cancel
Showing results for 
Search instead for 
Did you mean: 
cy_al
Level 8
Report Inappropriate Content
Message 1 of 7

Installing ENS on Endpoints with MCDATREP1000

Jump to solution

Hi,

So we've been migrating from VSE and installing (via ePO) ENS 10.5.4 to our endpoints and noticed that some of them are failing in installation. All of which are either Win7 or Win10, and within or above the minimum system requirements.

All endpoints seem to be functioning properly. The only thing they have in common is that they all have DAT Reputation (MCDATREP1000) installed. Is it possible that this can cause ENS installation failures?

Thanks!

1 Solution

Accepted Solutions
McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: Installing ENS on Endpoints with MCDATREP1000

Jump to solution

As you are seeing the 1092 events, you are seeing an injector. You can find out which injector is causing an issue by looking at the sysprep logs on the local machine.  As you are performing the upgrade via ePO you can find the logs in C:\Windows\Temp\McAfeeLogs. Review the logs and you will find the dll causing the issues. You will then need to look at the dll on the machine and check if it is signed, signed with an expired certificate or unsigned. In the first two cases you can add the certificate to the ENS trust store by exporting the .cer file and importing it into your ENS Common policy. If it's unsigned you should contact the vendor of the application and ask for them to digitally sign the file. More on injectors and how to add the .cer files can be found here: https://kc.mcafee.com/corporate/index?page=content&id=KB88085

Further you might want to look at using our EUA Tool. It won't help you with these events but might make your life a bit easier with the migration. The McAfee Endpoint Upgrade Assistant is a tool designed to help with analyzing, planning, and executing your upgrade from McAfee Virusscan Enterprise / McAfee Endpoint Security to latest version of McAfee Endpoint Security. You can find it in the McAfee Support Portal (https://support.mcafee.com) Knowledge Center, if you search for “Endpoint Upgrade Assistant”.

Here are some more details about the tool: https://kc.mcafee.com/corporate/index?page=content&id=KB88141

 

Also VSE can be used on ePO 5.10 - the compatible version is patch 11 and higher: https://kc.mcafee.com/corporate/index?page=content&id=KB90383

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
6 Replies
Highlighted
wouterr
Level 11
Report Inappropriate Content
Message 2 of 7

Re: Installing ENS on Endpoints with MCDATREP1000

Jump to solution

Hi,

VSE Dat reputation (MCDATREP1000) functionality will be removed by the ENS installer, so this should not be a problem.

benp
Level 8
Report Inappropriate Content
Message 3 of 7

Re: Installing ENS on Endpoints with MCDATREP1000

Jump to solution

Im having the same problem... so then is there a problem with the ENS installer?

Perhaps a little back story.. I am in the process of migrating from 5.3.2 to 5.10 completely from scratch... I was under the same assumption and have moved 200 clients just to have a play around before the complete cutover. Alot have successfully uninstalled but I have about 20 odd clients (Win7, SP1, 7601) that seem to be stuck. Im curently adding and deleting columns to see what the similarities and differences of the systems are..

I have noticed in the Threat events that they all have the same 'Core Protection - Protect core McAfee files and folders' so it seems the uninstaller (which I guess is 'McAfee System Prep Tool') is triggering Access Protection somehow..   

Detecting Prod ID (deprecated): ENDP_GS_1050

Detecting Product Name: McAfee System Prep Tool

Event Category: 'Process' class or access

Event ID: 1092

Threat Severity: Information

Threat Name: Core Protection - Protect core McAfee files and folders 

Threat Type: Self Protection 

Action Taken: Blocked

Event Description: Access Protection rule violation detected and blocked

 

McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 4 of 7

Re: Installing ENS on Endpoints with MCDATREP1000

Jump to solution

@benp 

The SYSPREP tool is unbuilt into the ENS installer and it checks for any injectors on the machine. This is what happens when the utility runs:

  • It automatically updates the McAfee Trust store for third-party injectors that McAfee recognizes and that exist on the system. It sends Event ID 1095 for these injectors and writes them to the logs.
    • You can verify that trust has been added here: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\McAfee Trust
  • It identifies any unknown injectors, and determines if they are signed or unsigned. It sends Event 1092 for these injectors and writes them to the logs.
    • Lines indicating failure to add trust, are denoted with an '[E]' following the date and time stamps.

The events created by this utility do not populate to the Endpoint Common policy. Any entries in the Endpoint Common policy are injectors in the environment that Endpoint Security has already identified. If no measures have been taken to trust that certificate or remove the third-party software from the environment, the application might cause issues for Endpoint Security, sporadically throughout the environment.

 

DATREP should not be causing any issues.

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
benp
Level 8
Report Inappropriate Content
Message 5 of 7

Re: Installing ENS on Endpoints with MCDATREP1000

Jump to solution

Thanks for the reply! Yeah I came to the conclusion that it had nothing to do with DATREP...

The first systems I transfered to the new ePO environment, I was deleting the VSE as a step before the transfer.. When a colleague said 'dont bother' it happens automatically.. But half the Clients I moved without removing VSE are having this problem now.. And from my understanding 5.10 doesn't support VSE in anyway so I can't  even create a Uninstall VSE Client task..... or can I? What would you suggest?

 

 

McAfee Employee chealey
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: Installing ENS on Endpoints with MCDATREP1000

Jump to solution

As you are seeing the 1092 events, you are seeing an injector. You can find out which injector is causing an issue by looking at the sysprep logs on the local machine.  As you are performing the upgrade via ePO you can find the logs in C:\Windows\Temp\McAfeeLogs. Review the logs and you will find the dll causing the issues. You will then need to look at the dll on the machine and check if it is signed, signed with an expired certificate or unsigned. In the first two cases you can add the certificate to the ENS trust store by exporting the .cer file and importing it into your ENS Common policy. If it's unsigned you should contact the vendor of the application and ask for them to digitally sign the file. More on injectors and how to add the .cer files can be found here: https://kc.mcafee.com/corporate/index?page=content&id=KB88085

Further you might want to look at using our EUA Tool. It won't help you with these events but might make your life a bit easier with the migration. The McAfee Endpoint Upgrade Assistant is a tool designed to help with analyzing, planning, and executing your upgrade from McAfee Virusscan Enterprise / McAfee Endpoint Security to latest version of McAfee Endpoint Security. You can find it in the McAfee Support Portal (https://support.mcafee.com) Knowledge Center, if you search for “Endpoint Upgrade Assistant”.

Here are some more details about the tool: https://kc.mcafee.com/corporate/index?page=content&id=KB88141

 

Also VSE can be used on ePO 5.10 - the compatible version is patch 11 and higher: https://kc.mcafee.com/corporate/index?page=content&id=KB90383

Was my reply helpful?
If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?
benp
Level 8
Report Inappropriate Content
Message 7 of 7

Re: Installing ENS on Endpoints with MCDATREP1000

Jump to solution

I dont think the MCDATREP1000 is the problem.. I have compliant systems that also have this installed and are fine.. 

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community