jmcg
Level 10
Message 1 of 17

McAfee ATP RP-S TestFile.exe ID 5


Hello,

Just wanted to test ATP RealProtect with KB88828.

RP-D TestFile.exe is detected and deleted. Cool.

RP-S TestFile.exe exits with reason ID 5 (not enough even). Why?

Could someone tell me why RP-S TestFile.exe is not deleted?

Using version 10.6.1.1064 on Windows 7.

Thx.

3 Solutions

Accepted Solutions
jmcg
Level 10
Message 2 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

It has not been deleted because the sensitivity level was set to medium.
Changing the sensitivity to high deletes the RP-S TestFile.exe.
jmcg
Level 10
Message 13 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

You will have better results using a TIE Server.

The issue may come from a setting in the strategy.

If you can provide a screenshot of your settings, it would be easier to help you.
jmcg
Level 10
Message 17 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

This is the ENS TP policy.

You need to put HIGH on the ENS ATP policy.
16 Replies
Roberst
Level 9
Message 3 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

Hello everybody,
since my problem is similar, I did not want to open a new thread.

In my test environment (newly installed ePO, ENS 10.6) I have the problem that the RP-S test file is found ONLY if I tick "Enable Offline Scans" under "Real Protect Scan" in the ATP policy.
Otherwise it is neither blocked nor deleted.

The RP-D test file was also only found and deleted after I had switched the cloud-based scan on once and then off again!

Can someone tell me why the RP-S test file is not deleted until I tick "Enable Offline Scans"?


jmcg
Level 10
Message 4 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

Hello, what is your sensitivity level?
Roberst
Level 9
Message 5 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

Hi jmcg,

I had tried it first with the standard "Medium" level.

But even with the sensitivity level "High" there is no improvement.

jmcg
Level 10
Message 6 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

@Roberst

Could you tell me the reason ID of your file?

You can find the log here:

"C:\ProgramData\McAfee\Endpoint Security\Logs\AdaptiveThreatProtection_Activity.log"

Look for "RP-S TestFile.exe" and give me the ID you have when it's not working.
Roberst
Level 9
Message 7 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

Of course, no problem:

RealProtect.Activity: Überwachung von Prozess mit Prozess-ID 1032 , Dateipfad C:\USERS\ADMINISTRATOR\DOCUMENTS\REALPROTECT-TESTFILE\RP-S TESTFILE.EXE , durch Real Protect-Cloud-Scanner
28.05.2019 16:49:00 mfeatp(2168.3224) Orchestrator.RepChangeListener.Activity: Real Protect-Cloud-Scanner-Verfolgung abgeschlossen für Prozess-ID 1032 , Datei C:\Users\Administrator\Documents\RealProtect-TestFile\RP-S TestFile.exe mit Grund-ID 1

Roberst
Level 9
Message 8 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

@jmcg

Sorry, here is the log entry with "Offline Scans" enabled:

Orchestrator.Action.Activity: Folgende Aktion wurde für Datei C:\USERS\ADMINISTRATOR\DOWNLOADS\REALPROTECT-TESTFILE\RP-S TESTFILE.EXE mit Reputation 1 ausgeführt: Säubern
28.05.2019 17:07:40 mfeatp(2168.7384) Orchestrator.Action.Activity: Aktionsdetails:: Datei: RP-S TESTFILE.EXE , Modus: Erzwingen , Scanner: Real Protect-Client , Erkennungsname: Real Protect-LS!930dd4b3661c , Reputation: 1 [Als bösartig bekannt] , ActionTaken: Säubern Regel-ID: 0 , Inhaltsversion: Nicht verfügbar
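The check jmcg asked for (find the test file in AdaptiveThreatProtection_Activity.log and read off its reason ID) can be scripted. The following parser is an added example, not code from the thread or from McAfee: it works on lines in the German-locale format quoted above, and the English keyword alternatives in the regexes and the third sample line (a constructed "reason ID 5" entry like the original poster's case) are assumptions.

```python
import re
from typing import List

# Two lines quoted from Roberst's posts above (German-locale ENS 10.6 log) plus one
# CONSTRUCTED line in the same format recording the reason ID 5 case from the first post.
SAMPLE_LOG = """\
28.05.2019 16:49:00 mfeatp(2168.3224) Orchestrator.RepChangeListener.Activity: Real Protect-Cloud-Scanner-Verfolgung abgeschlossen für Prozess-ID 1032 , Datei C:\\Users\\Administrator\\Documents\\RealProtect-TestFile\\RP-S TestFile.exe mit Grund-ID 1
28.05.2019 17:07:40 mfeatp(2168.7384) Orchestrator.Action.Activity: Aktionsdetails:: Datei: RP-S TESTFILE.EXE , Modus: Erzwingen , Scanner: Real Protect-Client , Erkennungsname: Real Protect-LS!930dd4b3661c , Reputation: 1 [Als bösartig bekannt] , ActionTaken: Säubern Regel-ID: 0 , Inhaltsversion: Nicht verfügbar
29.05.2019 09:12:30 mfeatp(2168.3224) Orchestrator.RepChangeListener.Activity: Real Protect-Cloud-Scanner-Verfolgung abgeschlossen für Prozess-ID 1500 , Datei C:\\Users\\Administrator\\Downloads\\RP-S TestFile.exe mit Grund-ID 5
"""

# "Tracking completed ... reason ID" lines. The German keywords come from the log excerpt
# in this thread; the English alternatives ("file", "with reason ID") are an assumption.
TRACKING_RE = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) .*?"
    r"(?:Datei|file) (?P<path>.+?) (?:mit Grund-ID|with reason ID) (?P<id>\d+)\s*$"
)
# "Aktionsdetails" lines: which scanner acted, with what reputation, and the action taken.
ACTION_RE = re.compile(
    r"Datei: (?P<file>.+?) , .*?Scanner: (?P<scanner>.+?) , .*?"
    r"Reputation: (?P<rep>\d+) .*?ActionTaken: (?P<action>\S+)"
)

def _matches(path: str, filename: str) -> bool:
    # Paths appear in mixed case across lines, so compare case-insensitively.
    return path.strip().lower().endswith(filename.lower())

def reason_ids(log_text: str, filename: str) -> List[dict]:
    """Timestamp, path and reason ID of every cloud-scanner tracking line for filename."""
    out = []
    for line in log_text.splitlines():
        m = TRACKING_RE.match(line)
        if m and _matches(m["path"], filename):
            out.append({"ts": m["ts"], "path": m["path"], "reason_id": int(m["id"])})
    return out

def actions(log_text: str, filename: str) -> List[dict]:
    """Scanner, reputation and action of every action-detail line for filename."""
    out = []
    for line in log_text.splitlines():
        m = ACTION_RE.search(line)
        if m and _matches(m["file"], filename):
            out.append({"scanner": m["scanner"], "reputation": int(m["rep"]), "action": m["action"]})
    return out

if __name__ == "__main__":
    for ev in reason_ids(SAMPLE_LOG, "RP-S TestFile.exe"):
        print(f'{ev["ts"]}  reason ID {ev["reason_id"]}  {ev["path"]}')
    for ac in actions(SAMPLE_LOG, "RP-S TestFile.exe"):
        print(f'{ac["scanner"]}  reputation {ac["reputation"]}  action {ac["action"]}')
```

To run it against a real endpoint, read the log path jmcg gave above into `log_text` instead of `SAMPLE_LOG`; a tracking line without a following action line for the same file is the "not working" case to report.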

jmcg
Level 10
Message 9 of 17

Re: McAfee ATP RP-S TestFile.exe ID 5

Just saw your offline log.

It looks like your cloud scanner does not receive the reputation.

Could you try nslookup on those CNAMEs:

cloud.gti.mcafee.com
ens.rest.gti.mcafee.com
compute.amazonaws.com
realprotect1.mcafee.com

Every CNAME should respond.

Re: McAfee ATP RP-S TestFile.exe ID 5

Sorry, my fault.

Here is the response from all servers:

C:\Windows\system32>nslookup cloud.gti.mcafee.com
Server: UnKnown
Address: 192.168.95.0

Nicht autorisierende Antwort:
Name: global.gti.mcafee.akadns.net
Addresses: 161.69.169.25
161.69.169.17
161.69.169.22
161.69.169.61
161.69.169.27
161.69.169.57
161.69.169.62
161.69.169.60
Aliases: cloud.gti.mcafee.com


C:\Windows\system32>nslookup ens.rest.gti.mcafee.com
Server: UnKnown
Address: 192.168.95.0

Nicht autorisierende Antwort:
Name: rest-lb-dublin.gtinative.cloudplatform.mcafee.com
Addresses: 34.249.206.168
52.215.124.82
Aliases: ens.rest.gti.mcafee.com
lam.gti.mcafee.akadns.net


C:\Windows\system32>nslookup compute.amazonaws.com
Server: UnKnown
Address: 192.168.95.0

Name: compute.amazonaws.com


C:\Windows\system32>nslookup realprotect1.mcafee.com
Server: UnKnown
Address: 192.168.95.0

Nicht autorisierende Antwort:
Name: realprotectelb-1104622282.us-west-2.elb.amazonaws.com
Addresses: 35.164.235.110
52.41.73.69
54.186.175.197
Aliases: realprotect1.mcafee.com
