cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted

ENS 10 Threat Prevention Registry Keys

Jump to solution
We are implementing some Posture with a new Remote Access Product. Does anyone know the Registry Key/s for ENS 10.6 Threat Prevention being On/Off ? The idea being that the third party Remote Access product checks a registry key for a value that means Threat Prevention is ON before allowing internal access
1 Solution

Accepted Solutions
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 14

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Threat Prevention contains multiple components. If you are just looking for OAS the reg key to check is:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\AV\OAS\ 

The value uOasWacState 1 indicates it's enabled, 2 is disabled

 

If you need any others let us know!

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

13 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 14

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Threat Prevention contains multiple components. If you are just looking for OAS the reg key to check is:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\AV\OAS\ 

The value uOasWacState 1 indicates it's enabled, 2 is disabled

 

If you need any others let us know!

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

View solution in original post

Highlighted

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Hi,

It appears that the uOasWacState value isn't always created in the registry, is there a reason for this?

I have checked various servers and some have the value and some don't even though the Agent, Endpoint Platform and Threat Prevention are all the same version.

Thanks.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 14

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

The value is not created on some OS builds as it's not required.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Hi, thanks for the quick response. 

Ok, is there another way we can check if the OAS is enabled on Windows servers without checking ePO or being on the local machine? For example a registry key, command or file.

Thanks.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 14

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Sure! You can monitor this regkey:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVSolution\OAS\OAS\enablefileoas

The value should be 1 if OAS scanning is enabled.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
Highlighted

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Hi, thanks again for the quick reply but when disabling the OAS in the interface the registry value HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVSolution\OAS\OAS\enablefileoas remains 1

I tried switching all the other features off such as Exploit Prevention and McAfee GTI etc and still the registry key didn't change but the interface showed THREAT PREVENTION Status: Disabled. 

Thanks.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 14

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Hi @DaveDaniels 

You can make use of the following powershell command:

Get-WmiObject -Namespace "root\SecurityCenter2" -Class "AntiVirusProduct"

ProductState=262144 = Up to Date Defs, On Access Scanning OFF
ProductState=266240 = Up to Date Defs, ON Access Scanning ON
ProductState=397328 = not Up to Date Defs, ON Access Scanning
ProductState=393216 = Up to Date Defs, On Access Scanning OFF
ProductState=397312 = Up to Date Defs, ON Access Scanning ON

Alternatively using CMD:

wmic.exe /NAMESPACE:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value

 I sincerely hope this helps!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
Highlighted

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Hi @AdithyanT,

Unfortunately Windows Server does not support the SecurityCenter2 WMI namespace which is a shame as this is the method I wanted to use.

Thanks.

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 14

Re: ENS 10 Threat Prevention Registry Keys

Jump to solution

Hi @DaveDaniels 

I am sorry to hear that. I think I may have just another thing that might help you. You will be using the same return codes for verification of OAS state though. Please check under:

HKLM\Software\Microsoft\Security Center\Provider\Av

This place should list out the AV providers in your machine. Should be easy to find McAfee as you would most commonly find 2 to 3 entries there (one of them is Windows Defender by default!) 

I sincerely hope this helps! Also, for newer queries, please create a separate thread as it would attract more experts and responses! Kudos to you for keeping us updated!

Was my reply helpful?
If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Adithyan T
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community