If there is a Windows machine that runs McAfee ENS and a user wants to stop the services / disable McAfee altogether from their end, how do they do that?
Also, when they don't want any communication to happen from the client side to ePO, how should they stop that?
I want a way to do this from the client end, and I am also looking for the options or configurations that need to be set on the ePO side to give the user the capability to stop the services / disable AV / stop the communication to ePO.
I want the same info for Linux machines as well.
Thanks in advance,
Hi @User87791215(Sabari Kumar KB)
Woah! That's a lot of questions in one post. I am not sure if I can answer all of them, but I have tried to answer a few.
For any action you want to perform on the endpoint, you would first need to allow the user to make changes to the product. That would involve disabling the "Self protection" features in both the Agent (General) and Endpoint Security Common (Options) policies. Now, if a user wants to disable ENS locally, we would only recommend doing it via the GUI. Support would not recommend any other means.
Also, not all ENS services are visible in the Services.msc console. In order to prevent external control, we use our own services management tool called mfemms.exe.
Quoting from the linked article on mmsinfo.exe:
"The goal of MMS is to reduce the security risks of Microsoft SCM-managed services being shut down or disabled by malware. Core McAfee security services are managed by MMS rather than SCM, and are protected by self-protection features, making them less susceptible to malware attacks and security vulnerabilities."
Under Endpoint Security Common policy > Options, select the required policy, select Edit, and under Client Interface Mode select Full access. This is to ensure any user can open the ENS console with full privileges. Now any user can open the client UI, access its settings and disable the protection features one by one as they would like to.
Regarding McAfee Agent, one more interesting feature is involved in the protection of its services. It is Exploit Prevention Signature ID 1023. You might want to disable that.
Additionally, we also have Safe Mode, which can help any user to disable, remove or disarm drivers; however, we would not want to talk about that here.
Additionally, we can always disable all protection features from the respective policies on the ePO as well.
Also, stopping the agent services (McAfee Agent Service, McAfee Agent Backwards Compatibility Service and McAfee Agent Common Service) will stop the agent from communicating with the server.
Also, an endpoint firewall like Windows Defender Firewall can be used to block inbound and outbound traffic via certain ports or the ePO server address based on this KBA.
Having discussed the above possibilities, I would like to stress the fact that we would not recommend any of these activities under ideal circumstances, as this is lowering the protection offered by the endpoint by miles, and the wrong implementation or usage of these might result in the endpoint being unable to function against malware.
I sincerely hope this helps!
Hi @User87791215 (Sabari Kumar KB),
Also, regarding the Linux-related questions, I guess you might have better luck posting them in this forum.
You can follow the steps below to stop, start and check ENSLTP services.