Troubleshooting Repeated (Looping) Prompts to Install McAfee Antivirus
03/26/2020
DESCRIPTION:
This is seen when a PC already has McAfee installed, but the SonicWall believes it does not and redirects the PC to install McAfee again.
Here is what happens when a PC goes to the web if McAfee TOPS (Total Protection Suite) enforcement is enabled on the SonicWall:
1) A PC attempts to go to www.google.com
2) The SonicWall intercepts the HTTP SYN packet and sends a query back to the PC on UDP port 59152
3) If the PC has McAfee installed, it also has an executable called SWagent, which listens for queries on UDP port 59152. If nothing blocks the UDP packet from reaching SWagent, SWagent makes sure all required McAfee services are running, then reads data from the registry, i.e. the McAfee version, the DAT date (McAfee virus definition files) and the company key.
4) Once SWagent has gathered this information, it sends a UDP packet back to the SonicWall on UDP port 59153
A) The information looks like this:
-SwAgent:2f4 Send the following data back to 192.168.168.168:
-SwAgent:2f4 4.7.0.0
-SwAgent:2f4 575c5f7b545973232720
-SwAgent:2f4 NT51
-SwAgent:2f4 20081015140518
-SwAgent:2f4 .. Leaving function: connect_OnWSA_Read
5) The SonicWall examines this information. If the company key matches the one configured in the SonicWall, and the DAT date is not outside the range configured under Security Services > Client Antivirus > Configure > Days before forcing update (set to 5 by default), it lets the PC out to the internet.
6) If McAfee is not installed or running, or if something blocks the UDP packet from reaching the PC or returning to the SonicWall, the SonicWall redirects the PC's web request to the SonicWall AV Required page and asks the user to install VirusScan.
A notice has been issued for SonicWall Enforced Clients (McAfee and Kaspersky). Please see Notice: End of Support for SonicWall Enforced Client for more information.
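The exchange in steps 2 to 6, written out as an added Python example (not part of the original article and not SonicWall's or McAfee's own code). It parses the four payload fields from SWagent debug output in the order shown above (version, company key, OS tag, DAT timestamp) and then applies the SonicWall's decision: redirect when there is no reply, when the company key does not match, or when the DAT files are older than the "Days before forcing update" setting. The sample log lines are constructed from the article's output; the expected company key and the "now" timestamps in the usage are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of SWagent debug output, in the order the article shows:
# agent version, company key, OS tag, DAT timestamp (YYYYMMDDHHMMSS).
SAMPLE_REPLY_LINES = [
    "-SwAgent:2f4 Send the following data back to 192.168.168.168:",
    "-SwAgent:2f4 4.7.0.0",
    "-SwAgent:2f4 575c5f7b545973232720",
    "-SwAgent:2f4 NT51",
    "-SwAgent:2f4 20081015140518",
    "-SwAgent:2f4 .. Leaving function: connect_OnWSA_Read",
]


def stamp(s):
    """Parse the YYYYMMDDHHMMSS format SWagent uses for the DAT date."""
    return datetime.strptime(s, "%Y%m%d%H%M%S")


def parse_swagent_reply(lines):
    """Extract the four payload fields from SWagent debug output."""
    payload = []
    for line in lines:
        m = re.match(r"-SwAgent:[0-9a-f]+ (.*)$", line)
        if not m:
            continue
        text = m.group(1).strip()
        # Skip the framing lines around the payload.
        if text.startswith("Send the following") or text.startswith(".."):
            continue
        payload.append(text)
    if len(payload) != 4:
        raise ValueError(f"expected 4 payload fields, got {payload!r}")
    version, company_key, os_tag, dat_stamp = payload
    return {
        "version": version,
        "company_key": company_key,
        "os": os_tag,
        "dat_time": stamp(dat_stamp),
    }


def enforcement_decision(reply, expected_key, now, days_before_forcing_update=5):
    """Mirror steps 5 and 6: return ('allow', reason) or ('redirect', reason).

    reply is the dict from parse_swagent_reply, or None when no UDP 59153
    packet came back (agent missing, stopped, or the packet was blocked).
    """
    if reply is None:
        return "redirect", "no SWagent reply on UDP 59153"
    if reply["company_key"] != expected_key:
        return "redirect", "company key mismatch"
    age = now - reply["dat_time"]
    if age > timedelta(days=days_before_forcing_update):
        return "redirect", f"DAT files are {age.days} days old, limit is {days_before_forcing_update}"
    return "allow", "company key matches and DAT files are current"


if __name__ == "__main__":
    reply = parse_swagent_reply(SAMPLE_REPLY_LINES)
    # Assumed expected key and assumed clock values for the demonstration.
    for now in ("20081017000000", "20081025000000"):
        print(now, enforcement_decision(reply, "575c5f7b545973232720", stamp(now)))
    print("no reply", enforcement_decision(None, "575c5f7b545973232720", stamp("20081017000000")))
```

With the sample reply and a clock two days after the DAT date the PC is allowed out; nine days after, or with no reply at all, it is redirected to the AV Required page, which is exactly the looping-prompt symptom the article troubleshoots.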
RESOLUTION:
Troubleshooting Checklist:
1) Make sure the McAfee services "McAfee Virus and Spyware Protection service", "McShield" and the SWagent service are running
2) It is a good idea to stop and restart them and try getting to the internet again (if any are not running, check Microsoft Windows Event Viewer > Application log for possible causes)
3) Make sure Windows Firewall and Internet Connection Sharing have been turned off at the services level
4) Make sure there are no third-party firewalls or security suites installed on the machine
5) If none of the above fixes the issue, run netstat -an from a command prompt and check whether the machine is listening on UDP port 59152
6) If it is listening on 59152, do a packet trace/capture at the SonicWall (System > Diagnostics > select "Packet Trace/Capture" from the drop-down) on the PC's private IP address and have the PC go to the internet.
This will determine whether the SonicWall is sending the packet out to the PC. If you do not see the packet leave the SonicWall, check the SonicWall's TSR. There have been cases where customers have a site-to-site VPN configured where the remote subnet is 192.168.0.0/16 and the local SonicWall subnet is 192.168.5.0/24. Because the remote subnet overlaps with the local subnet, when the PC on the local subnet tries to get to the internet, the SonicWall sends the UDP 59152 query across the tunnel, as that is where it believes the PC should be. This can also be caused by a bad route and/or NAT policy. In the worst case there may be an issue with the firmware.
7) If you do see the UDP 59152 packet leave the SonicWall's LAN interface, you will need to download a packet capture tool (www.wireshark.org) to the PC with the issue. (You will have to create an exclusion for the IP address of the PC in question so it can reach the internet to do the download. The exclusion is created in the SonicWall under Security Services > Client Anti-Virus > Configure > Exclude specified ranges from AV enforcement > Add the IP address of the machine. After the Wireshark download is complete, delete the exclusion.)
8) Once the packet capture is up and running, have the machine try to get to the internet and see whether Wireshark captures any packets from the SonicWall on UDP 59152.
9) If it does not, the packets are not getting to the PC.
10) Check whether there is a layer 3 device between the SonicWall and the PC; if there is, it could be blocking the packet from reaching the machine.
11) There could also be another PC on the network with the same IP address (DHCP conflict or duplicate static IP)
12) If the captures show the UDP query leaving the SonicWall but not arriving at the PC, and the above information does not help, deeper network troubleshooting will be needed.
13) If the packet capture at the PC shows the query is getting to the PC, you will need to create a case with SonicWall tech support at 1-888-777-1476 for further troubleshooting/help.
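Two of the checks in the list above, step 5 (is anything bound to UDP 59152 on the PC) and the step 6 VPN case (a remote subnet that overlaps the local LAN, so the UDP query is sent into the tunnel), as an added Python helper. This is example code written for this article, not a SonicWall tool. The netstat output is a constructed sample in Windows "netstat -an" layout, and the subnets in the usage are the ones the article quotes (192.168.0.0/16 remote, 192.168.5.0/24 local); the PC address 192.168.5.20 is an assumption.

```python
import ipaddress
import re

SWAGENT_QUERY_PORT = 59152

# Constructed sample of `netstat -an` output from a Windows PC (not from the article).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.5.20:49700     142.250.72.4:443       ESTABLISHED
  UDP    0.0.0.0:59152          *:*
  UDP    127.0.0.1:1900         *:*
"""


def swagent_listening(netstat_output, port=SWAGENT_QUERY_PORT):
    """Step 5: True if any UDP socket in the netstat output is bound to the query port."""
    # Matches "UDP <addr>:<port> ..." rows; works for IPv4 and bracketed IPv6 addresses.
    pattern = re.compile(r"^\s*UDP\s+\S+:(\d+)\s", re.MULTILINE)
    return any(int(m.group(1)) == port for m in pattern.finditer(netstat_output))


def overlapping_vpn_subnets(local_subnet, remote_subnets):
    """Step 6: return the remote VPN networks that overlap the local LAN.

    The article describes the SonicWall sending the UDP 59152 query into the
    tunnel when the remote subnet covers the local PC's address.
    """
    local = ipaddress.ip_network(local_subnet, strict=False)
    return [r for r in remote_subnets
            if local.overlaps(ipaddress.ip_network(r, strict=False))]


def query_would_cross_tunnel(pc_ip, remote_subnets):
    """Return the remote VPN networks that contain this specific PC address."""
    addr = ipaddress.ip_address(pc_ip)
    return [r for r in remote_subnets
            if addr in ipaddress.ip_network(r, strict=False)]


if __name__ == "__main__":
    print("UDP 59152 bound:", swagent_listening(SAMPLE_NETSTAT))
    remotes = ["192.168.0.0/16", "10.0.0.0/8"]
    print("overlapping VPN subnets:", overlapping_vpn_subnets("192.168.5.0/24", remotes))
    print("tunnel would capture 192.168.5.20:", query_would_cross_tunnel("192.168.5.20", remotes))
```

On a real PC, feed the output of netstat -an to swagent_listening; if it returns False, the agent is not listening and steps 1 to 4 (services, firewalls, security suites) are the place to look before any packet capture. The subnet helpers take the local LAN and the remote networks from the site-to-site VPN policies, and any non-empty result points at the overlap, route or NAT problem the article describes in step 6.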