ENS ATP 10.7.0 not detected test file for real protect

ENS ATP 10.7.0.1531 does not detect test files for testing the Real Protect scan.
ENS version 10.7, McAfee Agent 5.6.2.209.
ATP options: Enable client-based scanning - ON; Sensitivity level - High; Enable cloud-based scanning - ON; Rule Assignment - Balanced.

5 Replies

Re: ENS ATP 10.7.0 not detected test file for real protect


AdaptiveThreatProtection_Activity.log does not show any events for these test files, but I can see actions in ATP_Debug.log:

2019-12-26 15:00:36.692Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[4] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\RP-D TestFile.exe] actorCacheKey=[2951040328086604534] targetCacheKey=[2951040328086604534]
2019-12-26 15:00:36.692Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 4 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 10492 , Target Name: D:\RP-D TestFile.exe, Target command line: "D:\RP-D TestFile.exe" , Winning Rule description: Process terminate, Winning rule GUID EDEAC516-9A27-4947-A0BC-AEBCCB91C4A1
2019-12-26 15:00:36.693Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(226) | JCMTransactionCreateScan: open Process Terminate transaction. Process: D:\RP-D TestFile.exe.
2019-12-26 15:00:36.693Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
|scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.exw] actorCacheKey=[2951040328086604534] targetCacheKey=[14729107533182254338]
2019-12-26 15:00:35.247Z|Debug |Orchestrator |mfeatp | 5492| 24568|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.exw, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 24568|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test.exw, ActorCacheKey: 2951040328086604534, TargetCacheKey: 14729107533182254338
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 8996|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.exe] actorCacheKey=[2951040328086604534] targetCacheKey=[2448402683842744397]
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 8996|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.exe, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.cse] actorCacheKey=[2951040328086604534] targetCacheKey=[10560388814036929084]
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.cse, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 8996|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test.exe, ActorCacheKey: 2951040328086604534, TargetCacheKey: 2448402683842744397
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 8996|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test.cse, ActorCacheKey: 2951040328086604534, TargetCacheKey: 10560388814036929084
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 24568|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.csv] actorCacheKey=[2951040328086604534] targetCacheKey=[1879550071742376850]
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.csv, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.252Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test.csv, ActorCacheKey: 2951040328086604534, TargetCacheKey: 1879550071742376850
2019-12-26 15:00:35.252Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
2019-12-26 15:00:35.253Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.pdf] actorCacheKey=[2951040328086604534] targetCacheKey=[2993901937635414531]
2019-12-26 15:00:35.253Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.pdf, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.253Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test.pdf, ActorCacheKey: 2951040328086604534, TargetCacheKey: 2993901937635414531
2019-12-26 15:00:35.253Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
2019-12-26 15:00:35.255Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.pde] actorCacheKey=[2951040328086604534] targetCacheKey=[16365438263920364642]
2019-12-26 15:00:35.255Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.pde, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.255Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test.pde, ActorCacheKey: 2951040328086604534, TargetCacheKey: 16365438263920364642
2019-12-26 15:00:35.255Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
2019-12-26 15:00:35.262Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test1.exe] actorCacheKey=[2951040328086604534] targetCacheKey=[12951870955910095387]
2019-12-26 15:00:35.262Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test1.exe, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.262Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test1.exe, ActorCacheKey: 2951040328086604534, TargetCacheKey: 12951870955910095387

AdithyanT
McAfee Employee
Message 3 of 6

Re: ENS ATP 10.7.0 not detected test file for real protect


Hi @User47076105,

Thank you for reporting this. Owing to this report I just ran the test file on my Lab machine and I can confirm detection on 10.7 ENS ATP! This is quite strange and would require an investigation to be done from Support's end through a Service Request. Kindly please raise an SR so that we can look into this for you.


Thanks and regards,
Adithyan T
patrakshar
McAfee Employee
Message 4 of 6

Re: ENS ATP 10.7.0 not detected test file for real protect


Hi @User47076105 

Can you please clear the cache once? Disable the self protection of ENS. Open the Task Manager. Kill the MfeAtp process; it will come back automatically. Then execute the file again. Can you confirm whether that is working or not?


Re: ENS ATP 10.7.0 not detected test file for real protect


Oh, thank you, it works!!

Can you explain why this problem occurred?

[Attachments: ensreport1.png, ensreport2.png]

patrakshar
McAfee Employee
Message 6 of 6

Re: ENS ATP 10.7.0 not detected test file for real protect


The log you shared shows:

2019-12-26 15:00:35.255Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(250) | JCMTransactionCreateScan: open File Create transaction. Actor: D:\RP-D TestFile.exe. Target: D:\test.pde, ActorCacheKey: 2951040328086604534, TargetCacheKey: 16365438263920364642

This gives me a hint that a cache is most likely coming into play. It can happen that, before ATP policies were applied to scan this file, ATP already had the information that it is a clean file. As a result, from the next time onward it was picking up the same cache and marking it clean.
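To check for yourself which scan transactions ATP_Debug.log recorded for each file, and under which cache keys they were closed, here is an added example (not McAfee's code) that correlates the "ATP Event", "Winning rule" and "Closing event" records by thread id. The sample log is constructed after the lines quoted above, and the pipe-separated field positions are assumed from those lines.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ATP_Debug.log lines quoted in this thread
# (two interleaved File Create scans handled by thread ids 8996 and 23860).
SAMPLE_LOG = r"""
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 8996|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.exe] actorCacheKey=[2951040328086604534] targetCacheKey=[2448402683842744397]
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 8996|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.exe, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |scan_orchestrator.cpp(1182) | ATP Event - EventType=[1] actorPath=[D:\RP-D TestFile.exe] targetPath=[D:\test.cse] actorCacheKey=[2951040328086604534] targetCacheKey=[10560388814036929084]
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|OES |on_event_scanner.cpp(77) | Scanning event, Event Type: 1 , Actor Pid: 10492 , Actor Name: D:\RP-D TestFile.exe , Target Pid: 0 , Target Name: D:\test.cse, Target command line: , Winning Rule description: A file was created by a VTP, JCM or AMCore non trusted process, Winning rule GUID 2EAE9D37-FABC-414C-8BDB-223F51724620
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 8996|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
2019-12-26 15:00:35.251Z|Debug |Orchestrator |mfeatp | 5492| 23860|JCM |jcm_transaction_scan.cpp(891) | Closing event. Result: 0
"""

EVENT_RE = re.compile(r"ATP Event - EventType=\[(\d+)\] actorPath=\[(.*?)\] targetPath=\[(.*?)\] "
                      r"actorCacheKey=\[(\d+)\] targetCacheKey=\[(\d+)\]")
RULE_RE = re.compile(r"Winning rule GUID ([0-9A-Fa-f-]+)")
CLOSE_RE = re.compile(r"Closing event\. Result: (-?\d+)")

def parse_atp_debug(text):
    # Assumed layout: ts|level|component|process|pid|tid|module|source|message.
    # Open/rule/close records for one scan share the thread id (6th field).
    open_by_tid, done = {}, []
    for line in text.splitlines():
        parts = line.split("|", 8)
        if len(parts) < 9:  # blank or truncated record, like the cut-off line in the thread
            continue
        tid, msg = parts[5].strip(), parts[8]
        if m := EVENT_RE.search(msg):
            open_by_tid[tid] = {"ts": parts[0], "event_type": int(m[1]), "actor": m[2], "target": m[3],
                                "actor_key": m[4], "target_key": m[5], "rule_guid": None, "result": None}
        elif (m := RULE_RE.search(msg)) and tid in open_by_tid:
            open_by_tid[tid]["rule_guid"] = m[1]
        elif (m := CLOSE_RE.search(msg)) and tid in open_by_tid:
            tx = open_by_tid.pop(tid)
            tx["result"] = int(m[1])
            done.append(tx)
    return done

def by_target_key(txs):
    # Group closed scans by targetCacheKey so repeated verdicts for one object stand out.
    groups = defaultdict(list)
    for tx in txs:
        groups[tx["target_key"]].append((tx["target"], tx["event_type"], tx["result"]))
    return dict(groups)

if __name__ == "__main__":
    for key, verdicts in by_target_key(parse_atp_debug(SAMPLE_LOG)).items():
        print(key, verdicts)
```

Running it over a real ATP_Debug.log shows, per target cache key, every scan that was opened and the Result it closed with, which is the information needed to tell a cached verdict from a file that was never evaluated.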
