Added issue ENSW-116559 to the "Open issues" section.
February 28, 2022
Added issue ENSW-115754 to the "Open issues" section.
February 22, 2022
Added issue ENSW-115561 to the "Open issues" section. Added issue ENSW-114951/ENSW-115310 to the "Issues resolved in 10.7.0 through 10.7.0 February 2022 Update" section.
February 17, 2022
Added more detail to issue 1238510 in the "Open issues" section regarding SDN matching.
February 14, 2022
Added issue TSDE-9841 to the "Open issues" section.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents
Click to expand the section you want to view:
Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, go to the Product Downloads site.
NOTE:This update has been changed from GA to RTS.
The reason is the issue described in KB91642 - Reboot loop with Endpoint Security 10.6.1 July Update. This update is available only by contacting Technical Support.
See the "Related Information" section below for contact details.
Issue: A blue screen error or hang might occur when the following actions are performed:
You install or upgrade a product with SysCore.
ENS Exploit Prevention or Host IPS Exploit Prevention is enabled.
The issue is timing-related and doesn't always occur.
Resolution: This issue is resolved in ENS 10.6.1 and ENS 10.7.0. A utility, mfeepmpk_utility.exe, is included in the ENS 10.6.1 installation packages to resolve the issue with the faulty driver. When you install or upgrade to ENS 10.6.1, the utility automatically detects whether the endpoint has the faulty driver. If it does, the utility replaces it to resolve the issue. If a restart is needed, a prompt displays on the endpoint to perform a one-time restart. The restart must occur for the installation or upgrade to continue. When the faulty driver is replaced, future installations and upgrades don't require a restart for this issue. See the related article for more information.
Issue: In environments running ENS 10.7.0 September 2021 Update, ENS 10.7.0 November 2021 Update deployment tasks configured with multiple modules of ENS in addition to the ATP module can fail. The failure results in instances where the Threat Prevention module installs without the requisite Platform module, leading to unexpected behavior on client systems.
Workaround: Remove the ATP module from the existing deployment task containing multiple ENS modules and deploy it in a separate task.
Resolution: This issue is resolved in the ENS 10.7.0 February 2022 Update. See the related article for more information.
ENSW-114315
10.7.0 November 2021 Update
10.6.1 November 2021 Update
10.7.0 February 2022 Update
10.6.1 February 2022 Update
Issue: The SysCore version in the ENS console doesn't match the driver version at C:\Windows\System32\drivers. For example, the SysCore version shows "21.09.0.184," while the driver version shows "21.9.0.184." This issue is cosmetic.
Resolution: This issue is resolved in the ENS 10.6.1 February 2022 Update and ENS 10.7.0 February 2022 Update.
Issue: The Scan Engine functionality of ENS doesn't properly detect the system proxy when the policy is set to "Use system proxy settings." You might see the following issues:
Global Threat Intelligence (GTI) File Reputation for Scan Engines doesn't work if the GTI-REST requests have to go through a proxy, and are blocked from direct connection.
Detections that depend on GTI aren't detected.
Delays in file access time and behavior such as hung applications pending file release from the scanner.
Resolution: A change has been implemented in AMCore 4654 and later. The change allows the Scan Engine to query WPAD for proxy information when Use system proxy settings is selected. See the related article for more information.
Issue: An ENS Firewall rule with the same Name for more than one executable doesn't work as expected. The firewall rule for allowing or blocking traffic based on the defined executable in the rule doesn't function as expected.
Workaround: Modify the executable names in the firewall rule so that there are no duplicate executable names.
Resolution: This issue is resolved in the ENS 10.7.0 September 2021 Update. See the related article for more information.
ENSW-111260
10.7.0
10.7.0 November 2021 Update
10.6.1 November 2021 Update
Issue: The Threat Intelligence Exchange (TIE) reputation doesn't update on the local system for a file that has a space in the path.
Resolution: This issue is resolved in the ENS 10.6.1 November 2021 Update and ENS 10.7.0 November 2021 Update.
ENSW-113729
10.7.0 September 2021 Update
10.6.1 September 2021 Update
10.7.0 November 2021 Update
10.6.1 November 2021 Update
Issue: For an ENS standalone installation, Windows Defender is disabled during the HostCommon installation without the customer's consent.
