"During a McAfee full scan in a BootCamp environment, the system terminated abnormally and restarted by itself" ★ How to fix it ★

【 Index 】
 1. BootCamp and virtualized environments are not supported. 

 2. But it's easy to deal with; a full scan will be successful. 

 I'm sorry that I can only verify BootCamp. 

 1. BootCamp and virtualized environments are not supported. 

 Many of you may have given up when you called McAfee Technical Support and were told that "BootCamp and virtualized environments are not supported by McAfee"...

 Another thing I was able to confirm while talking on the phone is that "McAfee Full Scan" is always a full scan, so even if you specify a file or folder in the "Exclude files from scheduled scan" field, the exclusion setting will be ignored for a full scan.
 In other words, the exclusion settings only apply to custom scans!

 Of course, you also need to add the BOOTCAMP volume to the "Exclude files" for real-time scan.


The above screenshot is part of the "kernel panic file" that is sent to Apple after a "crash and reboot" (which is the normal setting).

Before clicking the "OK" button to send it to Apple, let's check the cause of the kernel panic!

If the first line starts, at its left end, with " panic(cpu 0 caller 0xffffff7faa223eb5): ntfs_attr_record_move_for_attr_list_attribute(): err\\n "@/AppleInternal/ ... "
 and, around line 30, you see " Process name corresponding to current thread: VShieldScanner ",
the approach described below should work.

 If you don't care about the reason and just want to know how to deal with it, check the above and then proceed to Chapter 2!

 VShieldScanner is a process (file) included in McAfee's virus detection application, and it indicates that this process caused the kernel panic.

 The report also contains "ntfs_attr_record_move" and "filesystems.ntfs", so we can conclude that the failure is related to NTFS.

 NTFS is a file system developed by Microsoft, and BootCamp volumes that contain Windows10 are formatted with NTFS.
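
The check described above, as an added example that is not part of the original post: a shell function that looks in a saved panic report for the two indicators (an ntfs_ function in the panic string or "filesystems.ntfs" elsewhere in the report, and VShieldScanner as the current process). The function name classify_panic, its verdict words and the sample report are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not McAfee or Apple code): check a saved kernel panic report
# for the two indicators described in this post.
#
# classify_panic FILE  -> prints "<verdict> <panic function> <process>"
#   match   : NTFS code implicated while VShieldScanner was the current process
#   ntfs    : NTFS implicated, but a different process was running
#   scanner : VShieldScanner was running, but NTFS is not implicated
#   other   : neither indicator present
# Exit status is 0 only for "match" (2 if the file cannot be read).
classify_panic() {
    report=$1
    [ -r "$report" ] || { echo "unreadable - -"; return 2; }

    # Function named in the panic string of the "panic(cpu N caller 0x...)" line.
    func=$(sed -n 's/^panic(cpu [0-9]* caller 0x[0-9a-fA-F]*): *"\{0,1\}\([A-Za-z0-9_]*\)().*/\1/p' "$report" | head -n 1)
    # Process that was running when the kernel panicked.
    proc=$(sed -n 's/^.*Process name corresponding to current thread: *\([^[:space:]]*\).*/\1/p' "$report" | head -n 1)

    ntfs=no
    case "$func" in ntfs_*) ntfs=yes ;; esac
    # "filesystems.ntfs" anywhere in the report also implicates the NTFS driver.
    if grep -q 'filesystems\.ntfs' "$report"; then ntfs=yes; fi

    case "$ntfs:$proc" in
        yes:VShieldScanner) verdict=match ;;
        yes:*)              verdict=ntfs ;;
        no:VShieldScanner)  verdict=scanner ;;
        *)                  verdict=other ;;
    esac
    echo "$verdict ${func:--} ${proc:--}"
    [ "$verdict" = match ]
}

# Constructed sample: only the two lines quoted in this post; every other
# line of a real report is left out and the source path stays elided.
sample=$(mktemp)
cat > "$sample" <<'EOF'
panic(cpu 0 caller 0xffffff7faa223eb5): "ntfs_attr_record_move_for_attr_list_attribute(): err\n"@/AppleInternal/...
Process name corresponding to current thread: VShieldScanner
EOF
classify_panic "$sample"
rm -f "$sample"
```
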

 The BootCamp volume is connected to macOS in a read-only state except when creating a BootCamp environment, so it is an area that cannot be modified.
 We can assume that there are files and areas that are not accessible from macOS, causing a kernel panic crash.
I'm not an expert, so I can't tell you the details, but...

 If you have not set up any virtualized environment on your Mac other than BootCamp, the BootCamp volume is the only NTFS-formatted area.
 Of course, it is assumed that no external devices such as USB flash drives or network devices are connected during the "Full Scan"...

 The only way to avoid crashing is to prevent the BootCamp volume from being scanned during a full scan or a custom scan that includes "System (/System)"!

 I mean, who wouldn't want to exclude only BootCamp volumes from virus detection?
 The first thing that comes to mind is to add the BootCamp volume (/Volumes/BOOTCAMP) to the "Excluded files" in the settings for scheduled and real-time scans.
 If you run a full scan after the above settings, you will see that it will cause another "kernel panic + reboot".

 This is because under the "System ( /System )" folder, there is a virtual folder for a BootCamp volume ( /Volumes/BOOTCAMP ), probably using an alias !

 The virtual folder is " /System/Volumes/Data/Volumes/BOOTCAMP ".  ( macOS Big Sur )
 The real folder is just " /Volumes/BOOTCAMP " !


 Since macOS Catalina, the "Macintosh HD" system volume has been divided into two volumes: "the read-only OS execution part" and "the data part", to prevent accidental overwriting of important OS files.

 This is to enhance security. Sorry, I didn't learn enough.  I was using macOS Mojave for a long time until I upgraded to macOS Big Sur the other day...
 It's true that before Mojave, I never had a kernel panic during a virus detection.

 The files and data are stored in a separate volume called "Macintosh HD - Data" and both volumes are shown as "Macintosh HD" in the "Finder" .
 I can see in the "Disk Utility" application that the "OS Execution Volume" is only about 15GB...

 The entry point for the OS volume will still be mounted at " / ", and the data volume will be mounted at " /System/Volumes/Data ".
 Therefore, since macOS Catalina, all data including BOOTCAMP volumes must be placed under " /System/Volumes/Data " to access data.

 In order to maintain compatibility (so that you don't have to reinstall Windows OS), it seems that the "/System/Volumes/Data/Volumes/BOOTCAMP" virtual folder was placed without changing the real volume ( /Volumes/BOOTCAMP ).
 I mentioned alias earlier, but this may be achieved by other means such as symbolic links.
 Incidentally, I also confirmed the " /System/Volumes/Data/Volumes/'Macintosh HD' " alias.

 It took me 5 days to figure this out, and another 2 days to figure it out, and then I happened to right click on the BOOTCAMP icon and realized!
 You will notice that there is an "Eject BOOTCAMP" operation!

 It's a game changer! If the volume is not logically connected, it can't be accessed by any operating system, including macOS.
 I used to work with SunOS and other Unixes, and it's pathetic...
 After unmounting (the Unix OS command to logically disconnect a physically connected device), do a full scan and you should be fine! 

 All you have to do is temporarily disconnect the BootCamp volume from the system (macOS) and reconnect it after the full scan.
 In other words, mount it (the Unix OS command to logically connect to a physically connected device) and you're back in business.

 Since the BootCamp volume is an area prepared to install Windows in the first place, it is natural to install a new virus detection application for Windows after booting Windows in BootCamp to scan the BootCamp volume for viruses.

 Just to be sure, do a full scan with the "Virus Detection for Windows OS" application to make sure the "BOOTCAMP volume" is not corrupted!

 Fortunately, Macs are designed to make the mounting and unmounting process as easy as possible!


 2. But it's easy to deal with; a full scan will be successful. 

 At a later date, I will attach a picture so that anyone can do the following!
It's easy enough to do with just text, but...

 (1) Right-click on the "BOOTCAMP icon" and select "Eject BOOTCAMP" from the menu.
 ( The icon will disappear, but the contents of the folder will not. )

 If you are an old Mac user, you can drag and drop it to the "Trash icon".


 (2) Perform a full scan or a "custom scan including the 'System' folder".

 For "Users", "Applications", and "Libraries" folders other than "System", you should be able to do a custom scan  without doing (1) .


 (3) After the virus scan is complete, reboot the Mac computer. 
 After rebooting, the physically connected devices will be auto-mounted.
 Confirm that the "BOOTCAMP icon" is displayed again.
 ( Please note that the position of the icon may change. )

 If you can't reboot immediately, please use "Disk Utility" application.
 You can manually mount the "BOOTCAMP volume" using the "Disk Utility" application.
 The "BOOTCAMP icon" will reappear immediately.
 ( Please note that the icon display position may change. )


This is the end of the procedure.

Thank you for reading to the end.
Please come back again.
// Ataru
