Hello,
I have several systems generating EP events, but they are not displaying under Reporting --> Exploit Prevention Events. The last event to be reported was 05/30/18, but events on the client have been generated every day since. Any ideas?
This is clarified with support for now.
The Exploit Prevention Events menu is related to Buffer Overflow signatures (not FILES class) events.
rgds
T
Actually we do have it documented in the product guide:
Only buffer overflow and illegal API events are expected under Exploit Prevention Events.
Have you tried reinstalling the McAfee agent? I have the same issue: agent communicating with ePO, receiving tasks, but not reporting any events to ePO. After agent reinstall, the issue was resolved.
Reinstalling the agent doesn't resolve the issue. Clients are sending events to ePO successfully, but Menu --> Exploit Prevention Events does not show any of the events after 5/30. If I create a manual query I can view all EP events. Furthermore, I receive an error when attempting to open any event currently under Menu --> Exploit Prevention Events.
The issue is that the events are appearing under the Threat Events section of the machine record in ePO, just not appearing in the 'Exploit Prevention Events' section in the console.
So the events are reported in ePO & present in the DB somewhere, just not in the area that makes the creation of new exclusions simple.
Hi, I'm seeing the same issue. Exploit prevention events are received by ePO and viewable in threat events view, but not all are viewable in Exploit prevention events view.
I would recommend opening a support ticket for this issue. I've heard about it a few times but haven't been able to reproduce it myself or see any escalations to our Dev team about this.
Generally speaking, any EP events should go into that EP Events view.
What would be useful for support?
If you know how to reproduce the issue, then find a client, reproduce the issue and gather the event XML file that's created locally (C:\ProgramData\McAfee\Agent\AgentEvents). This, along with a MER from the client (ideally with ENS debug logging enabled) and screenshots from your ePO, should help us.