Resolution: This issue is resolved in the ENS 10.6.1 November 2021 Update and ENS 10.7.0 November 2021 Update.
ENSW-110018
10.7.0 April 2021 Update
10.7.0 September 2021 Update
Issue: For a directory with case sensitivity enabled that contains multiple files with the same name but a case variant, only one of the files is Quarantined. A restore only restores the single file from the Quarantine.
Resolution: This issue is resolved in the ENS 10.7.0 September 2021 Update.
ENSW-109812
10.7.0 April 2021 Update
10.7.0 September 2021 Update
Issue: When you set a log location to a path with case sensitivity enabled, the error "Log path is invalid" displays instead of an error that the issue is due to case sensitivity.
Resolution: This issue is resolved in the ENS 10.7.0 September 2021 Update.
Issue: There might be a blue screen error after installing or upgrading ENS Threat Prevention. The Bug check code can be Bug check 3b, Bug check 19, Bug check 50, or Bug check 5d.
Resolution: This issue is resolved in the ENS 10.7.0 September 2021 Update. See the related article for more information.
10.7.0 September 2021 Update 10.6.1 September 2021 Update
Issue: When you add a "File or folder" scan location in Quick Scan in the On-Demand Scan (ODS) policy and save the policy, the scan location changes to "All mapped drives" in the saved policy when you reopen it. Or, if you previously configure "File or folder" scan locations in Quick Scan in the ODS policy, after upgrade to the ENS June 2021 extension in ePolicy Orchestrator (ePO), the scan locations change to "All mapped drives."
Resolution: This issue is resolved in the ENS 10.6.1 September 2021 Update and ENS 10.7.0 September 2021 Update. See the related article for more information.
ENSW-113019
10.7.0 June 2021 Update
10.7.0 September 2021 Update
Issue: While logged into the ePO console (MVISION ePO or on-premises ePO) in any other language than English, a message might pop up when looking at Access Protection rules. The message is about the length of rule names. The message might read:
Message from WebPage
Regelnamen dürfen 128 Zeichen nicht überschreiten...
Resolution: This issue is resolved in the ENS 10.7.0 September 2021 Update.
Issue: Users might see the PowerShell process hang randomly on a system. To recover PowerShell, you might need to relaunch the PowerShell process. During Windows deployment or upgrade via System Center Configuration Manager (SCCM) or other methods, once ENS is installed, installation of other products might hang due to the PowerShell hang. This issue occurs when all products are combined into a single task.
Workaround: Disabling Antimalware Scan Interface (AMSI) might resolve the issue in certain cases.
Resolution: This issue is resolved in the ENS 10.7.0 September 2021 Update. See the related article for more information.
10.7.0 February 2021 Update
10.6.1 February 2021 Update
10.7.0 April 2021 Update
10.6.1 April 2021 Update
Issue: When you add a Local Network or Remote Network entry to ENS Firewall rules using the Subnet value (which uses CIDR notation, for example, /24), the following error occurs after you try to open the policy again after the changes are saved.
An unexpected error occurred
Resolution: This issue is resolved in the ENS 10.6.1 April 2021 Update and ENS 10.7.0 April 2021 Update. See the related article for more information.
ENSW-109385
10.7.0 February 2021 Update
10.7.0 April 2021 Update
10.6.1 April 2021 Update
Issue: The ENS default deployment task doesn't deploy ENS to the endpoint.
Workaround: Create a custom deployment task.
Resolution: This issue is resolved in the ENS 10.6.1 April 2021 Update and ENS 10.7.0 April 2021 Update.
ENSW-107588
10.7.0 November 2020 Update
10.7.0 April 2021 Update
Issue: An upgrade from VirusScan Enterprise (VSE) 8.8 Patch 15 to ENS can fail on an unmanaged system.
Workaround: Upgrade McAfee Agent (MA) to the latest version before the ENS installation.
Resolution: This issue is resolved in the ENS 10.7.0 April 2021 Update.
Issue: After an ENS 10.6.x to 10.7.0 upgrade, scheduled custom ODS tasks don't run. This issue is observed on systems where the "Custom ODS" client task is assigned via ePO.
