I have just deployed ENS 10.7 to a brand new server via ePO, tagged the same as all the other similar servers, which have a custom 'ENS - Threat Prevention On-Access Scan' policy created (so they are all under a sub-group in the ePO system tree via tagging and have the custom policy assigned to this sub-group).
I have tried updating, rebooting, and double- and triple-checking the endpoint, but the policy is not applying (ePO reckons the correct policy IS applied, however). If I look on the endpoint > Threat Prevention > Advanced > On-Access Scan > Exclusions, the exclusions list does not match the custom policy as it should.
I checked an ENS 10.5 client from the same sub-group, which has the correct exclusions list, updated with the extra entries I put in this morning.
One thing you could try to get an indication of whether the issue is being caused by another faulty policy: assign the McAfee Default policy for all other ENSTP components to the system. Do you then see all exclusions listed?
I just uninstalled 10.7 and put 10.5 on the server, and it applies the correct policy straight away, so I will have to experiment with 10.7 on a test PC to see what is going on.
I believe @chealey is on the right track here, and your test of installing 10.5 doesn't necessarily disprove that.
An issue I have worked previously involved a 10.7 system taking an incorrect On-Access Scan policy on initial policy enforcement, while the same issue did not manifest using ENS 10.6. The root cause of the issue was a corrupt Exploit Prevention policy, which contained an entire On-Access Scan policy within one of the sections of the policy manifest. ENS 10.7 seems to handle the way it enforces policy slightly differently than previous versions of ENS, which can lead to this occurring.
I would recommend applying all McAfee Default policies to the system, and one by one performing the test with ENS 10.7 using each policy that you had assigned previously to the machine. From past experience, it is probably either your Exploit Prevention policy or your Access Protection policy that is corrupt.
See this KB for more information on how this corruption can sometimes occur: https://kc.mcafee.com/corporate/index?page=content&id=KB90280
Yes, that makes sense; it's just that I had to have the server ready to go today, hence I will have to experiment with 10.7 on a test PC tomorrow with various policies to see which is causing the issue 🙂
At least it has been identified before we consider upgrading all servers to 10.7, as that could have caused a bit of a meltdown!
I had a chance to look into this further, and it looks like our custom 'Exploit Prevention' policy is causing the issue: once I set that to 'McAfee Default' on a 10.7 system and apply, the correct TP exclusion list is applied.
Now the question is what is the best way to 'repair' the custom 'Exploit Prevention' policy with minimum impact? As, sadly, it is applied to 4483 systems in ePO! (Although 95% are on 10.5.5 still.)