midolan
Level 7
Message 1 of 11

Threat Prevention Not Enabled on random Endpoints

We have an issue that has been occurring over the last few days in which, in no particular order, Threat Prevention is being disabled on Endpoints.

Software versions 

ENS10.5.3/MA5.5/ePO5.3.2 on prem

On looking at the Endpoint Security platform error log, the following error was logged at the start of this issue:

04/16/2018 01:55:07.418 PM MfeUpgradeTool(2596.8660) <SYSTEM> blframework.ESConfigTool.Error (ImportExportUtil.cpp:353): Received invalid XSD contract from business object CertManagerBO, skipping business object

04/16/2018 01:55:07.702 PM MfeUpgradeTool(2596.8660) <SYSTEM> blframework.ESConfigTool.Error (ImportExportUtil.cpp:337): Unable to export properties for business object, Reputation-Unified

 

10 Replies
midolan
Level 7
Message 2 of 11

Re: Threat Prevention Not Enabled on random Endpoints

Just checked this morning: 10 more Endpoints have Threat Prevention status 'Not Available' in ePO over the weekend. Any ideas, anybody?
McAfee Employee dmcgeary
Message 3 of 11

Re: Threat Prevention Not Enabled on random Endpoints

Please collect a MER and contact support. 

There is not enough information here to be conclusive.
It could be that the deployment task is continuing to execute due to a bug fixed in 10.5.3 HF2
(HF3 is the latest).

That issue is mentioned in KB82450 and KB90198
https://kc.mcafee.com/corporate/index?page=content&id=KB82450

While there is a fix that will apply to future deployments, the real solution would be to disable the deployment.
Disable/modify the product deployment task that is running the deployment for the ENS 10.5.3 Common Platform module multiple times.

midolan
Level 7
Message 4 of 11

Re: Threat Prevention Not Enabled on random Endpoints

Support has been contacted. Where can I obtain HF3? I assume patches and HFs are different.

Re: Threat Prevention Not Enabled on random Endpoints

I'm having the exact same issue. 

In ePO for affected systems, it looks like Threat Prevention is not even installed!  And this is happening  on systems that I know had it installed at one time.  Every day I see different ones with the issue, some even after fixing them one or more times.

Unfortunately though, I'm seeing the same issue with other modules - ATP, Platform and DXL Client.  I currently have about 175 systems that are not reporting different modules.  I noticed on one device that TP was not enabled/running from the local console.  A reboot did not fix it - I had to run an uninstall task, push a new agent and then reinstall TP.  But with 175 affected devices, I'm not sure how to proceed, especially when I know it won't be a permanent solution.

I'm at a loss and extremely dissatisfied with this product.

midolan
Level 7
Message 6 of 11

Re: Threat Prevention Not Enabled on random Endpoints

The cause of our issue was traced to corruption in the master repository in ePO. Endpoints that did have TP enabled were having it broken by an ePO install task attempting to reinstall the ENS platform, thereby breaking the software. What was done was to remove all ENS software from the master repository, then check it in again. Software only, no patches or hotfixes. If you are going to check in patches, check them in to the Evaluation branch, not into the Current branch. Yes, it flies in the face of established practice of ePO, but this is what causes the problem: checking all software into the same branch. With regard to the affected endpoints, you need to run the mferemoval tool from ePO on them, restart and reinstall the software. This is far from an ideal solution but that's what we were left with.

Re: Threat Prevention Not Enabled on random Endpoints

Thanks for your reply midolan.  Unfortunately, I have almost 200 systems that would need the removal tool run.  I can't believe it's not an easier process to resolve issues like these.  It definitely puts a bad taste in my mouth about the product.  Just too many issues....

Reliable Contributor Daveb3d
Message 8 of 11

Re: Threat Prevention Not Enabled on random Endpoints

If you package up the ripper with EEDK it should be smooth.   It doesn't sound like a product issue,  but a deployment one.   The alternative is to use a third party tool to deploy.   

Re: Threat Prevention Not Enabled on random Endpoints

Thanks for the reply.

The issue here is that these systems had no issues until one day the AMCore Compliance query started showing incorrect results.  This happened about the same time that many systems, that once had all products installed, began showing that some or all of those products were not installed in ePO console.

The initial deployment looked really good and we didn't see any of these issues for a few months, so I don't know if it's really a deployment problem.  

Re: Threat Prevention Not Enabled on random Endpoints

It appears that 3rd party DLLs are injecting into the software and altering the behavior of ENS much like malware would, only that it is a legitimate file/process. Running the mfesysprep tool from ePO on the endpoint in most cases immediately resolves the issue and Threat Prevention is re-enabled. Third party software such as Bluetooth & Apple Bonjour service can cause this. Running the sysprep tool marks the software as trusted, thereby resolving the issue, which is not related to ePO deployment at all.
