Threat Protection client on endpoint server is broke; ePO says it's OK

Greetings,

So I have a Windows 2012 R2 Server with McAfee Agent 5.5.1.342, Endpoint Security Platform 10.6, and Endpoint Security Threat Prevention 10.6. Managed by EPO. Pretty standard deployment. Just finished upgrading all the bits on the server. Well, on the endpoint machine, it's experiencing the following issues:

  • Running ESTP just shows "Error Communicating with the event log".
  • Attempting to log in as Administrator, our standard password does not work.
  • The services are all running.
  • About > shows no information other than "Endpoint Security 10.6"; the rest of the screen is blank.
  • Uninstalling either Platform or ESTP fails. I have not yet attempted to uninstall the Agent as I suspect I will be unable to unless done from ePO.
  • Ran the "Virtual Technician" and it found 0 problems.

Another problem is that in ePO, this node shows as in compliance, normal, no problems. That should not be right. I'd like to figure out why that is before I just go & uninstall / reinstall the agent, etc. on this machine.
2 Replies
McAfee Employee sbenedix

Re: Threat Protection client on endpoint server is broke; ePO says it's OK

The reasons for such symptoms can be manifold; per se it's not required to remove the agent, though. Without traces/logs it's comparatively difficult to say what is broken. The quickest way to remediate is likely to be running some removal procedure (EPR, can be obtained from Support) or, if you are interested in researching, opening a ticket with tech support. Usually we see those kinds of symptoms with the injection of third-party code into our process memory space: the processes become "untrusted" and are thus not allowed to interact/operate with other McAfee components present on the box (or the install has gone wonky; with install logs provided, one can make a call on such a hypothesis).


Re: Threat Protection client on endpoint server is broke; ePO says it's OK

I appreciate your response, but, that's really not the point.

My beef is simply this: the endpoint's AV is broken, and we've no way to know it's broken. The system could be compromised, and we're ignorant of it. I guess my naive understanding was that all this EPO, agent, platform, and Threat Prevention might have included some method to inform me when stuff is not working!! Just seems like a big failure of this entire EPO infrastructure.

I've a ticket open with support on the issue. My ticket got bounced to EPO, then back to regular support after it was determined that "There is no health check in the product."

If I were a malicious hacker, the first thing my code would be doing is killing / disabling all IDS/IPS/antivirus on a node I'm attempting to compromise. From this, I gather that such activities would basically not be reported to me.

Am I missing something here?
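The gap raised in this thread (the endpoint's protection stack failing while the management console still reports compliance) is the reason many teams run a host-side health check that does not depend on the product's own self-report. The script below is an added example for that purpose; it is not a McAfee tool and not part of the original thread. The service names in `$ExpectedServices` are placeholders (assumption) to be filled from a known-good host of the same build, and event IDs 7036 and 7040 are the Windows Service Control Manager events for a service state change and a start-type change.

```powershell
# Added example: independent endpoint-protection health check. Not a McAfee tool.
# Service names are placeholders (assumption): capture them on a healthy host with
#   (Get-Service -DisplayName 'McAfee*').Name
param(
    [string[]]$ExpectedServices = @('PLACEHOLDER_AGENT_SERVICE', 'PLACEHOLDER_PLATFORM_SERVICE'),
    [string]$ReportPath = "$env:ProgramData\endpoint-protection-health.json",
    [int]$LookbackHours = 24
)

function Test-EndpointProtectionHealth {
    param([string[]]$Services, [int]$Hours)

    $findings = New-Object System.Collections.Generic.List[string]
    $displayNames = @()

    # 1. Each expected service must exist, be Running and be set to start automatically.
    foreach ($name in $Services) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings.Add("service '$name' is not installed")
            continue
        }
        $displayNames += $svc.DisplayName
        if ($svc.Status -ne 'Running') {
            $findings.Add("service '$name' is $($svc.Status)")
        }
        $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
        if ($mode -ne 'Auto') {
            $findings.Add("service '$name' start mode is '$mode' (expected Auto)")
        }
    }

    # 2. The Windows event log must be readable. The symptom in the thread was
    #    "Error Communicating with the event log" on a host reported as compliant.
    try {
        $null = Get-WinEvent -LogName Application -MaxEvents 1 -ErrorAction Stop
    } catch {
        $findings.Add("event log unreadable: $($_.Exception.Message)")
    }

    # 3. Service Control Manager events 7036 (state change) and 7040 (start type
    #    changed) that mention a protection service. A stop or a switch to
    #    Disabled/Manual inside the lookback window is reported even if the
    #    service has since been restarted.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7036, 7040
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    $scmEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($evt in $scmEvents) {
        foreach ($dn in $displayNames) {
            if ($evt.Message -like "*$dn*" -and $evt.Message -notlike '*running state*') {
                $text = ($evt.Message -replace '\s+', ' ').Trim()
                $findings.Add(("{0:u} event {1}: {2}" -f $evt.TimeCreated, $evt.Id, $text))
            }
        }
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Checked  = (Get-Date).ToString('u')
        Healthy  = ($findings.Count -eq 0)
        Findings = @($findings)
    }
}

$result = Test-EndpointProtectionHealth -Services $ExpectedServices -Hours $LookbackHours

# Write a JSON record for the log collector / SIEM and fail the scheduled task
# (non-zero exit) so the monitoring system, not the product console, raises the alert.
$result | ConvertTo-Json -Depth 3 | Set-Content -Path $ReportPath -Encoding UTF8
$result | Format-List
if (-not $result.Healthy) { exit 1 }
```

Run it as a scheduled task under SYSTEM (or remotely through `Invoke-Command`) and ship the JSON record with the host's other logs; a host whose record says `Healthy: false` while the console shows it as compliant is exactly the discrepancy this thread describes, and the exit code lets an ordinary monitoring job alert on it.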
