
ATP prevents powershell to load the commands

Dear All,

Can anyone help with McAfee ATP after upgrading to the ENS 10.7.1 September update?

PowerShell opens but does not load the command line. This happens on all the servers. Any ideas? Below are the logs for your reference.

2020-10-24 05:10:43.262 AM|Activity|Orchestrator| mfeatp|3016|8636|RealProtect|..\..\..\Source\ScanOrchestrator\rp_behavior_scanner.cpp| Real Protect cloud scanner will monitor process with process id 11320 , file path C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
2020-10-24 05:10:45.372 AM|Activity|Orchestrator| mfeatp|3016|8636|RealProtect|..\..\..\Source\ScanOrchestrator\rp_behavior_scanner.cpp| Real Protect cloud scanner will monitor process with process id 11944 , file path C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
2020-10-24 05:10:45.372 AM|Activity|Orchestrator| mfeatp|3016|11312|RepChangeListener|..\..\..\Source\ScanOrchestrator\reputation_change_listener.cpp| Real Protect cloud scanner trace complete for process id 11944 , file C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe with reason id 11

Venu
7 Replies
hitesh_Reddy
McAfee Employee
Message 2 of 8

Re: ATP prevents powershell to load the commands

Hi vnaidu,

Thank you for writing. With the details shared: we had a similar issue where PowerShell scripts hang and the PowerShell interface does not start, which was also resolved in the ENS 10.7 July release; we are already using the ENS 10.7 Sep release.

I would suggest logging a Service request after enabling debug logging of ATP to start with. We should be able to assist accordingly.

Was my reply helpful?

If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Hitesh

Kenchee_etf
McAfee Employee
Message 3 of 8

Re: ATP prevents powershell to load the commands

Hello @vnaidu 

Just like my answer in one additional post you made, just to cover the basics: did you reboot the machine after the ENS upgrade?

Second question is, did you perform additional troubleshooting and what result did you receive to make you conclude that the issue is caused by ATP, but not, for example, AP or EP?

Last, but not least, the log output here is not showing any block.

It is showing that RealProtect is monitoring the process, which is expected if it is not excluded, and it also shows that at the end the process is cached with unknown reputation (reason id 11). You may find more about it in:

*** McAfee Endpoint Security 10.7.x Product Guide - Windows (Real Protect test scan result codes)
https://docs.mcafee.com/bundle/endpoint-security-10.7.x-common-product-guide-windows/page/GUID-016A6...


Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
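The reading of the log given in the reply above can be checked mechanically. This is an added example, not part of the original thread or McAfee code: it parses the three posted log lines and pairs each "will monitor" entry with its "trace complete" entry per process id. The field positions and regular expressions are assumptions derived from those three lines, and the only reason id described is 11, as stated in the reply.

```python
import re

# The three log lines from the original post, embedded as sample input.
SAMPLE_LOG = r"""
2020-10-24 05:10:43.262 AM|Activity|Orchestrator| mfeatp|3016|8636|RealProtect|..\..\..\Source\ScanOrchestrator\rp_behavior_scanner.cpp| Real Protect cloud scanner will monitor process with process id 11320 , file path C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe
2020-10-24 05:10:45.372 AM|Activity|Orchestrator| mfeatp|3016|8636|RealProtect|..\..\..\Source\ScanOrchestrator\rp_behavior_scanner.cpp| Real Protect cloud scanner will monitor process with process id 11944 , file path C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
2020-10-24 05:10:45.372 AM|Activity|Orchestrator| mfeatp|3016|11312|RepChangeListener|..\..\..\Source\ScanOrchestrator\reputation_change_listener.cpp| Real Protect cloud scanner trace complete for process id 11944 , file C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe with reason id 11
"""

# Message patterns inferred from the sample lines (assumption, not a documented format).
MONITOR = re.compile(r"will monitor process with process id (\d+) , file path (.+)$")
TRACE_DONE = re.compile(r"trace complete for process id (\d+) , file (.+) with reason id (\d+)$")

# Only the meaning given in the thread; other ids are in the product guide.
REASON_NOTES = {11: "process cached with unknown reputation"}


def summarize(log_text):
    """Return {pid: {path, monitor_start, reason_id, note}} for Real Protect entries."""
    procs = {}
    for line in log_text.splitlines():
        fields = line.split("|", 8)  # 9 pipe-separated fields, message last
        if len(fields) != 9:
            continue
        timestamp, message = fields[0], fields[8].strip()
        started = MONITOR.search(message)
        done = TRACE_DONE.search(message)
        if started:
            procs[int(started.group(1))] = {
                "path": started.group(2), "monitor_start": timestamp,
                "reason_id": None, "note": "trace not complete in this excerpt"}
        elif done:
            pid, reason = int(done.group(1)), int(done.group(3))
            entry = procs.setdefault(pid, {"path": done.group(2), "monitor_start": None})
            entry["reason_id"] = reason
            entry["note"] = REASON_NOTES.get(reason, "see product guide result codes")
    return procs


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE_LOG).items():
        print(pid, info["path"], info["reason_id"], info["note"])
```
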

Re: ATP prevents powershell to load the commands

Hello.
I am a user of McAfee Endpoint Security 10.7.0.

The problem is that my PowerShell scripts hang randomly at start. Simple code examples to reproduce this situation are:
for /l %x in (1, 1, 100) do powershell.exe 'echo %x' - for CMD
for ($i=0; $i -le 100; $i=$i+1) {invoke-expression "powershell.exe 'echo $i'"} - for PowerShell
Moreover, starting CMD from PowerShell or running PowerShell commands in one session doesn't hang any process.

I have installed 10.7.0 February 2021 KB82450 with the following component versions:
Endpoint Security Platform 10.7.0.2421
Adaptive Threat Protection 10.7.0.2714
Threat Prevention 10.7.0.2522
Firewall 10.7.0.1686
Web Control 10.7.0.2080
All these components have "None" in "Hotfix number" and "Patch version" fields.

I hoped that the Adaptive Threat Protection patch for issue ENSW-108097 would resolve my problem, but it doesn't. This issue has the following description: "Resolves a deadlock in McAfee® Endpoint Security Adaptive Threat Protection (ATP) when Story Graph feature is enabled. Side effects of this deadlock are PowerShell not running, McAfee® Endpoint Security console not opening and so on".
Switching off the Story Graph Feature and/or disabling ATP with successive Windows restart had no effect on the problem.
My OS type is: 64-bit Windows 10 Pro 20H2 with build 19042.804. Windows Feature Experience Pack 120.2212.551.0

bertels
Level 9
Message 5 of 8

Re: ATP prevents powershell to load the commands

Hi,

We are experiencing the same issue.
Had some issues in July with powershell hangs. We received a HF (100194) to fix this.
It seemed fixed until yesterday.
New RP content (1.1.11001.7285) broke PS again, this time only on servers so far. 

Re: ATP prevents powershell to load the commands

@Kenchee_etf @bertels @hitesh_Reddy 

In our case, we had to exclude them temporarily to resolve the issue, still the investigation is in progress. I will keep us updated with the permanent fix.

Venu
bertels
Level 9
Message 7 of 8

Re: ATP prevents powershell to load the commands

Hi,

We have also a running case at the moment with support.
Latest feedback:
"While analyzing the process dump, we notice that there is an AMSI call sent from TP to ATP AMSI which is pending to be responded, however, we cannot trace this any further as the call needs to be responded by McShield.exe and a process dump from it, was not provided at the time where the issue was exhibited."
Working now on providing new logs containing a full memory dump,
I'll keep you up-to-date.

Re: ATP prevents powershell to load the commands

Hi

did you get a solution in the end?
