Event ID: 5004 Source: McLogEvent

Source
Level
Description
Could not contact Filter Driver - NaiFiltr.sys. Error = The NaiFiltr device is not installed.
Comments
 
In one case, this was due to the Dfs Share that was configured to contain the McAfee DATs being empty. The Dfs configuration was corrected and when Dfs replication populated the Share, McAfee worked normally.
This problem was happening on a W2K server with McAfee Enterprise 7.0. Our Virus definitions had become corrupt and on access scan could not be enabled. Reinstalling the latest SDAT (SuperDAT) worked for us.
- Description: Could not contact Filter Driver. Error =0x2 : The system cannot find the file specified - Read McAfee solution kb40534. Go to the "McAfee Knowledge Search" page and search for the specified solution.
The file "NaiFiltr.sys" is the VirusScan filter driver. It assists in the process to determine what type of file is to be scanned. See Network Associates Solution ID: NAI29118 and Network Associates Solution ID: NAI26197 to resolve this problem.

If you are following the comment from contributor GetseKlets and you can't find article ME238413 on the Microsoft Knowledge Base, then see articles ME268528 and ME290301 for information on how you can remove a program's Windows Installer configuration information.
This error can occur if you are trying to upgrade from NetShield 4.0.3 to VShield 4.5.0 on a Windows 2000 Pro workstation. The reason for this is that Windows 2000 is not a supported platform for NetShield 4.0.3. Even though it will install and work properly, when you uninstall it and install VShield 4.5.0 or 4.5.1, the McShield service will be unable to start. You can even go as far as uninstalling, then remove all left over files, directories and registry entries and it will still fail. I have spent hours working with Network Associates on this problem and their stance is they have no fix for this. Contact Microsoft or reload OS.


This has occurred on other operating systems as well.
NaiFiltr is a device that should start automatically under "Control Panel" --> "Devices". I got it fixed by exporting all registry keys containing the text "naifiltr" from a machine that works properly and importing them on the affected machine.
Removing and then reinstalling the entire Virusscanner solved the problem in my case.
This is the solution according to McAfee:

Environment
-------
- McAfee NetShield 4.5
- Microsoft Windows NT Server
- Microsoft Windows 2000

Symptom
-------
- Error: "NAIFILTR.SYS cannot be located."
- Error: "NAIFILTR.SYS is not loaded"
- NetShield will not load.
- Event ID 5004
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NAIFiltr and it did not exist.

Change
-------
Server was upgraded from NetShield 4.03 to NetShield 4.5.

Cause
-------
NAIFILTR.SYS does not exist

Fix
-------
1. Use add/remove programs to uninstall NetShield 4.5.
2. Follow NAI7461: Preparing a server to install/reinstall NetShield 4.5.
3. Delete the Network Associates folders from C:\Program Files and C:\Program Files\common File folders on installation drive.
4. Delete legacy keys using NAI2209: Removing the LEGACY keys to allow VirusScan or NetShield to install. <primus://:NAI2209>.
5. Reboot.

Reinstall NetShield 4.5.


ID: nai7461

Goal
-------
- Preparing a server to install/reinstall NetShield 4.5
- Using MSIZAP.EXE to clean out registry keys.

Environment
-------
- McAfee NetShield 4.5
- Microsoft Windows NT 4
- Microsoft Windows 2000

Symptom
-------
- Unable to reinstall NetShield
- Unable to install McAfee NetShield 4.5

Fix
-------
Follow these steps to resolve this issue:

1. Download the Microsoft Cleanup Utility from MS ME238413 (see ME238413).
2. Install the Cleanup Utility.
3. Go to Start | Run and browse to C:\Program Files\Windows Cleanup Utility (the default directory) or the directory to which you installed the utility. At the end of the path statement in the Run box, type a space and then the following:
   T {DBDCAA19-597C-11D3-89BB-006008C7D0F2}
   NOTE: Your Run line should end up looking similar to this, including the quotes: "C:\Program Files\Windows Cleanup Utility\MSIZAP.EXE" T {DBDCAA19-597C-11D3-89BB-006008C7D0F2}
4. Click OK to Run the utility.
5. When completed, reboot the system.
You should now be able to install NetShield.

ID: nai2209
Goal
-------
- Removing the LEGACY keys to allow VirusScan or NetShield to install.

Environment
-------
- McAfee VirusScan 4.5
- McAfee VirusScan 4.5.1
- McAfee NetShield 4.5
- Microsoft Windows 2000
- Microsoft Windows NT

Symptom
-------
- Error: "The McShield service returned service specific error 5020"
- Error: "Could not start the AVSync Manager service on \\wkstn"
- Error 1067: The process terminated unexpectedly
- NAIFILTR.SYS not found when installing VirusScan 4.5
- Error: "NAIFILTR.SYS not found"
- Event ID 7000 in event viewer
- ERROR "Could not contact filter driver naifiltr.sys"
- Services not starting after install
- Previous version of VirusScan/NetShield on the computer.
- Product not uninstalled using the Add/Remove Programs applet in the Control Panel.

Cause
-------
- Some drivers are still installed from the previously installed AntiVirus software.

Fix
-------
NOTE: The below keys are not installed or removed by McAfee software. These registry entries are created by the operating system. The effects of removing them cannot be guaranteed by Network Associates.

1. If VirusScan or NetShield is still installed, run the uninstall applet from the Control Panel using Add/Remove Programs.
2. When the uninstall is complete, from the Start menu choose Run and execute "REGEDT32". Browse to HKEY_Local_Machine\System\ControlSet001\ENUM\ROOT. Highlight the following LEGACY keys, depending on which product you are using, one at a time. After ensuring the correct key is highlighted, follow steps a-g listed below for each LEGACY key listed.
a. For NetShield:
* LEGACY_ALERTMANAGER
* LEGACY_MCSHIELD
* LEGACY_MCTASKMANAGER
* LEGACY_NAIFILTR
* LEGACY_NAIFSREC
b. For VirusScan:
* LEGACY_AVSYNMGR
* LEGACY_MCSHIELD
* LEGACY_NAIFILTR
* LEGACY_NAIFSREC

a. Click on Security | Permissions
b. Check the option for "Everyone" to have full control (the option in the bottom pane of the Permissions Tab)
c. Click on "Advanced"
d. Check the option to "Reset Permissions on all child objects and enable propagation of inheritable permissions."
e. Click "Apply"
f. Click "OK" to the message, "This will remove explicitly defined permissions on all child objects and enable propagation of inheritable permissions to those child objects. Only the inheritable permissions propagates from the LEGACY_***** will take effect. Do you Wish to continue?"
g. Press the "Del" key on your keyboard to delete the LEGACY key. Select "Yes" to the message, "Registry Editor will delete the currently selected key and all its subkeys. Do you want to continue the operation?"

3. Repeat step 2 for the same LEGACY keys in ControlSet002\ENUM\ROOT and ControlSet003\ENUM\ROOT if present.
4. Delete the folder C:\Program files\Network Associates\VirusScan, C:\Program Files\Network Associates\NetShield 2000 or the directory to which you installed the program, if you installed to a different location.
5. When this is complete, reboot the system.

You should now be able to run the installation program again.
I got the same error with VirusScan 7 and Windows XP SP1. I found naifiltr.inf within the installation directory of McAfee and right clicked and installed it. It seemed to have fixed the problem.
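
The comments above check two places in the registry: the Services\NAIFiltr key (reported missing) and the LEGACY_* keys under ControlSet00x\Enum\Root (reported left behind), and one contributor compared exports from a working and an affected machine. The following is an added example, not code from any contributor or from McAfee: a read-only check over regedit export text, where the function names and both sample exports are constructed for illustration.

```python
import re

# Key names are the ones listed in the NAI2209 steps on this page.
LEGACY_NAMES = {"LEGACY_ALERTMANAGER", "LEGACY_AVSYNMGR", "LEGACY_MCSHIELD",
                "LEGACY_MCTASKMANAGER", "LEGACY_NAIFILTR", "LEGACY_NAIFSREC"}
LEGACY_RE = re.compile(r"\\(CONTROLSET\d{3})\\ENUM\\ROOT\\(LEGACY_[^\\]+)(?:\\|$)")

def parse_keys(reg_text):
    """Return the upper-cased key paths declared in regedit export text."""
    keys = set()
    for line in reg_text.splitlines():
        line = line.strip()
        # "[-HKEY_...]" marks a deletion in a .reg file, so it is not counted.
        if line.startswith("[HKEY_") and line.endswith("]"):
            keys.add(line[1:-1].upper())
    return keys

def audit(reg_text):
    """Report the NAIFiltr service key and leftover LEGACY keys per control set."""
    keys = parse_keys(reg_text)
    leftovers = set()
    for key in keys:
        m = LEGACY_RE.search(key)
        if m and m.group(2) in LEGACY_NAMES:
            leftovers.add((m.group(1), m.group(2)))
    service = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NAIFILTR"
    return {"service_key_present": service in keys,
            "legacy_leftovers": sorted(leftovers)}

def missing_naifiltr_keys(working_text, affected_text):
    """Keys mentioning naifiltr that the working export has and the affected one lacks."""
    diff = parse_keys(working_text) - parse_keys(affected_text)
    return sorted(k for k in diff if "NAIFILTR" in k)

# Constructed sample exports (not taken from a real machine).
WORKING = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NaiFiltr]
"Start"=dword:00000002
"""
AFFECTED = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAIFILTR]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NAIFILTR\0000]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_MCSHIELD]
"""

if __name__ == "__main__":
    print(audit(AFFECTED), missing_naifiltr_keys(WORKING, AFFECTED))
```

Exports written in the "Windows Registry Editor Version 5.00" format are UTF-16, so decode the file accordingly before passing its text in.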