Workaround: Make any arbitrary change to the custom ODS task and save it. The change to the task allows the task to run as expected.
Resolution: This issue is resolved in MA 5.7.2. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
10.7.0 February 2021 Update
Issue: The ENS installation or upgrade fails. The installation log (McAfee_Common_Install_[date].log) contains the following error:
Product: McAfee Endpoint Security Platform -- Error 1303.The installer has insufficient privileges to access this directory: C:\ProgramData\McAfee\Endpoint Security\Logcfg
Workaround: Reboot the system. The folder is deleted or moved as needed, which allows the ENS installation or upgrade to complete.
Resolution: This issue is resolved in the ENS 10.7.0 February 2021 Update. See the related article for more information.
ENSW-98931
10.7.0
10.7.0 February 2021 Update
Issue: The $MfeDeepRem folder might not be removed after ENS is uninstalled from the endpoint.
Workaround: Change ownership of the folder and its contents from SYSTEM to an account you have permissions for, and then delete the folder.
Resolution: This issue is resolved in the ENS 10.7.0 February 2021 Update.
ENSW-29529
10.7.0 February 2020 Update
10.7.0 February 2021 Update
Issue: The Real Protect dynamic detection event description might report a fileless detection even though the detection is backed by a file. This issue is a reporting issue and doesn't impact any detection capabilities.
Resolution: This issue is resolved in the ENS 10.7.0 February 2021 Update.
ENSW-107455
10.7.0 November 2020 Update
10.6.1 November 2020 Update
10.7.0 February 2021 Update
10.6.1 February 2021 Update
Issue: Content updates done via V3Dat.exe locally might not always result in all ENS services starting successfully.
Workaround: A system restart might be needed to restart all ENS services successfully.
Resolution: This issue is resolved in the ENS 10.6.1 February 2021 Update and ENS 10.7.0 February 2021 Update.
10.7.0 February 2021 Update
10.6.1 February 2021 Update
Issue: The search annotations don't appear in all supported search engines.
Resolution: This issue is resolved in the ENS 10.6.1 February 2021 Update and ENS 10.7.0 February 2021 Update. See the related article for more information.
ENSW-107342
10.7.0 November 2020 Update
10.7.0 February 2021 Update
Issue: Quarantine might fail when a detection occurs from a shared folder inside the Windows container. But, if there's a detection from the same shared folder that's accessed from the host operating system (outside the container), the detection, quarantine, and restoration of the file happens correctly.
Resolution: This issue is resolved in the ENS 10.7.0 February 2021 Update.
10.7.0 September 2020 Update
10.6.1 September 2020 Update
10.7.0 February 2021 Update
Issue: You're editing the ENS Firewall Options policies via the ePO policy. If you add fully qualified domain name (FQDN) values that contain a dash to the Defined Networks section, they don't apply on the ENS clients.
Workaround: Instead of using the FQDN value as a Defined Networks entry, you can use any of the below options:
Add the IP addresses associated with the FQDN network entry to the Defined Networks section.
Add the FQDN value as a LOCAL NETWORK or REMOTE NETWORK in a new or existing Firewall rule in the ENS Firewall Rules policy.
Resolution: This issue is resolved in the ENS 10.7.0 February 2021 Update. See the related article for more information.
10.7.0 February 2021 Update
10.6.1 February 2021 Update
Issue: Some umlaut characters aren't working properly as Executable Signer values. These characters include the ö and ü characters.
Workaround: Substitute the lowercase characters (for example, ö and ü) with their uppercase equivalents (for example, Ö and Ü).
Resolution: This issue is resolved in the ENS 10.6.1 February 2021 Update and ENS 10.7.0 February 2021 Update. See the related article for more information.
10.7.0 November 2020 Update
10.6.1 November 2020 Update
Issue: After upgrading ENS, changes to the high-risk or low-risk process list in the on-access scan (OAS) policy sometimes don't take effect. The changes don't get enforced on the endpoint once a high number of processes have been added for each type. The EndpointSecurityPlatform_Errors.log contains the following error.
Resolution: This issue is resolved in the ENS 10.6.1 November 2020 Update and ENS 10.7.0 November 2020 Update. See the related article for more information.
