We have an issue that has been occurring over the last few days in which, in no particular order, Threat Prevention is being disabled on Endpoints.
ENS10.5.3/MA5.5/ePO5.3.2 on prem
On looking at the Endpoint Security platform error log, the following error was logged at the start of this issue:
04/16/2018 01:55:07.418 PM MfeUpgradeTool(2596.8660) <SYSTEM> blframework.ESConfigTool.Error (ImportExportUtil.cpp:353): Received invalid XSD contract from business object CertManagerBO, skipping business object
04/16/2018 01:55:07.702 PM MfeUpgradeTool(2596.8660) <SYSTEM> blframework.ESConfigTool.Error (ImportExportUtil.cpp:337): Unable to export properties for business object, Reputation-Unified
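The two log lines quoted above can be parsed mechanically to see which endpoints logged the same MfeUpgradeTool errors. This is an added example, not part of the thread or of any McAfee tooling; the line layout is inferred only from those two lines, and the host names, field names and the non-matching line are constructed.

```python
import re
from datetime import datetime

# Layout inferred only from the two quoted log lines; group names are this example's own.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M)\s+"
    r"(?P<proc>\S+?)\((?P<pid>\d+)\.(?P<tid>\d+)\)\s+"
    r"<(?P<user>[^>]+)>\s+"
    r"(?P<logger>\S+)\.(?P<level>\w+)\s+"
    r"\((?P<src>[^:()]+):(?P<srcline>\d+)\):\s+"
    r"(?P<msg>.*)$"
)
# Both messages name the object after the words "business object" (optionally a comma).
BO_RE = re.compile(r"business object,?\s+(?P<bo>[\w-]+)")

def parse_line(line):
    """Return a dict of fields, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S.%f %p")
    bo = BO_RE.search(rec["msg"])
    rec["business_object"] = bo.group("bo") if bo else None
    return rec

def summarize(lines_by_host):
    """Map (process, source location, business object) -> hosts that logged it at Error level."""
    hits = {}
    for host, lines in lines_by_host.items():
        for line in lines:
            rec = parse_line(line)
            if rec is None or rec["level"] != "Error":
                continue
            key = (rec["proc"], f"{rec['src']}:{rec['srcline']}", rec["business_object"])
            hits.setdefault(key, set()).add(host)
    return hits

# The two lines from the post; HOST-A/HOST-B and the unparseable line are constructed.
XSD = ("04/16/2018 01:55:07.418 PM MfeUpgradeTool(2596.8660) <SYSTEM> "
       "blframework.ESConfigTool.Error (ImportExportUtil.cpp:353): Received invalid XSD "
       "contract from business object CertManagerBO, skipping business object")
EXPORT = ("04/16/2018 01:55:07.702 PM MfeUpgradeTool(2596.8660) <SYSTEM> "
          "blframework.ESConfigTool.Error (ImportExportUtil.cpp:337): Unable to export "
          "properties for business object, Reputation-Unified")
SAMPLE = {"HOST-A": [XSD, EXPORT, "not a log line"], "HOST-B": [XSD]}

if __name__ == "__main__":
    for key, hosts in sorted(summarize(SAMPLE).items()):
        print(key, sorted(hosts))
```

Grouping by source location and business object rather than by full message keeps the same failure together across endpoints even when timestamps and process IDs differ.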
Please collect a MER and contact support.
There is not enough information here to be conclusive.
It could be that the deployment task is continuing to execute due to a bug fixed in 10.5.3 HF2
(HF3 is the latest)
That issue is mentioned in KB82450 and KB90198.
While there is a fix that will apply to future deployments, the real solution would be to disable the deployment.
Disable\Modify the product deployment task that is running the deployment for the ENS 10.5.3 Common Platform module multiple times.
I'm having the exact same issue.
In ePO for affected systems, it looks like Threat Prevention is not even installed! And this is happening on systems that I know had it installed at one time. Every day I see different ones with the issue, some even after fixing them one or more times.
Unfortunately though, I'm seeing the same issue with other modules - ATP, Platform and DXL Client. I currently have about 175 systems that are not reporting different modules. I noticed on one device that TP was not enabled/running from the local console. A reboot did not fix it - I had to run an uninstall task, push a new agent and then reinstall TP. But with 175 affected devices, I'm not sure how to proceed, especially when I know it won't be a permanent solution.
I'm at a loss and extremely dissatisfied with this product.
The cause of our issue was traced to corruption in the master repository in ePO. Endpoints that did have TP enabled were having it broken by an ePO install task attempting to reinstall the ENS platform, thereby breaking the software. What was done was to remove all ENS software from the master repository, then check it in again. Software only, no patches or hotfixes. If you are going to check in patches, check them in to the Evaluation branch, not into the Current branch. Yes, it flies in the face of established practice of ePO, but this is what causes the problem: checking all software into the same branch. With regard to the affected endpoints, you need to run the mferemoval tool from ePO on them, restart and reinstall the software. This is far from an ideal solution, but that's what we were left with.
Thanks for your reply midolan. Unfortunately, I have almost 200 systems that would need the removal tool run. I can't believe it's not an easier process to resolve issues like these. It definitely puts a bad taste in my mouth about the product. Just too many issues....
If you package up the ripper with EEDK it should be smooth. It doesn't sound like a product issue, but a deployment one. The alternative is to use a third party tool to deploy.
Thanks for the reply.
The issue here is that these systems had no issues until one day the AMCore Compliance query started showing incorrect results. This happened about the same time that many systems, that once had all products installed, began showing that some or all of those products were not installed in ePO console.
The initial deployment looked really good and we didn't see any of these issues for a few months, so I don't know if it's really a deployment problem.
It appears that 3rd party DLLs are injecting into the software and altering the behavior of ENS much like malware would, only that it is a legitimate file/process. Running the mfesysprep tool from ePO on the endpoint in most cases immediately resolves the issue and Threat Prevention is re-enabled. Third party software such as Bluetooth & Apple Bonjour service can cause this. Running the sysprep tool marks the software as trusted, thereby resolving the issue, which is not related to ePO deployment at all.