We are implementing the ENS 10.5.3 and discovered a combination with Firefox that is puzzling us, through it we can download the Eicar.com. And open it with Notepad++, or Gedit.
What we found along the last week:
- We can download Eicar.com through Firefox, AND read it with Notepad++ or Gedit. If we try to open it with Notepad or copy Eicar.com with Windows Explorer the ENS deletes the file.
- Using Google Chrome, Waterfox, Powershell, IE, the ENS does its job and blocks the saving of download Eicar.com or quickly deletes the file after the download.
- The only exception was a Firefox that could not save the file due ENS. The policies and product versions of Mcafee are the same between it and my computer - for example (both computers are in the Homologation group). It could be a clue but we found nothing until now.
ENS keeps watching the grass grow with:
- Firefox 41.0.2 32 bit
- Firefox 43.0.1 32 bit
- Firefox 46.0.1 32 bit
- Firefox 56.0.0 32 bit
- Firefox Quantum 58.0.2 32 bit
- Firefox Quantum 58.0.2 64 bit
ENS does its job with:
- Google Chrome 54.0.2840.99 m
- Google Chrome 55.0.2883.87 32 bit
- Google Chrome 62.0.3202.94 64 bit
- Google Chrome 63.0.3239.132 64 bit
- Internet Explorer 9
- PowerShell 32 bit
- PowerShell 64 bit
- Waterfox 22.214.171.124 64-bit
- Firefox Quantum 58.0.1 64 bit
- Firefox Quantum 58.0.2 64 bit (the same computer from above, I asked the workmate to update his Firefox)
There is not any exclusion policy regarding Firefox or its folders. We tested 25 times, on different computers, browsers and versions, 32 and 64 bits, and SO - Windows 7 and 10. Even increasing the level log nothing different is registered.
The ideal solution would be set ENS to scan all files as we did with VSE, but due an incompatibility with ENS with a powerful IT support suite (from remote control to inventory and auditory) - when scanning all files the ENS blocks the suite and does not report anything, the Mcafee support partner workarounded the problem with "Default and additional file types" scanning and many exclusions.
We configured VSE to scan all files when writing and reading, but this option does not exist on ENS, there is only on reading OR writing, or "Let Mcafee decide"... =/ We choose this last one.
Do you have any idea?
Almost a PS: I noticed that ENS does not alert the user on a remote desktop connection. The alert is shown only if the MA icon was load.
Sounds like you have done some pretty indepth testing so far. What I would ask if you are still running into this issue is to give us a call. There are a couple differnet things that we can look at within policy and then ensuring that those modifications make it's way to the desired client correctly. If you give us a call and create an SR one of the ENS guys/gals should be able to assist you and advise on what is going wrong. Maybe you'll get me on the line and we can take a look at it together! Definately open an SR so we can take a look at it together though.