There are some false positives where end users complained that McAfee ePO was blocking legitimate software. In this situation, I wanted to check and verify such claims.
My question is: how can I stop end devices from being protected by McAfee ePO for a while? Can I do it on the McAfee ePO console, or do I have to do it directly at the endpoints? Is there any other way to confirm that these events were actually false positives (such as by reviewing logs on the endpoints)?
Thank you for your post. I guess we are looking at a False Positive issue here caused by an endpoint point product - possibly ENS or VSE. Please confirm the product in place and we shall recommend the steps accordingly.
Most importantly, please report False Positives to us by contacting Tech Support. Any remediation we may assist you with here may merely be a workaround, and a solution must be obtained via Service Request if it is a False Positive by the installed AV product.
You can temporarily disable the on-access scanner in the ENS policy - just disable on-access scanning - or you can do it locally as a temporary measure. But yes, for any suspected false positive, please submit it as a sample. When you do that, if they determine it is truly false, they will fix the detections so it is no longer detected.
Thank you for the useful advice. By the way, how do I disable only one endpoint via ePO? The policy applies to all corporate machines, so should I disable this general policy or should I add the machine in question to an exclusion?
To make changes on a single machine, select the target machine from the System Tree --> Actions --> modify/edit policy on a single system (depends on the ePO version) --> select McAfee Agent --> Edit assignment --> break inheritance --> create a new policy --> make the necessary changes --> save.
Then send a wakeup call with force apply task and policy.