Exchange 2016: large numeric files under C:\Windows\Temp\SAFe\ when C: has no space left

Exchange 2016

McAfee Security for Exchange 8.6 SP2 (Safeservice.exe, RPCserv.exe (two instances), Postgres.exe (multiple instances))

D:\Program Files (x86)\McAfee\MSME\bin\SAFeService.exe

Server 2016

Source of the problem: C: had no space left on the test lab server

If you see random files with a size of 96'201'998 (96MB) under "C:\Windows\Temp\SAFe\" on your Exchange 2013/2016, those are from McAfee Security for Exchange 8.6. The server shown was a test lab that had been running for a long time, and the C: drive ran out of space because it was unattended. You will also see the "SAFe" directory under "D:\Program Files (x86)\McAfee\MSME\bin\lang\0409\SAFe".

The problem is finding anything about this issue, since 99% of Google results end up at "is it 'safe' to delete c:\windows\temp" ;-)

We used procmon.exe from Sysinternals to see what generates the files, since the content is encrypted. You always have a bad feeling when you see such files, because of ransomware, so maybe this helps someone one day.

(From a first peek at the files, and after moving them, you think this is some kind of breach. Not very smartly done by McAfee…)
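A read-only triage for this situation, as an added example that is not part of the original post: it sizes up the SAFe temp directory, shows free space on C:, and reports where the processes named above run from and whether their binaries carry a valid signature. The two paths are the ones from this post; procmon is still the tool that shows which process actually writes the files.

```powershell
# Added triage example. Run elevated, otherwise ExecutablePath is empty for service processes.
# Paths are the ones named in this post; adjust them to your installation.
$safeDir = 'C:\Windows\Temp\SAFe'
$msmeBin = 'D:\Program Files (x86)\McAfee\MSME\bin'

# 1. Directory contents: file count, total size, and the most common file sizes.
$files = @(Get-ChildItem -LiteralPath $safeDir -File -Recurse -ErrorAction SilentlyContinue)
$total = ($files | Measure-Object -Property Length -Sum).Sum
'{0} files, {1:N1} MB total in {2}' -f $files.Count, ($total / 1MB), $safeDir
$files | Group-Object -Property Length | Sort-Object -Property Count -Descending |
    Select-Object -First 5 Count, @{ n = 'SizeBytes'; e = { [long]$_.Name } }

# 2. Free space on the system drive.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
'C: free: {0:N1} GB of {1:N1} GB' -f ($disk.FreeSpace / 1GB), ($disk.Size / 1GB)

# 3. Processes named in the post: image path, location and Authenticode status.
$names = 'SAFeService.exe', 'RPCServ.exe', 'postgres.exe'
Get-CimInstance -ClassName Win32_Process |
    Where-Object { $names -contains $_.Name } |
    ForEach-Object {
        $path = $_.ExecutablePath
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path }
        [pscustomobject]@{
            Name      = $_.Name
            PID       = $_.ProcessId
            Path      = $path
            InMsmeBin = [bool]($path -and
                        $path.StartsWith($msmeBin, [StringComparison]::OrdinalIgnoreCase))
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
        }
    } | Format-Table -AutoSize
```

A process with one of these names that runs from an unexpected folder or reports a signature status other than Valid deserves a closer look before the files are written off as vendor temp data.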

 

 

This event (if you send e-mail alerts) should help too.

Since McAfee Security for Exchange OFTEN throws too many errors (RPC crash > and it's back), people often turn those reports OFF, as we have seen in the McAfee forum.

Loading the Anti-Virus Engine failed on '11/01/2018 19:19:53'.

1. Check whether the Product Update Information in the user interface is correct.
2. Check whether the corresponding folders with respect to DATs/Anti-Virus Engine version exists in the installation\\bin directory.
3. contact McAfee Technical Support.

 

Server 2016 unable to change Product key MAK in GUI (BUG)

We have a Server 2016 fully patched until 05/2019. We run a KMS-Server which does not have a SRV KMS 2016 channel activated.

PROBLEM: Strangely, we can't change the product key with the GUI. There is simply no reaction when you click the "Change product key" button.

We have seen things like this under Control Panel (unable to scroll) in W10 1903, where Dameware did not work and it was only possible with RDP.

Use the activation wizard to do it. In a cmd prompt, type:

slui 3

 

The wizard appears

Enter the MAK key (NOT any KMS please ;-)

You can also change the key directly from the command line:

slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
slmgr.vbs /ato
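To confirm afterwards that the machine really sits on the MAK channel and is activated, the licensing WMI class can be read directly. This is an added example, not part of the original post; it only reads state and changes nothing.

```powershell
# Added example: read-only check after "slmgr.vbs /ipk" and "slmgr.vbs /ato".
# The ApplicationID is the fixed GUID Windows uses for its operating-system licenses.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
$statusText = @{
    0 = 'Unlicensed';        1 = 'Licensed';     2 = 'Out-of-box grace'
    3 = 'Out-of-tolerance grace'; 4 = 'Non-genuine grace'
    5 = 'Notification';      6 = 'Extended grace'
}

# Only the license entry that has a product key installed is of interest.
Get-CimInstance -ClassName SoftwareLicensingProduct `
        -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
    ForEach-Object {
        # The Description text names the key channel.
        $channel = switch -Regex ($_.Description) {
            'VOLUME_MAK'       { 'MAK'; break }
            'VOLUME_KMSCLIENT' { 'KMS client'; break }
            default            { 'other (see Description)' }
        }
        [pscustomobject]@{
            Edition     = $_.Name
            Channel     = $channel
            Status      = $statusText[[int]$_.LicenseStatus]
            KeyLast5    = $_.PartialProductKey
            Description = $_.Description
        }
    } | Format-List
```

After a successful MAK change, Channel reads MAK and Status reads Licensed; a KMS client entry means the old key is still in place.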

 

Fortigate Forticlient Silent Installlevel 1 does not work on 6.X Version how to solve

 

Problem: The Forticlient silent-install option for selecting which modules to install does not work as before with Forticlient 6.X up to 6.0.5 (FortiClientSetup_6.0.5.0209_x64)

Problem: You see an empty Forticlient Window when you open it

 

 

Explanation:

Until now, the following existed for the Forticlient:

  • Forti Configurator (a tool in which you could choose the options, supply a CONFIG file at the same time, and which produced an MSI at the end)
  • A Windows Installer option, INSTALLLEVEL (with this you could, up to Forticlient 5.9.X, say what you wanted: SSLVPN/VPN/Antivirus etc.)

The Configurator is now only available on the Fortinet Developer Network. To get at the file there you MUST name two Fortinet employees as references.

To get the Configurator you have to open a developer account with Fortinet, and to do that you have to get the approval of TWO Fortinet employees (Fortinet e-mail addresses). That's simply because they don't want customers to modify the default install; they want them to use the ONLINE installer so everybody tries their Antivirus and Patch modules. Before, you could download the Forticlient Configurator for free under the Support Forticlient download section.

There are also other nice things there, like the VPN automation scripts and SSLVPN command-line tools. I am sure a lot of Fortinet customers would like to use those, don't even know they exist, and swap to VPN technology from Microsoft https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/always-on-vpn-technology-overview

 

 

This thread shows what happens when you use INSTALLLEVEL=1 (as worked before with Forticlient 5.X)

https://forum.fortinet.com/tm.aspx?m=165279

https://docs.fortinet.com/document/forticlient/6.0.2/configurator-tool/823336/use-forticlient-configurator-tool-tool-for-windows

 

Forticonfigurator:

 

Nice ;-.)

 

Solution:

Use INSTALLLEVEL 3 instead of 1

 

msiexec.exe /i FortiClientSetup_6.0.5.0209_x64\forticlient.msi /quiet INSTALLLEVEL=3

The MSI package:

VPN, SSLVPN, SSO is fine for most enterprise users.

We don't see the NAC option in the GUI even if we choose it with option 3. We don't want that, so INSTALLLEVEL 1 would be the choice, but that does NOT work, as mentioned.

 

 

Here is the reason Fortigate makes this so complex. They want to sell EMS which can be used to Deploy Forticlient.

 

 

MCAFEE Removal Tools Enduser Line and Corporate Endpoint (GUI or EPO)

Sometimes we have client machines where we can't roll out ENS or VSE even when everything looks fine. That is because someone left behind an OEM-supplied version of McAfee end-user products (the user tried to uninstall or update without local admin), or because a migration went bad when a user closed the laptop lid or lost power during the migration, or because the user forced off a desktop client. We have very rarely had such cases in 10 years, and the EPO is a great solution in how it handles MSI packages and migration on clients, servers and terminal servers. If only regular deployment solutions would work like this.

So here are the two solutions for removing:

  1. Mcafee ENDUSER Products
  2. Mcafee ENS Corporate Version

 

 

MCPR (Removes all Enduser products or OEM Supplied version like on HP or DELL)

DOWNLOAD: http://us.mcafee.com/apps/supporttools/mcpr/mcpr.asp

https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS101331&_afrLoop=710472012957521&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25&centerWidth=100%25#!%40%40%3FshowFooter%3Dfalse%26_afrLoop%3D710472012957521%26articleId%3DTS101331%26leftWidth%3D0%2525%26showHeader%3Dfalse%26wc.contextURL%3D%252Fspaces%252Fcp%26rightWidth%3D0%2525%26centerWidth%3D100%2525%26_adf.ctrl-state%3D4xkm1wh6e_9

 

Sample leftover Enduser products:

 

 

MCAFEE Endpoint Product Removal Tool (ENS Corporate)

You can only download that tool if you have VALID NAI McAfee support running.

Here is HOW to find it under downloads. Yes, you need a manual to download a file ;-(

www.mcafee.com

Choose Enterprise

There is a standalone version for remote support, or a version which you PUSH out to problem clients with the EPO using a task sequence. You can set the options in the deployment job if you let it run with EPO.

Some sample command lines we use with the EPO push version to remove stalled single-endpoint ENS 10.X > 10.X migrations:

--accepteula --ENS --=600

--accepteula --ENS --noreboot

Server 2016, MDT 2013, W10 1809 6.3.8456.1000 SQL Compact Database

If you don't connect MDT on Server 2016 to an SQL Database it will use SQL Server Compact to store information

You see it in MONITOR. You can ONLY access the info from the Compact Edition with SQL Management Studio 2008R2, and NOT the newer version, as I have read somewhere. With SQL Management Studio 2008R2 we can open the SDF database from C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

 

You can also access it through the web API:

http://localhost:9801/MDTMonitorData

http://localhost:9801/MDTMonitorData/Computers

http://localhost:9801/MDTMonitorData/ComputerIdentities

 

It's written that they keep the information in there for 3 days. So this is only a temporary solution until the client runs.
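The Computers feed listed above can be read from PowerShell on the MDT server itself. This is an added example, not part of the original post; the field names and the meaning of the status codes are assumptions about the OData feed and should be checked against the raw output of the URL on your server.

```powershell
# Added example: read the MDT monitoring feed locally and list deployments.
# Assumptions: the property names below and the status-code mapping.
$url = 'http://localhost:9801/MDTMonitorData/Computers'
$statusText = @{ '1' = 'Running'; '2' = 'Failed'; '3' = 'Completed' }

# Invoke-RestMethod turns the Atom feed into one object per <entry>.
$entries = @(Invoke-RestMethod -Uri $url -UseDefaultCredentials)

$rows = foreach ($p in $entries.content.properties) {
    # Typed OData values arrive as XML elements, so the value is in '#text'.
    $code = [string]$p.DeploymentStatus.'#text'
    [pscustomobject]@{
        Name      = $p.Name
        Percent   = [int]$p.PercentComplete.'#text'
        Status    = if ($statusText.ContainsKey($code)) { $statusText[$code] }
                    else { "Other ($code)" }
        Errors    = [int]$p.Errors.'#text'
        Warnings  = [int]$p.Warnings.'#text'
        StartTime = $p.StartTime.'#text'
    }
}

# Newest deployments first, then only the ones that need attention.
$rows | Sort-Object -Property StartTime -Descending | Format-Table -AutoSize
$rows | Where-Object { $_.Status -eq 'Failed' -or $_.Errors -gt 0 } |
    Format-Table -Property Name, Status, Errors, StartTime -AutoSize
```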

 

C:\Program Files\Microsoft Deployment Toolkit\Monitor\MDT_Monitor.sdf

 

To view the data itself you could use:

https://www.linqpad.net/