15 Replies. Latest reply on Jul 31, 2017 8:47 AM by aerialjibe

    Endpoint security threat prevention for Linux ENSLTP 10.2 not running?

    aerialjibe

      Dear McAfee,

       

      We have updated some clients from VSE for Linux to ENSLTP 10.2.

      We never got VSE for Linux running as it was supposed to. We couldn't keep systems compliant. VSE failing... updates failing... bugs... till I stopped arguing with the Linux support team to keep trying...

       

      Now with the new ENS10.2 platform I gave them hope and got them so far to try again. We were surprised that the installation actually worked and the product starts running without problems.

      We updated some systems for Pilot.

       

      Now we ran into the following problem: After a (scheduled) reboot the isecav product does not run anymore?

      The score after 2 weeks: 1 system of 10 still compliant... the rest died... That was the only system that didn't have a reboot.

       

      I am no Linux expert myself, but the Linux guys say that a "normal" product also provides a correct start-up script so that the product starts correctly after a reboot.

      I followed the guide and installed the product via ePO. I also tried removing all old SW and installing on fresh systems. When I look in ePO the TP component seems to be gone after restart.

       

       

       

       

      freshly installed system:

      System after restart:

       

      When I look on the system the product files seem to be there, but when I ask for the version I get an error or no response.

      [root@nis-rd bin]# pwd

      /opt/isec/ens/threatprevention/bin

       

      [root@nis-rd bin]# ./isecav --version

      Error in showing version details due to ESP communication error.

       

      This is on a RHEL 6.8 system.

        • 1. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
          wouterr

          Hi,

           

          This all sounds quite troublesome... Especially as these issues look so much like an issue we had with McAfee Agent 4.8 + VSEL 1.9.x a couple of years ago.

          Basically, at some point a symlink disappeared, which caused the McAfee Agent to no longer start. The product disappearing from ePO was also an issue we saw with VSEL 1.9.x when the LPC communication between agent and point product was failing.

           

          As we are just testing with ENSL, I will check with our Linux guy if we also observe this.

          • 2. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
            aerialjibe

            Hi,

             

            Any news on this?

            We would really like to get this running. This would be a good thing also for McAfee.

            Ever more internal customers and IT colleagues want that we look at other vendors for security software.

             

            Regards,

            AerialJibe.

            • 3. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
              jfeyen

              Hi Aerialjibe,

               

              We just started with ENS for Linux on a test station.

               

              The station is Ubuntu 14.04.4 and runs:

              Agent 5.0.5 for Linux

              ENS 2.2

              After some time, probably a few reboots, only TP Platform is left in the status on ePO.

              The TP itself is gone...

               

              When I go into the terminal all files are still there.

              /opt/isec/ens/threatprevention/bin$ sudo ./isecav --version

              Error in showing version details due to ESP communication error.

               

              I think we both need to open a ticket on the McAfee side for this issue... seems to be a bug to me...

               

              Joeri

              • 4. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
                aerialjibe

                Hi Joeri,

                 

                We have reported the following incident. See below for a manual workaround.

                 

                The ENSLTP 10.2.1 is not functioning after system reboot.

                We can install the product and initially the product is functioning correctly but:

                After a reboot of a RHEL/CentOS 6 or 7 system, the /opt/isec/ens/threatprevention/bin/isectpd processes are not started.

                 

                Messages in /opt/isec/ens/threatprevention/var/isectpd.log:

                 

                ==============

                Jun12 05:00:25 ovl-was09-v.ocevenlo.oce.net INFO AMQuarantineRestoreManager [1178] Quarantine directory successfully changed to /Quarantine/

                Jun12 05:00:26 ovl-was09-v.ocevenlo.oce.net INFO AMEngineQuickInit [1178] AVEngine(5900.7806) initialised with DAT 8550.0

                Jun12 05:00:26 ovl-was09-v.ocevenlo.oce.net ERROR ENSLMain [1178] Exception raised when registering with ESP

                Jun12 05:00:26 ovl-was09-v.ocevenlo.oce.net ERROR ENSLMain [1178] Connect failed

                Jun12 05:00:26 ovl-was09-v.ocevenlo.oce.net INFO AMQuarantineRestoreManager [1588] Quarantine directory successfully changed to /Quarantine/

                Jun12 05:00:26 ovl-was09-v.ocevenlo.oce.net INFO AMEngineQuickInit [1588] AVEngine(5900.7806) initialised with DAT 8550.0

                Jun12 05:00:26 ovl-was09-v.ocevenlo.oce.net ERROR ENSLMain [1588] Failed to store engine and dat version to config store

                Jun12 05:00:26 ovl-was09-v.ocevenlo.oce.net ERROR ENSLMain [1588] AMExceptionraised while Threat Prevention FM was running - Failed to store engine and dat version to config store

                ================

                This problem can be solved by putting a sleep of 5 seconds at the end of script /opt/isec/ens/threatprevention/bin/kernelModuleControlWrapper.sh (also see attached file)

                 

                ………

                checkKernelModuleSupportAndUpdatePrefXml

                checkIsOASSupportedAndUpdatePrefXml

                sleep 5

                exit 0

                 

                Please McAfee... correct this. 

                Our UnixTeam is not going to adjust this manually or with some scripting on all hosts (we have many Unix systems). This must be corrected in the McAfee (installation) Software.
                So please provide a patched version in which this problem is solved soon.

                 

                 

                Regards,

                Jacques

                1 of 1 people found this helpful
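An added example, not part of the original post and not McAfee code: a shell check for the failure described above, usable to spot affected hosts and to confirm whether the wrapper script carries the `sleep` workaround. It matches only the log messages quoted in the post; the function names and the sample log (hostname, PID 2001) are constructed.

```shell
#!/bin/sh
# Added example, not McAfee code. It matches only the isectpd.log messages
# quoted in the thread; anything else about the log format is an assumption.

# Print the PID of each isectpd instance that initialised the AV engine and
# then logged an ESP registration / config-store ERROR (the post-reboot failure).
esp_failed_pids() {
    awk '
        match($0, /\[[0-9]+\]/) {            # PID field, e.g. "[1178]"
            pid = substr($0, RSTART + 1, RLENGTH - 2)
            if ($0 ~ /AVEngine\(.*\) initialised with DAT/) init[pid] = 1
            bad = ($0 ~ /registering with ESP|Connect failed|Failed to store engine and dat/)
            if ($0 ~ / ERROR / && bad) fail[pid] = 1
        }
        END { for (p in fail) if (p in init) print p }
    ' "$1" | sort -n
}

# Succeed if the wrapper script already carries the "sleep N" workaround.
wrapper_has_sleep() {
    grep -Eq '^[[:space:]]*sleep[[:space:]]+[0-9]+[[:space:]]*$' "$1"
}

# Constructed sample log (hostname and the healthy PID 2001 are made up).
write_sample_log() {
    cat > "$1" <<'EOF'
Jun12 05:00:26 host.example INFO AMEngineQuickInit [1178] AVEngine(5900.7806) initialised with DAT 8550.0
Jun12 05:00:26 host.example ERROR ENSLMain [1178] Exception raised when registering with ESP
Jun12 05:00:26 host.example ERROR ENSLMain [1178] Connect failed
Jun12 05:00:26 host.example INFO AMEngineQuickInit [1588] AVEngine(5900.7806) initialised with DAT 8550.0
Jun12 05:00:26 host.example ERROR ENSLMain [1588] Failed to store engine and dat version to config store
Jun12 05:07:41 host.example INFO AMEngineQuickInit [2001] AVEngine(5900.7806) initialised with DAT 8550.0
EOF
}

log=$(mktemp)
write_sample_log "$log"
echo "isectpd PIDs that failed ESP registration: $(esp_failed_pids "$log" | tr '\n' ' ')"
rm -f "$log"
```

On a real host, point `esp_failed_pids` at /opt/isec/ens/threatprevention/var/isectpd.log and `wrapper_has_sleep` at /opt/isec/ens/threatprevention/bin/kernelModuleControlWrapper.sh.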
                • 5. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
                  jfeyen

                  Hi Jacques,

                   

                  I tried your solution and it works also on the newer version 10.2.1.8215

                  I will also open a ticket on McAfee side.

                   

                  This is a very important bug !!

                   

                  Kr,


                  Joeri

                  • 6. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
                    aerialjibe

                    Hi Joeri and other users (if existing?)

                     

                    Still no response from McAfee. I don't understand this. I really think they just never have tested their own product?

                    Now they take a long time for bringing a solution (I dropped my call at McAfee on June 19). I don't think the solution is complex. Just at start an extra check if certain components are running or setting a wait somewhere during the installation?

                     

                    I took a long time getting the Linux guys so far to install a McAfee product again (after some fiasco doing this 2 years ago with previous versions), and now their (bad) opinion of the product is being supported again.

                     

                    ...did you get response yet?

                     

                    Regards,

                    Jacques

                    • 7. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
                      jfeyen

                      Hi Jacques,

                       

                      My call was created yesterday via our supplier.

                      I will keep you updated.

                       

                      Kr,

                      Joeri

                      • 8. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
                        jfeyen

                        Hi Jacques,

                         

                        They accepted the bug.

                        There will be a bugfix at the end of the month.

                         

                        Kr,

                         

                         

                        Joeri

                        • 9. Re: Endpoint security threat prevention for Linux ENSLTP 10.2 not running?
                          cstrzelczyk

                          Hi jfeyen,

                           

                          Do you have any type of reference number for your case (maybe a case number)?  I have the same issue and would love to link it.  I suspect they did not give you a bug ID number yet??

                           

                          Thank you.
