cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Level 9
Report Inappropriate Content
Message 1 of 15

[MA 5.5.1] Policy enforcement on every communication interval

Hello,

with the current version of McAfee Agent Extension I noticed too frequent policy enforcement on my clients.

 

My Windows Server 2016:

  • ePO 5.9.1
  • McAfee Agent Extension 5.5.1.124
  • Solidcore Extension 8.1.0.129

 

My Windows NT4 Client:

  • McAfee Agent 3.6.0.627
  • Solidcore 5.2.1.8200

 

My Windows XP Client:

  • McAfee Agent 4.8.0.1938
  • Solidcore 6.2.1.197

 

My Windows 7 Client:

  • McAfee Agent 5.5.1.342
  •  Solidcore 8.1.0.179

 

On all clients I see in the McAfee Agent Monitor the same messages:

Agent Subsystem	7/23/2018	11:43:23 AM	Info	Next policy enforcement in 720 minutes	
Agent Subsystem	7/23/2018	11:43:23 AM	Info	Agent finished Enforcing policies	
Management	7/23/2018	11:43:23 AM	Info	Enforcing Policies for EPOAGENT3000	
Management	7/23/2018	11:43:22 AM	Info	Enforcing Policies for EPOAGENT3000META	
Management	7/23/2018	11:43:22 AM	Info	Enforcing Policies for SOLIDCOR5000_WIN	
Management	7/23/2018	11:43:22 AM	Info	Enforcing Policies for McAfee Agent	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Agent Started Enforcing policies	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Enforcing newly downloaded policies	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Agent received POLICY package from ePO server	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Agent communication session closed	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Package uploaded to ePO Server successfully	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Agent is connecting to ePO server	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Agent is sending PROPS VERSION package to ePO server	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Agent communication session started	
Agent Subsystem	7/23/2018	11:43:22 AM	Info	Agent is looking for events to upload	
Management	7/23/2018	11:43:21 AM	Info	Collecting Properties	
Agent Subsystem	7/23/2018	11:43:21 AM	Info	Agent started performing ASCI	
Agent Subsystem	7/23/2018	11:38:22 AM	Info	Next policy enforcement in 720 minutes	
Agent Subsystem	7/23/2018	11:38:22 AM	Info	Agent finished Enforcing policies	
Management	7/23/2018	11:38:22 AM	Info	Enforcing Policies for EPOAGENT3000	
Management	7/23/2018	11:38:22 AM	Info	Enforcing Policies for EPOAGENT3000META	
Management	7/23/2018	11:38:22 AM	Info	Enforcing Policies for SOLIDCOR5000_WIN	
Management	7/23/2018	11:38:21 AM	Info	Enforcing Policies for McAfee Agent	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent Started Enforcing policies	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Enforcing newly downloaded policies	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent received POLICY package from ePO server	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent communication session closed	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Package uploaded to ePO Server successfully	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent is connecting to ePO server	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent is sending PROPS VERSION package to ePO server	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent communication session started	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent is looking for events to upload	
Management	7/23/2018	11:38:21 AM	Info	Collecting Properties	
Agent Subsystem	7/23/2018	11:38:21 AM	Info	Agent started performing ASCI	
Agent Subsystem	7/23/2018	11:33:22 AM	Info	Next policy enforcement in 720 minutes	
Agent Subsystem	7/23/2018	11:33:22 AM	Info	Agent finished Enforcing policies	
Management	7/23/2018	11:33:22 AM	Info	Enforcing Policies for EPOAGENT3000	
Management	7/23/2018	11:33:22 AM	Info	Enforcing Policies for EPOAGENT3000META	
Management	7/23/2018	11:33:22 AM	Info	Enforcing Policies for SOLIDCOR5000_WIN	
Management	7/23/2018	11:33:21 AM	Info	Enforcing Policies for McAfee Agent	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent Started Enforcing policies	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Enforcing newly downloaded policies	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent received POLICY package from ePO server	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent communication session closed	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Package uploaded to ePO Server successfully	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent is connecting to ePO server	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent is sending PROPS VERSION package to ePO server	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent communication session started	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent is looking for events to upload	
Management	7/23/2018	11:33:21 AM	Info	Collecting Properties	
Agent Subsystem	7/23/2018	11:33:21 AM	Info	Agent started performing ASCI	

Every 5 minutes the server is pushing policies to all clients, even if they haven´t changed a bit.

Although as you can see in the log, the policy enforcement interval is set to 720 minutes.

 

On my previous setup with ePO 5.3.2 and MA Extension 5.0.5.131 I do not have such behaviour.

The agents only enforce the policies on interval of 720 minutes or on wake up with enforcement.

 

Can someone confirm this strange behaviour?

How can I prevent the ePO from such frequent policy enforcement?

Labels (3)
14 Replies
Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

Please get a screenshot of your policy settings for communication interval and policy enforcement interval for the policy assigned to your systems.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Level 9
Report Inappropriate Content
Message 3 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

Policy was the first place, I double checked already.

As you can see the Agent Log clearly says, that next interval should be in 720 mins.

ePO_comm_interval.png

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 4 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

Policy enforcement is triggered by several things:

1. asci

2. policy enforcement interval

3. explicit request by point product at any time

4. initiated by user (check new policies or enforce policies in agent status monitor)

5. initiated by server (agent wakeup call)

So what you are seeing is as designed.  I would suggest increasing your agent-server communication interval, as 5 minutes can certainly lead to flooding the server with too much traffic.