ENSW-104401
10.7.0 April 2020 Update
10.6.1 April 2020 Update
10.7.0 November 2020 Update
10.6.1 November 2020 Update
Issue: The competitive uninstaller recognizes Windows VDE as Windows Server. The ENS installation is successful when deployed through ePO. An ENS standalone installation might fail.
Resolution: This issue is resolved in the ENS 10.6.1 November 2020 Update and ENS 10.7.0 November 2020 Update.
Issue: The 35111 events are generated on the endpoint and successfully delivered and uploaded to ePO by MA. But, ePO fails to parse the received events and so they don'tshow up in the ePO Threat Event Log for example. When the issue occurs, the managed product events sent to ePO aren't parsed and are added to the folder <ePO installation folder>\DB\Events\Debug.
Resolution: This issue is resolved in the ENS 10.7.0 November 2020 Update. See the related article for more information.
Issue: When ENS Threat Prevention Antimalware Scan Interface (AMSI) is enabled, Leica Cyclone software hangs at the Checking Licenses stage of the start process.
Workaround: Disable ENS Threat Prevention AMSI in the On-Access Scanning policy, or in the OAS settings of the ENS client.
Resolution: Leica has updated their software to include a newer build of the Faro SDK. This SDK no longer uses the third-party LogLib.dll component, which resolves a conflict. Contact Leica Technical Support for further information about how to acquire and implement the fix. See the related article for more information.
ENSW-99137
10.7.0
10.6.1
10.7.0 November 2020 Update
10.6.1 November 2020 Update
Issue: ePO fails to parse events. The operating system configuration allows longer paths than the default maximum path. On web servers that allow URLs with over 4,000 characters, the event isn't parsed. When the issue occurs, the managed product events sent to ePO aren't parsed and are added to the folder <ePO installation folder>\DB\Events\Debug.
Resolution: This issue is resolved in the ENS 10.6.1 November 2020 Update and ENS 10.7.0 November 2020 Update.
Issue: ENS 10.7.0 Hotfix 100194 or Hotfix 100413 can install over ENS 10.6.1/10.7.0 July 2020 Update. The fixes in Hotfix 100194 or Hotfix 100413 are already in the July 2020 Update. This issue doesn't affect product functionality. But, the ENS About field and ePO list the hotfix installed with the July 2020 Update.
Resolution: This issue is resolved in the ENS 10.7.0 September 2020 Update. See the related article for more information.
Issue: Custom ODS tasks fail to run after you upgrade to ENS 10.7.
Workaround: Modifying, or deleting and re-creating, the custom ODS task assignment temporarily mitigates the issue. But, a duplicate registry entry with no "StartDateTime" value exists for the task. Upon the next ENS upgrade, the issue returns.
Resolution: This issue is resolved in the ENS 10.7.0 September 2020 Update. See the related article for more information.
10.7.0 September 2020 Update
10.6.1 September 2020 Update
Issue: The ENS Firewall module blocks legitimate network traffic responses.
Workaround: To allow the traffic, create a rule within the ENS Firewall rules policy.
Resolution: This issue is resolved in the ENS 10.6.1 September 2020 Update and ENS 10.7.0 September 2020 Update.
ENSW-29268
10.7.0
10.6.1
10.7.0 September 2020 Update
10.6.1 September 2020 Update
Issue: Running an ENS repair with the following command incorrectly deletes the LogCfg folder:
%PROGRAMFILES%\McAfee\Endpoint Security\Endpoint Security Platform\
RepairCache\Setupcc.exe /fum
Workaround: Instead, use the following command with modified parameters:
%PROGRAMFILES%\McAfee\Endpoint Security\Endpoint Security Platform\
RepairCache\Setupcc.exe /fpum
Resolution: This issue is resolved in the ENS 10.6.1 September 2020 Update and ENS 10.7.0 September 2020 Update.
Issue: When the ENS Firewall Location Aware Group feature "Connection Isolation" blocks non-matching network adapter traffic, that traffic isn't logged to the FirewallEventMonitor.log file. Both ENS Firewall logging options Log all blocked and Log all allowed must be enabled for this traffic to be logged.
