Thank you for indicating that a restart is required.

Since this is a production server, no reboot was performed after installation. There was no hint on the system side. Even the large number of systems would make a required reboot a problem for us.
To get around the problem we had to take out the ATP module first,
so it doesn't make sense to send logging files now.

i have sometimes the same issue and 'im readying the february update to solve this case. but generally, each ATP update should be followed by a maintenance reboot for the target. for two reason, freeing the memory and also, to be able to reactivate all submodules after the update. Without the reboot, some options could be offline.

Philippe

In fact Windows has an event on the Application logs with Event ID 1029 / Source - MsiInstaller indicating the ENS patch was installed and the reboot will be deferred. 

Product: McAfee Endpoint Security Platform. Restart required. The installation or update for the product required a restart for all changes to take effect.  The restart was deferred to a later time.

We have our monitoring system to look for event id 1029 with search string "Restart required" to raise an alert. I suggest you to explore some of these options.

Many thanks for the feedback, I think I will install such updates in the future if the WSUS updates are also installed and a restart is pending anyway.
The large number of systems contributes to the fact that such things cannot be handled as flexibly as it would be useful.

No amount of reboots will help.

If you reboot the server with ATP at max Memory utilization all it does is restart the services. You have a 50/50 chance of it happening again.

We have loaded the May Patch to help with the issues of the Feb patch and even after that it still randomly re-occurs.

There are no defined parameters that cause this memory leak as we have experienced it across multiple technologies, multiple patch levels of Windows as well as McAfee as well as Windows OS.

It does however seem to be more prominent on Server 2008 R2, And Windows 2012. not sure if we have had it on multiple 2016 servers yet.

We have a ticket open with McAfee but at this stage disabling ATP keeps the system admins and business happy. But its not the right solution.  

First of all, the  July update should contain once again an mfeatp memory improvement for this bug (info from the support)

As a workaround, i have implemented for my servers a service reset process that will kill and restart the service (based on an article published last year in a KB) automatically. On some servers i launch that process (Don't forget to add the executable into McAfee autoprotection exclusions) each 48H, or on some others in response when the memory start to reach a limit i fixed. It is a quick win really.

As patches are delivered, i must admit that this issue is becoming more rare actually

Hi there.

Thanks. Problem is the server support is out sourced.

We are not able to implement service resets ect and if we could it would take at least another month to get that approved and then tested and working. 

"As patches are delivered, i must admit that this issue is becoming more rare actually"

Well im not sure. we have had endless issues with the ATP module and memory leaks since last year and in our case it seems to get worse every time.