
Exploit Prevention Events - not showing all events

Hello,

I have several systems generating EP events, but they are not displaying under Reporting --> Exploit Prevention Events. The last event to be reported was 05/30/18, but events on the client are being generated every day since. Any ideas?

Accepted Solutions

ta11 (Level 9), Message 8 of 9

Re: Exploit Prevention Events - not showing all events

This is clarified with support for now.

The Exploit Prevention Events menu is related to Buffer Overflow signatures (not FILES class) events.

rgds

T

chealey (McAfee Employee), Message 9 of 9

Re: Exploit Prevention Events - not showing all events

Actually we do have it documented in the product guide:

https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/27000/PD27574/en_US/... 

Only buffer overflow and illegal API events are expected under Exploit Prevention Events.

8 Replies
denn (Level 10), Message 2 of 9

Re: Exploit Prevention Events - not showing all events

Have you tried to reinstall the McAfee Agent? I had the same issue: the Agent was communicating with ePO and receiving tasks, but not reporting any events to ePO. After an Agent reinstall the issue was resolved.

Re: Exploit Prevention Events - not showing all events

Reinstalling the agent doesn't resolve the issue. Clients are sending events to ePO successfully, but Menu --> Exploit Prevention Events does not show any of the events after 5/30. If I create a manual query I can view all EP events. Furthermore, I receive an error when attempting to open any event currently under Menu --> Exploit Prevention Events. 

Re: Exploit Prevention Events - not showing all events

Did you validate whether all events are being sent back to ePO? This can be done manually on the endpoint.

Also, are you using the default settings, which only gather 'HIGH' McAfee-defined messages? There are still a plethora of messages classified as 'LOW' and 'MEDIUM' which are not ticked/checked by default. Please take a look there in the configuration section and check the endpoint message uploads again from the endpoint to ePO.

Re: Exploit Prevention Events - not showing all events

The issue is that the events are appearing under the Threat Events section of the machine record in ePO, just not in the 'Exploit Prevention Events' section in the console.

So the events are reported in ePO & present in the DB somewhere, just not in the area that makes the creation of new exclusions simple.

ta11 (Level 9), Message 6 of 9

Re: Exploit Prevention Events - not showing all events

Hi, I'm seeing the same issue. Exploit prevention events are received by ePO and viewable in threat events view, but not all are viewable in Exploit prevention events view. 

chealey (McAfee Employee), Message 7 of 9

Re: Exploit Prevention Events - not showing all events

I would recommend opening a support ticket for this issue. I've heard about it a few times but haven't been able to reproduce myself or see any escalations to our Dev team about this.

Generally speaking any EP events should go into that EP Events view.

What would be useful for support? 
If you know how to reproduce the issue, then find a client, reproduce the issue and gather the event xml file that's created locally (C:\ProgramData\McAfee\Agent\AgentEvents). This along with a MER from the client (ideally with ENS debug logging enabled) and screenshots from your ePO should help us.