Workaround: For ENS Firewall 10.7.x, to log the correct network traffic, enable the Log all blocked and Log all allowed options in the ENS Firewall Options policy. For ENS Firewall 10.6.x, there's no workaround.
Resolution: This issue is resolved in ENS 10.6.1 July 2020 Update and ENS 10.7.0 July 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
10.7.0 July 2020 Update
10.6.1 July 2020 Update
Issue: You might encounter either of the following issues.
When using Outlook, a pop-up error message might display stating that the file chart.dll is missing. Clicking OK in the pop-up message causes Outlook to close and relaunch.
Webpages with ActiveX might fail to load in Internet Explorer.
Resolution: This issue is resolved in ENS 10.6.1 July 2020 Update and ENS 10.7.0 July 2020 Update. See the related article for more information.
Issue: An Exploit Prevention alert is triggered even if it's disabled after importing ENS settings with the ESConfig tool.
Workaround: Reboot the operating system after importing ENS settings with the ESConfig tool. After the reboot, Exploit Prevention alerts aren't triggered if they're disabled.
Resolution: This issue is resolved in the ENS 10.6.1 July 2020 Update and ENS 10.7.0 July 2020 Update. See the related article for more information.
Issue: Infrequently after a content update, the ENS console might fail to start. PowerShell scripts hang and the PowerShell interface doesn't start. The MA icon in the notification area doesn't open when you right-click it.
Workaround: The following workarounds are available.
Reboot the system.
Restart the ATP process:
Disable ENS Self-Protection.
Open the Windows Task Manager.
Right-click the mfeatp.exe process and kill the process.
Run the most recent V3dat.exe file to get content.
Enable ENS Self-Protection.
Resolution: This issue is resolved in the ENS 10.7.0 July 2020 Update. See the related article for more information.
Issue: A blue screen error (system crash) with bug check 3b can occur when the hook-core service (mfehcs.exe) crashes or isn't running. The crashing thread tries to notify the hook-core service about an injection completion event. But the service isn't running, which leads to a NULL pointer exception.
Resolution: This issue is resolved in the ENS 10.7.0 July 2020 Update. See the related article for more information.
Issue: ENS 10.7.0 July 2020 Update allows creation of exclusions for files, processes, and the registry. Early ENS 10.7 clients don't support these exclusions. If you have a mix of ENS 10.7 clients in your network, ENS 10.7.0 April 2020 Update and earlier show an exclusion that can't be edited in the local ENS console.
Resolution: Upgrade to ENS 10.7.0 July 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
10.7.0 April 2020 Update
10.6.1 April 2020 Update
Issue: ENS Firewall allows and blocks network traffic through Firewall rules when the rule doesn't have a defined Executable FILE PATH value. This issue occurs with any Firewall rule that meets this criteria. But, it's commonly seen with the "Allow McAfee signed applications" rule within the default Firewall Rule policies.
Workaround: To work around this issue, review the existing Firewall rules in the Firewall Options and Firewall Rules policies. Any Firewall rule that has a defined Executable must have the FILE PATH criteria defined.
Resolution: This issue is resolved in the ENS 10.6.1 April 2020 Update and ENS 10.7.0 April 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
10.7.0 April 2020 Update
10.6.1 April 2020 Update
Issue: Network card initialization is delayed. This issue causes short-term network connectivity issues such as lack of network connectivity and disconnected mapped drives.
Workaround: Disable the NDIS driver or install the ENS Firewall module.
Resolution: This issue is resolved in ENS 10.6.1 April 2020 Update and ENS 10.7.0 April 2020 Update. See the related article for more information.
Issue: When you install ENS 10.7.0 using the standalone installer, and supply the verbose logging switch, the ENS installer doesn't write anything to the logs. Also, it doesn't install and almost immediately exits. (An example of a verbose logging switch is "setupEP.exe ADDLOCAL="tp,atp,fw" /l*v"C:\temp\ ".)
Workaround: To allow the successful installation of ENS using the standalone installer, remove the verbose logging switch from the command-line argument passed to the standalone installer.
Resolution: This issue is resolved in the ENS 10.7.0 April 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: After you upgrade to MA 5.6.x, you experience failures when you run the ENS product update and deployment tasks.