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Level 9
Report Inappropriate Content
Message 5 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

Thanks for the info.

Since which version of ePO / MA Extension this behaviour is "as designed"?

Why do I have than 2 separate intervals for policy enforement and communication?

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 6 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

As far as I can remember, this has always been the behavior.  You have 2 separate settings for this reason.  The policy enforcement interval is a local setting that the agent adheres to for enforcing policies.  The purpose of that is so if a setting is manually disabled (access protection, for example), it will stay disabled until manually re-enabled, or policy enforcement kicks in.  It is to ensure that the epo policies are maintained and enforced on the system in the event of user modifications.  It has nothing to do with asci and the value is at the discretion of the company to how they want it set.  Asci is how frequently the agent communicates to epo to get new settings to enforce, new tasks, send props, etc.  It also does a policy enforcement in the event new settings are received. 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Level 9
Report Inappropriate Content
Message 7 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

I understand this, if there have been any changes to policies or tasks.

But nothing changes and the enforcement still takes place, which cause CPU spike on old single core machines.

Also on my previous setup with ePO 5.3.2 and MA Extension 5.0.5.131 and same policies the enforcement does not happen every 5 minutes. How this can be explained?

 

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

Your agent to server communication interval, from what I could see, is set to every 5 minutes.  That will also enforce policies every 5 minutes in addition to the policy enforcement interval.  5 minute asci is a pretty agressive schedule and has been known to cause performance issues, not only on the system, but on epo server and network bandwidth for the frequency agents communicate.  One thing to note, the more complex your policies and larger size, that will increase resources needed to process them.  There are some known issues with solidcore, firewall, dlp and possibly others where the policies get so large the agent runs high cpu enforcing them.

I can't guarantee that you previously had a 5 minute communication interval or not, as we don't have data from that time frame, but it is definitely not something that is recommended.  I would have to set up a test environment with all your versions and settings to validate that there actually is a difference in behavior, but as long as I have been supporting the agent and epo (over 10 years), it has behaved the same way.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Highlighted
Level 9
Report Inappropriate Content
Message 9 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

Here is the Agent log from my old setup ePO 5.3.2 and MA Extension 5.0.5.131:

Framework Service	8/1/2018	11:16:53 AM	Info	Agent communication session closed	
Framework Service	8/1/2018	11:16:53 AM	Info	Agent received POLICY package from ePO server	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent did not find any events to upload	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent is looking for events to upload	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent is connecting to ePO server	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent communication session started	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent communication session closed	
Framework Service	8/1/2018	11:16:52 AM	Info	Package uploaded to ePO Server successfully	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent is sending PROPS VERSION package to ePO server	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent is connecting to ePO server	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent communication session started	
Framework Service	8/1/2018	11:16:52 AM	Info	Agent started performing ASCI	
Framework Service	8/1/2018	11:16:52 AM	Info	Collecting Properties	
Framework Service	8/1/2018	11:16:29 AM	Info	Agent is looking for events to upload	
Framework Service	8/1/2018	11:11:53 AM	Info	Agent communication session closed	
Framework Service	8/1/2018	11:11:53 AM	Info	Agent received POLICY package from ePO server	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent is connecting to ePO server	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent is looking for events to upload	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent did not find any events to upload	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent communication session started	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent communication session closed	
Framework Service	8/1/2018	11:11:52 AM	Info	Package uploaded to ePO Server successfully	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent is connecting to ePO server	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent communication session started	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent is sending PROPS VERSION package to ePO server	
Framework Service	8/1/2018	11:11:52 AM	Info	Agent started performing ASCI	
Framework Service	8/1/2018	11:11:52 AM	Info	Collecting Properties	
Framework Service	8/1/2018	11:11:29 AM	Info	Agent is looking for events to upload	
Framework Service	8/1/2018	11:06:53 AM	Info	Agent communication session closed	
Framework Service	8/1/2018	11:06:53 AM	Info	Agent received POLICY package from ePO server	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent did not find any events to upload	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent is looking for events to upload	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent is connecting to ePO server	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent communication session started	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent communication session closed	
Framework Service	8/1/2018	11:06:52 AM	Info	Package uploaded to ePO Server successfully	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent is connecting to ePO server	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent communication session started	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent is sending PROPS VERSION package to ePO server	
Framework Service	8/1/2018	11:06:52 AM	Info	Agent started performing ASCI	
Framework Service	8/1/2018	11:06:52 AM	Info	Collecting Properties	
Framework Service	8/1/2018	11:06:29 AM	Info	Agent is looking for events to upload

 Here the policy:

epo_532_comm_interval.png

Can you please explain, why the policy enforcement does not occur every 5 minutes here?

Do I have to open a service request for this, to get a definitive answer from the developers?

Highlighted
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 15

Re: [MA 5.5.1] Policy enforcement on every communication interval

Hi,

Looking at screenshot, ASCI: 5 minutes, policy enforcement: 720 minutes. Any reason you have smaller value of ASCI (Agent server communication interval). Every 5 minutes, MA is communicating to the ePO server and there could be chance that it's making server busy.

Do you see server busy message in masvc log.  can't process request in ePO server logs etc?

Any time you can open SR with support.

 

 

 

Was my reply helpful?

If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?please select Accept as Solution in my reply and together we can help other members?
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community