We are running a pilot of Netskope on our infosec machines that are also running test versions of ENS 10.7. During an upgrade of Netskope on 12/10/19 there was a failure of the upgrade. The command line upgrade looks like this:
MSI logs show the following:
- upgrade is reporting "files in use", specifically stAgentSvc
- this is possibly because taskkill.exe is failing to shut down stAgentUI
- the roll-back stage of the MSI removes all of the files from c:\Program Files (x86)\Netskope\STAgent\ and .\win10
- it also attempts to remove the folder itself, but that failed
This does not happen if exploit prevention is disabled. There are no McAfee event logs in threat prevention or exploit prevention that show this intervention, but the upgrade works if exploit prevention is off.
Is there any information that you could give or further digging we could do on our end that could solve this issue?
Another update to this, see attached. When attempting a fresh install of the Netskope client, the error logs regarding StopSTAgentUI/STAgentUI are attached. The installer fails to stop the STAgentUI with exploit prevention on, but allows STAgentUI to stop and then registers components after exploit prevention is disabled, but there are no logs in McAfee despite logging set to all.
This is not helpful unfortunately. We've already made a service request with the company and I have done this on several logging levels (critical and high only and all). Could a McAfee representative chime in here for some support?
Something you could try: check whether Netskope has a code-signing certificate, which you could add to the exclusions on the EPO, and then attempt the Netskope agent install.
I'm more concerned with why this process is being blocked and not logged. Excluding would fix the problem but doesn't get to the root cause.
Can anyone from McAfee point me to someone who can describe more what is happening?