: {2242B406-90A2-4EF9-BC19-492D477F7914}
Summary
In previous versions of Total Protection, if no one was logged on, the computer would not update. To address this issue for those with unattended servers, mvsuser was introduced. It acts as a user for updating purposes in the absence of an actual logged-on user. This feature works on many platforms and servers, with the exception of Domain Controllers, because these require a domain user and, for security reasons, mvsuser only installs as a local user.
Cause
These events are informational and are non-critical errors. They are generated when the default McAfeeMVSUser account attempts to automatically update on a Domain Controller when a user is not logged in.
Total Protection is unable to automatically create a user account with sufficient privileges to update on a Domain Controller when no user is logged in. This is to avoid creating any unnecessary security risks on a critical network component.
On most computers, the McAfeeMVSUser account has sufficient privileges to update without a user logged in. When a user is logged in, the privileges of the logged in user allow the updates to occur.
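To confirm that the events on a Domain Controller are the McAfeeMVSUser noise described above and not logon failures for some other account, the events can be grouped by ID and account. This is an added example, not part of the original article or any McAfee tooling; the function name `Get-MvsUserEventSummary`, the sample events and the `svc-backup` account are constructed for illustration, and it assumes Windows PowerShell 5.1.

```powershell
function Get-MvsUserEventSummary {
    # Hypothetical helper, not a McAfee or Microsoft cmdlet. Accepts objects exposing
    # EventID, TimeGenerated and Message (the shape Get-EventLog returns).
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int[]]  $EventIds    = @(10001, 10004, 529),   # IDs named in this article
        [string] $AccountName = 'McAfeeMVSUser'
    )
    $pattern = [regex]::Escape($AccountName)
    $Events | Where-Object { $EventIds -contains $_.EventID } |
        Group-Object EventID | ForEach-Object {
            $group  = $_
            $sorted = @($group.Group | Sort-Object TimeGenerated)
            $mvs    = @($group.Group | Where-Object { $_.Message -match $pattern })
            [pscustomobject]@{
                EventID     = [int]$group.Name
                Total       = $group.Count
                FromMvsUser = $mvs.Count
                Other       = $group.Count - $mvs.Count   # not explained by this article
                First       = $sorted[0].TimeGenerated
                Last        = $sorted[-1].TimeGenerated
            }
        }
}

# Constructed sample events (message text abbreviated from the errors quoted above).
$sample = @(
    [pscustomobject]@{ EventID = 10004; TimeGenerated = [datetime]'2020-03-25 02:00:05'
        Message = 'DCOM got error "Logon failure: user account restriction." and was unable to logon .\McAfeeMVSUser' }
    [pscustomobject]@{ EventID = 10004; TimeGenerated = [datetime]'2020-03-25 14:00:07'
        Message = 'DCOM got error "Logon failure: user account restriction." and was unable to logon .\McAfeeMVSUser' }
    [pscustomobject]@{ EventID = 529;   TimeGenerated = [datetime]'2020-03-25 02:00:05'
        Message = 'Logon Failure: Reason: Unknown user name or bad password User Name: McAfeeMVSUser' }
    [pscustomobject]@{ EventID = 529;   TimeGenerated = [datetime]'2020-03-25 03:12:40'
        Message = 'Logon Failure: Reason: Unknown user name or bad password User Name: svc-backup' }
    [pscustomobject]@{ EventID = 7036;  TimeGenerated = [datetime]'2020-03-25 02:01:00'
        Message = 'Unrelated service state change' }
)
Get-MvsUserEventSummary -Events $sample | Sort-Object EventID | Format-Table -AutoSize

# Live use on the Domain Controller (Get-EventLog reads the classic System and Security logs):
# $live = @(Get-EventLog -LogName System -Newest 5000) + @(Get-EventLog -LogName Security -Newest 5000)
# Get-MvsUserEventSummary -Events $live | Format-Table -AutoSize
```

A non-zero `Other` count for event 529 means some logon failures belong to a different account and are not covered by the cause described here.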
Solution 1
A user account with sufficient permissions to update must be logged in to the Domain Controller to allow Managed VirusScan / Total Protection Services to update.
To stop these errors, disable the McAfeeMVSUser account from an Administrator account:
Step 1 - Create a new group for the Domain Controller
- You will need to log in to your McAfee Security Center and delete machines that are no longer active or should not have McAfee installed.
- You can log in to the Security Center by logging in to your SonicWall security appliance > click Security Services > click Client AV > Create Report > enter your mySonicWall logon information (the account that the SonicWall in question is registered under).
- At the top of the page, click Groups + Policies.
- Click Add Group, type a name for the new group (for example, Domain Controller), then click Save.
Step 2 - Create a new Policy to disable the McAfeeMVSUser account
- Click Add Policy.
- Enter a name for the new policy (for example, Domain Controller).
- Click the Advanced Settings tab.
- Deselect Update client computers where users are not logged in.
- Click Save.
Step 3 - Apply the new policy to the Domain Controller
- On the Groups + Policies page, locate the new group and select Edit / Assign Policy.
- From the drop-down menu, select the new Policy and click Save.
- At the top of the page, click Computers.
- In the list of computers, select your Domain Controller.
- At the bottom of the page, from the Move to drop-down menu, select the new group, then click Move.
The Domain Controller will receive the updated policy at the next update interval.
Solution 2
Manually disable the McAfeeMVSUser account on the Domain Controller.
- Click Start, Run, type cmd and click OK.
- Go to C:\Program Files\McAfee\Managed VirusScan\Agent.
- Type the following command, then press ENTER:
myUsrSrv4.0.0.358.exe /UnregServer
NOTE:
- This only disables the McAfeeMVSUser account. An account with the correct permissions must still be logged in to allow updating.
- You can create an account for updating purposes only and leave this logged on while locking the DC server screen.
Excerpt: https://mysupport.mcafee.com/Eservice/Article.aspx?id=KB58633