exbrit
MVP
Message 41 of 45

Re: mfehidk "warning" event-ID 516 referring to MCSHIELD.EXE, MCSVHOST.EXE and a McAfee-Driver

I would open a case with Technical Support as I suggested in my last post. Linked under Useful Links at the top of this page.

It's now free by phone as well as online chat.

alexn
Former Member
Message 42 of 45

Re: mfehidk "warning" event-ID 516 referring to MCSHIELD.EXE, MCSVHOST.EXE and a McAfee-Driver

The Windows System Event log reports multiple entries for Event ID 516. Entries similar to the following are recorded in the Windows System Event log:

Event Type: Warning
Event Source: mfehidk
Event Category: (256)
Event ID: 516
Date: <Date>
Time: <time>
User: N/A
Computer: <name>
Description:
Process **\VSTSKMGR.EXE pid (XXXX) contains signed but untrusted code, but was allowed to perform a privileged operation with a McAfee driver

On some systems the event is logged every few minutes.

No other symptoms are reported on the client.

Perform the steps below to troubleshoot issues where third-party code is inserted into McAfee processes or interacts with McAfee kernel code from other processes. 

  1. Identification - Troubleshooting
     This step is necessary to identify other possible causes and to provide the solutions.

     Know why the event occurs for your environment - it could be malware.
    1. Review the Event ID to determine which process is involved. Most commonly this is VSTSKMGR.EXE as described in the Problem section. Other process names include MCSHIELD.EXE and SVCHOST.EXE.
    2. Identify the individual DLL(s) and owning applications for files that load themselves into that process.
      1. Download Microsoft Process Explorer from:
         http://technet.microsoft.com/en-us/sysinternals/bb896653
      2. Run the Process Explorer tool procexp.exe on the computer where you see the event 516.
      3. From the Process Explorer main menu, click Options and select Verify Image Signatures.
      4. From the main menu click View and select Show Lower Pane.
      5. Click View, Lower Pane View, and select DLLs.
      6. Click View, Select Columns.
      7. In the new window click the DLL tab, and select Verified Signer, then click OK.
      8. In the upper pane, expand winnt.exe, services and scroll down, then select VsTskMgr.exe.
         The lower pane now shows all the DLLs that are loaded for the VsTskMgr.exe process.
      9. In the lower pane click the Verified Signer column to organize the DLLs. This allows any unsigned DLLs to be grouped together as Unable to Verify.
      10. Inspect the list of DLLs for non-McAfee and non-Microsoft files (ignoring the file WscAv.dll which is also a McAfee file).
      11. If you do not see the untrusted third-party application's DLL(s), click File, Save and save as a text file. Provide the text file to McAfee Support for assistance. For contact details, see the Related information section of this article.

  2. Resolving the third-party application (hook) problem
     If the DLL can be prevented from loading into the process, then VSE would not generate the event.

Deal with intrusive third-party applications
If you determine that the events are caused by a third-party application, and no option exists from the vendor to avoid hooking McAfee processes or otherwise engaging with McAfee code, you can opt to trust the application so that no more Event 516 messages will be generated for that specific application. These events will still occur for other applications and for malware.

NOTE: An application can only be trusted if it has a digital signature. If it does not, VSE can never trust it. There is no way to suppress events for unsigned applications.

Risks associated with trusting a third-party application
Files that contain a digital certificate that you choose to trust are still scanned when first accessed. McAfee utilizes a clean-file scan cache to avoid re-scanning files that have already been scanned and found to be clean. Files that are trusted are added to the cache and will remain in the cache even after a DAT signature update occurs. This behavior is inherent with trusting digital signatures.

NOTE: When you add a file to the scan cache, the stored data includes the settings used to scan the file. If your scan settings are changed to a higher (more secure) level, then trusted items in the cache would be rescanned.   

  • Advantage: You may see a performance gain, even after a DAT update.

  • Disadvantage: If new DAT signatures would normally find those trusted files to be infected, they would not be scanned by the On-Access Scanner to find that malware.

  • Mitigation: McAfee reserves the right to use the DAT signature updates to force trusted files to be removed from the clean-file scan cache, causing them to be re-scanned when accessed. You can also cause existing trusted files to be scanned. Perform an On-Demand Scan and disable the option Allow On-Demand scans to utilize the scan cache. See the Related Information section for additional information.

How to trust a third-party application
  1. Obtain the signature file.               
    1. Right-click the third-party DLL file (or any of the third-party application signed files) and select Properties.
    2. Click the Digital Signatures tab.
    3. Select the appropriate digital signature from the Signature list.
    4. Click Details, View Certificate.
    5. Click the Details tab, then click Copy to File.
    6. Complete the Certificate Export Wizard and note where you save the .cer file. McAfee recommends that you accept the default wizard options, with the exception of the file path.
  2. Import a copy of the product's digital certificate into the McAfee Trust certificate store.
    1. Contact McAfee Support. See the Related Information section for the contact details.
    2. Provide the .cer file you want to add.
       McAfee Support will provide an executable package to add the certificate to the McAfee Trust certificate store.
    3. Run the executable provided by McAfee Support. (Steps to do so via ePolicy Orchestrator will be provided by McAfee Support.)
    4. Click Tools, General Options, Global Scan Settings and deselect Enable saving scan data across reboots, then click Apply, OK.
    5. Restart your computer. This is necessary for the certificate store changes to take effect.
    6. Click Tools, General Options, Global Scan Settings and select Enable saving scan data across reboots, then click Apply, OK.
   

Message was edited by: alexn on 8/29/12 8:09:07 AM CDT
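
The Process Explorer check described in the post above can also be scripted. The following PowerShell is an added example, not part of alexn's post or of any McAfee tooling; it assumes an elevated prompt and that the event description matches the format quoted in the post (`Process <path> pid (<number>) ...`).

```powershell
# Added example. Assumption: event text looks like
# "Process **\VSTSKMGR.EXE pid (1234) contains signed but untrusted code ..."
$pattern = 'Process\s+(?<path>.+?)\s+pid\s+\((?<pid>\d+)\)'

# 1. Collect recent Event ID 516 warnings from the mfehidk source.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'mfehidk'; Id = 516
} -MaxEvents 200 -ErrorAction SilentlyContinue

# 2. Extract the process name from each description.
$named = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Time = $e.TimeCreated
            Name = (($Matches['path'] -split '\\')[-1]) -replace '\.exe$', ''
        }
    }
}
$named | Group-Object Name | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. For each named process still running, record the signer of every loaded module.
$names = $named.Name | Where-Object { $_ } | Sort-Object -Unique
$report = foreach ($name in $names) {
    foreach ($p in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        try { $modules = $p.Modules } catch {
            Write-Warning "Cannot read modules of $($p.Name) ($($p.Id)): $_"
            continue
        }
        foreach ($m in $modules) {
            $sig = Get-AuthenticodeSignature -LiteralPath $m.FileName
            [pscustomobject]@{
                Process = "$($p.Name) ($($p.Id))"
                Module  = $m.FileName
                Status  = $sig.Status
                Signer  = $sig.SignerCertificate.Subject
            }
        }
    }
}

# 4. Same triage as step 10 of the post: show modules that are unsigned,
#    fail verification, or are signed by someone other than Microsoft/McAfee.
$report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=(Microsoft|McAfee)'
} | Sort-Object Status, Signer | Format-Table -AutoSize -Wrap
```

The signer match is a triage filter on the certificate subject, not a trust decision. On older PowerShell versions catalog-signed Windows DLLs can show as NotSigned, so confirm such entries in Process Explorer.
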
Hayton
Reliable Contributor
Message 43 of 45

Re: mfehidk "warning" event-ID 516 referring to MCSHIELD.EXE, MCSVHOST.EXE and a McAfee-Driver

Useful info, Alex, but two things.

1. You've answered a question posted two years ago. It's not clear from the context whether this is a response to an old problem or a new one. I suspect it's a new one, in which case a new thread with a different title might be appropriate.

2. The information was originally intended for Corporate users. Home users don't have VSE and won't see vstskmgr.exe or wscav.dll (I don't, anyway).  The Process Explorer instructions are useful, but I think the rest of it needs to be adapted for the Home User product(s). In particular,

  1. Run the executable provided by McAfee Support. (Steps to do so via ePolicy Orchestrator will be provided by McAfee Support.)

Will that executable be provided to Home users?

Tools, General Options, Global Scan Settings

This must be a menu setting on something we haven't got.

tomica
Contributor
Message 44 of 45

Re: mfehidk "warning" event-ID 516 referring to MCSHIELD.EXE, MCSVHOST.EXE and a McAfee-Driver

Hi Alex,

You've clearly done a lot of research, but I tend to agree with Hayton. I believe I set the ball rolling 2 years ago. Your suggestion looks quite complicated and, if unsuccessful, could wreck an otherwise satisfactorily running Vista system.

As a McAfee AntiVirus Plus Home user paying $65 p.a. (for 2 PCs) I don't see why I should have to go to so much trouble to fix a McAfee defect. Why can't an update, upgrade or the Virtual Technician do it?

Regards

feeeds
Former Member
Message 45 of 45

Re: mfehidk "warning" event-ID 516 referring to MCSHIELD.EXE, MCSVHOST.EXE and a McAfee-Driver

We have also opened a ticket with support on this. We see it across our environment, Win7 desktops and servers. Anyone have anything new on this?
