cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Level 10
Report Inappropriate Content
Message 1 of 7

ENS 10.7 - TP policy not applying correctly?

I have just deployed ENS 10.7 to a brand new server via ePO, tagged the same as all the other similar servers which have a custom 'ENS - Threat Prevention On-Access Scan' policy created (so they are all under a sub group in ePO system tree via tagging and have the custom policy assigned to this sub group)

I have tried updating, rebooting, double, triple checking the endpoint but the policy is not applying (ePO reckons the correct policy IS applied however) as if I look on the endpoint > threat prevention > advanced > on access scan > exclusions the exclusions list does not match the custom policy as it should 

I checked a ENS 10.5 client from the same sub group which has the correct exclusions list updated to the extra entries I put in this morning

Any ideas?!

6 Replies
Highlighted
Level 10
Report Inappropriate Content
Message 2 of 7

Re: ENS 10.7 - TP policy not applying correctly?

I should also add that all ENS extensions are updated to the 10.7 versions in ePO

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 7

Re: ENS 10.7 - TP policy not applying correctly?

Hi @jround 

One thing you could try to get an indication of if the issue is being caused by another faulty policy - assign the McAfee Default policy for all other ENSTP components to the system. Do you then see all exclusions listed? 

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted
Level 10
Report Inappropriate Content
Message 4 of 7

Re: ENS 10.7 - TP policy not applying correctly?

I just uninstalled 10.7 and put 10.5 on the server and it applies the correct policy straight away, so I will have to experiment with 10.7 on a test PC to see what is going on

McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 7

Re: ENS 10.7 - TP policy not applying correctly?

Hi @jround 

I believe @chealey is on the right track here, and your test of installing 10.5 doesn't necessarily disprove that.

An issue I have worked previously involved a 10.7 system taking an incorrect On-Access Scan policy on initial policy enforcement, while the same issue did not manifest using ENS 10.6. The root cause of the issue was a corrupt Exploit Prevention policy, which contained an entire On-Access scan policy within one of the sections of the policy manifest. ENS 10.7 seems to handle the way it enforces policy slightly different than previous versions of ENS, which can lead to this occurring.

I would recommend applying all McAfee Default policies to the system, and on-by-one performing the test with ENS 10.7 using each policy that you had assigned previously to the machine. From past experience, it is probably either your exploit prevention policy or your access protection policy that is corrupt.

See this KB for more information on how this corruption can sometimes occur: https://kc.mcafee.com/corporate/index?page=content&id=KB90280

Thanks,

Mitchell Buehler

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted
Level 10
Report Inappropriate Content
Message 6 of 7

Re: ENS 10.7 - TP policy not applying correctly?

Yes that makes sense, just I had to have the server ready to go today hence I will have to experiment with 10.7 on a test PC tomorrow with various policies to see which is causing the issue 🙂

At least it has been identifed before we considering upgrading all servers to 10.7 as that could have caused a bit of a meltdown!

Highlighted
Level 10
Report Inappropriate Content
Message 7 of 7

Re: ENS 10.7 - TP policy not applying correctly?

I had a chance to look into this further and it looks like our custom 'Exploit Prevention' policy is causing the issue, once I set that to 'McAfee Default' on a 10.7 system and apply the correct TP exclusion list is applied

Now the question is what is the best way to 'repair' the custom 'Exploit Prevention' policy with minimum impact?  As sadly it is applied to 4483 systems in ePO! (Although 95% are on 10.5.5 still)

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community