Threat Protection client on endpoint server is broke; ePO says it's OK

Greetings. So I have a Windows 2012 R2 server with McAfee Agent 5.5.1.342, Endpoint Security Platform 10.6, and Endpoint Security Threat Prevention 10.6, managed by ePO. Pretty standard deployment. Just finished upgrading all the bits on the server. Well, on the endpoint machine, it's experiencing the following issues:
  • Running ESTP just shows "Error Communicating with the event log".
  • Attempting to log in as Administrator, our standard password does not work.
  • The services are all running.
  • About shows no information other than "Endpoint Security 10.6"; the rest of the screen is blank.
  • Uninstalling either Platform or ESTP fails; I have not yet attempted to uninstall the Agent, as I suspect I will be unable to unless it is done from ePO.
  • Ran the "Virtual Technician" and it found 0 problems.
Another problem is that in ePO, this node shows as in compliance, normal, no problems. That should not be right. I'd like to figure out why that is before I just go and uninstall / reinstall the agent, etc. on this machine.
2 Replies
McAfee Employee sbenedix

Re: Threat Protection client on endpoint server is broke; ePO says it's OK

The reasons for such symptoms can be manifold; per se, it's not required to remove the agent, though. Without traces/logs it's comparatively difficult to say what is broken. The quickest way to remediate is likely to be running some removal procedure (EPR, which can be obtained from Support) or, if you are interested in researching, opening a ticket with tech support. Usually we see those kinds of symptoms with the injection of third-party code into our process memory space: the processes become "untrusted" and are thus not allowed to interact/operate with other McAfee components present on the box (or the install has gone wonky; with install logs provided, one can make a call on such a hypothesis).

Re: Threat Protection client on endpoint server is broke; ePO says it's OK

I appreciate your response, but, that's really not the point.

My beef is simply this: the endpoint's AV is broken, and we've no way to know it's broken. The system could be compromised, and we're ignorant of it. I guess my naive understanding was that all this ePO, agent, platform, and Threat Prevention might have included some method to inform me when stuff is not working!! Just seems like a big failure of this entire ePO infrastructure.

I've a ticket open with support on the issue. My ticket got bounced to ePO, then back to regular support after it was determined that "There is no health check in the product."

If I were a malicious hacker, the first thing my code would be doing is killing / disabling all IDS/IPS/antivirus on a node I'm attempting to compromise. From this, I gather that such activities would basically not be reported to me.

Am I missing something here?
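The thread ends with support saying there is no health check in the product, so here is the local check a practitioner would bolt on in the meantime. This is an added example written for this page, not code from the poster, from McAfee, or from ePO: a probe a scheduled task runs on the endpoint, outside the McAfee process tree, which fails loudly on the symptoms described above (stopped or disabled services, an unreadable or silent event log) and pushes its verdict where ePO can see it. The service names, the "McAfee Endpoint Security" event provider name, the EnsHealthProbe event source, the agent install path and the maconfig.exe -custom -prop1 / cmdagent.exe -p invocations are assumptions to verify against a known-good host before relying on them.

```powershell
<#
  Added example for this thread (not from the original poster, McAfee, or ePO):
  a local ENS health probe for a Windows server, meant to run from a scheduled
  task outside the McAfee process tree so a broken client gets reported instead
  of silently showing "compliant".
  ASSUMPTIONS to verify on a known-good host: the service names, the ENS event
  provider name, the EnsHealthProbe event source registered here, and the
  maconfig.exe / cmdagent.exe path and switches used to push the verdict to ePO.
#>
[CmdletBinding()]
param(
    # ENS / McAfee Agent services that must exist and be Running (ASSUMED names).
    [string[]]$ExpectedServices = @('masvc', 'macmnsvc', 'mfemms', 'mfevtp', 'mfeesp'),
    # Provider ENS logs under in the Application log (ASSUMED name).
    [string]$EnsProvider = 'McAfee Endpoint Security',
    # A healthy install logs something (content update, scan, ...) well within this window.
    [int]$MaxEventAgeDays = 7,
    # Also push the verdict into McAfee Agent custom property 1 so ePO can query it.
    [switch]$ReportToEpo
)

function Test-EnsHealth {
    param([string[]]$Services, [string]$Provider, [int]$MaxAgeDays)
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service state. "Running" alone is not proof of health (the poster's
    #    services were all running), but a missing, stopped or disabled service
    #    is the unambiguous "someone killed the AV" signal.
    foreach ($name in $Services) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) { $findings.Add("service '$name' is not installed"); continue }
        if ($svc.State -ne 'Running')    { $findings.Add("service '$name' is $($svc.State)") }
        if ($svc.StartMode -eq 'Disabled') { $findings.Add("service '$name' start mode is Disabled") }
    }

    # 2. Event log liveness. The console's "Error Communicating with the event
    #    log" is the failure this catches: can the Application log be read at
    #    all, and has ENS written anything to it recently?
    try {
        $since = (Get-Date).AddDays(-$MaxAgeDays)
        $null = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $Provider; StartTime = $since } `
                             -MaxEvents 1 -ErrorAction Stop
    } catch {
        if ($_.Exception.Message -match 'No events were found') {
            $findings.Add("no events from provider '$Provider' in the last $MaxAgeDays days")
        } else {
            $findings.Add("cannot read the Application log: $($_.Exception.Message)")
        }
    }
    return $findings
}

# @() keeps a proper array even when there are zero or one findings.
$findings = @(Test-EnsHealth -Services $ExpectedServices -Provider $EnsProvider -MaxAgeDays $MaxEventAgeDays)
$healthy  = ($findings.Count -eq 0)
$verdict  = if ($healthy) { 'ENS-OK' } else { 'ENS-BROKEN: ' + ($findings -join '; ') }

# 3. Leave a local record a SIEM or ePO event forwarding can pick up.
$source = 'EnsHealthProbe'   # ASSUMED name; registering it needs admin rights once
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}
Write-EventLog -LogName Application -Source $source -EventId 1000 `
               -EntryType $(if ($healthy) { 'Information' } else { 'Error' }) -Message $verdict

# 4. Optionally push the verdict to ePO as custom property 1 and send properties now.
#    This path runs through the very agent being checked, so read it in ePO as a
#    heartbeat: a host without a fresh 'ENS-OK' is the alert, not 'ENS-BROKEN'.
if ($ReportToEpo) {
    $agentDir = Join-Path $env:ProgramFiles 'McAfee\Agent'          # ASSUMED install path
    & (Join-Path $agentDir 'maconfig.exe') -custom -prop1 $verdict    # ASSUMED switches
    & (Join-Path $agentDir 'cmdagent.exe') -p
}

Write-Output $verdict
if (-not $healthy) { exit 1 }
```

Run it as SYSTEM from a scheduled task so it is an independent witness rather than a McAfee-hosted one. Because the ePO reporting path goes through the agent being checked, the useful ePO query is "systems whose custom property 1 is not ENS-OK or whose last communication is stale", not a search for ENS-BROKEN that a dead agent will never deliver. The root\SecurityCenter2 AntiVirusProduct WMI class that reports AV state on a client OS is not present on Server SKUs such as 2012 R2, which is why this probes services and the event log directly.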
