Reliable Contributor
Message 1 of 7

ENS 10.7 ATP MODULE Realprotect not working GTI without TIE

Only WORKS with OPTION "Enable offline scanning (Might result in increased false positives)"

 

Hello,

 

We have several customers with the ATP/TIE Module in place for years and know the product very well. Those are large deployments with TIE-Server, ATD-Sandbox etc.

Wanted to integrate and test the one without a TIE-Server and over GTI. It seems to do nothing, or something is wrong or buggy?

 

* We are aware of KB79640 and have all open already for GTI normal ENS and MSME 8.X

* ENS 10.7 APRIL 2020 (Platform, Threat, ATP Module > 3) > Example realprotect1.mcafee.com open

* Windows 10 PRO OR ENT EN/GERMAN with all latest patches

* 2 x different TEST Clients have Internet Access (1 x LAB DIRECT + 1 x Customer all McAfee Fortigate open)

* tested with McAfee RP Files (RP-D TestFile.exe/RP-S TestFile.exe)

The only WAY to get something BLOCKED OR LOGGED in NON TIE-Server (GTI only) mode is when we TURN ON THE OPTION "Enable offline scanning (Might result in increased false positives)".

As we understood it, this is for endpoints with no WAN/Internet access, isolated in VLANs. There this would be OK. (Non-change machines/Validated)

 

Sales/Marketing

In the long term we would like to use this with all our customers since the ATP Module is free now. However we need this solved first. We all understand this is very important to keep False Positives LOW without the TIE and ATD-Sandbox in place.

 

Any help welcome, we assume it's a bug today 04.05.2020

 

2020-05-04 16_15_10-local - visionapp Remote Desktop 2010.png

 

2020-05-05 16_29_21-Dokument1 - Word.jpg

6 Replies
Reliable Contributor
Message 2 of 7

Re: ENS 10.7 ATP MODULE Realprotect not working GTI without TIE

We assume you have all URL/IP open on the Firewall points where the client goes to WAN?

https://kc.mcafee.com/corporate/index?page=content&id=KB79640

We have seen the following on a machine with the ATP Module PLUS the one you did mention: realprotect1.mcafee.com

161.69.169.23,sae.gti.mcafee.com
23.10.249.26,update.nai.com
161.69.169.23,sae.gti.mcafee.com
34.249.206.168,lam.gti.mcafee.akadns.net
161.69.169.23,sae.gti.mcafee.com
161.69.169.56,cloud.gti.mcafee.com

 

Greetings from Basel

 
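One way to verify the egress the two replies above are discussing, as an added example that is not part of the thread: resolve each GTI/Real Protect hostname named on this page and test a TCP handshake to it from the endpoint. It assumes these services are reached over TCP 443 (check KB79640 for the authoritative URL and port list for your ENS version) and tests direct egress, not a proxy path.

```powershell
# Added example, not McAfee's own tooling: check DNS resolution and TCP
# egress for the GTI / Real Protect hostnames mentioned in this thread.
# Assumption: TCP 443 is the port in use; verify against KB79640.
$Hosts = @(
    'realprotect1.mcafee.com',
    'sae.gti.mcafee.com',
    'cloud.gti.mcafee.com',
    'lam.gti.mcafee.akadns.net',
    'update.nai.com'
)
$Port = 443

function Test-GtiEgress {
    param([string[]]$HostNames, [int]$TcpPort)
    foreach ($h in $HostNames) {
        $result = [ordered]@{ Host = $h; Resolved = $null; TcpOpen = $false }
        try {
            # Follow the CNAME chain down to the first A record; a failure
            # here points at DNS filtering rather than a port block.
            $a = Resolve-DnsName -Name $h -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
            $result.Resolved = $a.IPAddress
        } catch {
            $result.Resolved = 'DNS FAILED'
        }
        if ($result.Resolved -ne 'DNS FAILED') {
            # TCP handshake only; no application payload is sent.
            $tnc = Test-NetConnection -ComputerName $h -Port $TcpPort `
                       -WarningAction SilentlyContinue
            $result.TcpOpen = $tnc.TcpTestSucceeded
        }
        [pscustomobject]$result
    }
}

# Run on the client and compare the resolved addresses with the
# firewall's flow log (the IP,hostname pairs quoted in the reply above).
Test-GtiEgress -HostNames $Hosts -TcpPort $Port | Format-Table -AutoSize
```

A host that resolves but fails the TCP test is blocked downstream of DNS (firewall or IPS); if ENS is configured to use a proxy, repeat the test from the proxy host instead.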

Reliable Contributor
Message 3 of 7

Re: ENS 10.7 ATP MODULE Realprotect not working GTI without TIE

If you don't/can't have the firewall open, you can configure it to go out your proxy.  That may be an easier course, though it adds a bit of latency most likely.

Dave

Reliable Contributor
Message 4 of 7

Re: ENS 10.7 ATP MODULE Realprotect not working GTI without TIE

Hello Dave, we know. It's not the proxy or WAN access. We see all the related IP/URL going out in the flow on the Fortigate. We also built an extra setup of ENS + ePO in a LAB with direct WAN (NO IPS/AV Filters Firewall side) and the bug is still there.

So this is not Firewall related. 😉

Reliable Contributor
Message 5 of 7

Re: ENS 10.7 ATP MODULE Realprotect not working GTI without TIE

Hmm..  I just set my client to GTI-only connectivity and I was still able to get the RP-S file to detect.  I am also on the April release.  Maybe because I do have DXL connectivity?  I'm not sure at that point.  If you hit the About menu in ENS, under ATP, what does it say for your connectivity?

Reliable Contributor
Message 6 of 7

Re: ENS 10.7 ATP MODULE Realprotect not working GTI without TIE

Thanks, I hope this helps all others if we document this a little bit here.

Did they fix something in the REAL PROTECT CONTENT release today? LAB works now.

The other one we tested clearly seems to have no connection to GTI; we have to see what is missing.

I remember in the last McAfee Partner presentation they talked about reducing Firewall Ports / Protocols needed in the new Agent. I also updated the Partner client to 5.6.5.165 but it did not work before and after the Agent update (Was just a try before we searched further)

---------------------

 

Strangely, in the TEST LAB this works since this morning. (Nothing changed except AMCORE Update and Real Protect DEF Update). (See Screenshots) (Agent 5.6.3.157)

LAB, Agent 5.6.3.157 > I see "McAfee GTI Connectivity Only" > There is NO TIE OR DXL-Server there, ePO 5.9.1

INTERNAL PARTNER, Agent 5.6.5.165 > I see "Disconnected/Getrennt" > So for sure the Fortigate Firewall there blocks something, I guess. Have to see what they block again there.

 

Screenshot from LAB (The seen effect > Log did not happen yesterday > Works since this morning)

2020-05-06 09_52_32-10.20.33.11 - Remote Desktop Connection.png

Screenshot from LAB PC with direct WAN access. But I also see the same settings on my home office PC behind a restricted Sophos Firewall.

2020-05-06 09_53_54-10.20.33.11 - Remote Desktop Connection.png

I can only assume this change is now related to the REAL PROTECT DEF (Maybe our Ticket we have open did help on the McAfee side...)

2020-05-06 10_00_24-McAfee Endpoint Security.png

 

Reliable Contributor
Message 7 of 7

REALPROTECT 10.7 APRIL 2020 conhost.exe FALSE/Positive

Now since it seems to work in the lab we already see the false positive from the conhost.exe alert on a CLEAN W10 LAB Setup. (EN OS / PRO / W10 1903)

 

2020-05-06 10_21_53-10.20.33.11 - Remote Desktop Connection.png

2020-05-06 10_28_07-VirusTotal - Profil 1 – Microsoft​ Edge.png