Resolution: This issue is resolved in ENS 10.6.1 February 2020 Update and ENS 10.7.0 February 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: On servers, during an ODS of many files, a memory leak can occur. The memory leak eventually leads to the system running out of resources and hanging. After a reboot, the system operates normally.
Resolution: This issue is resolved in the ENS 10.6.1 February 2020 Update and ENS 10.7.0 February 2020 Update. See the related article for more information.
ENSW-96202
10.6.1 July Update
10.7.0 April 2020 Update
10.6.1 April 2020 Update
Issue: Symantec DAgent (Altiris) fails to establish a connection to its engine when ENS Threat Prevention AMSI is enabled. This issue occurs only on Windows 10 version 1903 (and later) clients.
Resolution: This issue is resolved in the ENS 10.6.1 April 2020 Update and ENS 10.7.0 April 2020 Update.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: Within the ePO dashboard, if you add the "AMCore Content Date" column, the dashboard shows different dates for the same AMCore content.
Resolution: This issue is resolved in the ENS 10.6.1 February 2020 Update and ENS 10.7.0 February 2020 Update. See the related article for more information.
10.7.0 April 2020 Update
10.6.1 December 2019 Update
Issue: After an upgrade to ENS 10.6.1 or ENS 10.7.0, scheduled ODS tasks don't run due to an incorrect "AssignedTasks" value.
Workaround: Make any change to the ODS task and save it. The change to the task allows the task to run as expected.
Resolution: This issue is resolved in the ENS 10.6.1 December 2019 Update and ENS 10.7.0 April 2020 Update. See the related article for more information.
Issue: The ENS Web Control installation or upgrade fails. The installation waits for PowerShell to install the Web Control Edge extension, which doesn't return. The installation log contains the following line:
Issue: Issues can occur in Microsoft Excel when the add-in option "Solver" is enabled. Excel might crash, fail to load, or fail to apply the Solver add-in as expected in a cell.
Resolution: This issue is resolved in the ENS 10.6.1 April 2020 Update and ENS 10.7.0 April 2020 Update. See the related article for more information.
Windows KB4537079
10.7.0 April 2020 Update
10.6.1 April 2020 Update
Issue: After you upgrade from SCCM 1906 or earlier to SCCM 1910, a Windows 10 in-place upgrade task sequence might hang on a system with ENS installed.
Workaround: You have two options. You can revert to use the previously known working version SCCM 1906 or earlier. Or, you can try to implement the workarounds in the related article.
Resolution: Install Microsoft Update Rollup for Endpoint Configuration Manager, version 1910 (KB4537079). For more information, see KB4537079 rollup. Or, this issue is resolved in the ENS 10.6.1 April 2020 Update and ENS 10.7.0 April 2020 Update.
ENSW-96081
ENSW-29546
10.6.1
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: A blue screen error rarely occurs in mfencbdc.sys during upgrade of ENS on Windows Server operating systems.
Resolution: This issue is resolved in upgrades to the ENS 10.6.1 February 2020 Update and ENS 10.7.0 February 2020 Update.
ENSW-94498
10.6.1
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: ePO reports show the same AMCore content with different dates.
Resolution: This issue is resolved in the ENS 10.6.1 February 2020 Update and ENS 10.7.0 February 2020 Update.
ENSW-29600
10.6.1
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: The AMCore content fails to update.
Resolution: This issue is resolved in the ENS 10.6.1 February 2020 Update and ENS 10.7.0 February 2020 Update.
ENSW-25432
10.6.1
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: Windows Backup Recovery might fail with ENS installed.
Resolution: This issue is resolved in the ENS 10.6.1 February 2020 Update and ENS 10.7.0 February 2020 Update.
Issue: After you install or upgrade to the ENS Threat Prevention 10.7.0 extension, all Medium-severity Exploit Prevention signatures change to enable the Block and Report setting within the Default policy. This function is a change from earlier ENS versions where Medium-severity signatures have Block and Report disabled by default. This change can possibly generate false positives in your environment, depending on the signature and coverage details.
Workaround: Use either of the following workarounds:
Modify the ENS Threat Prevention Exploit Prevention policy assigned to the systems and disable the Block and Report setting for Medium-severity signatures.
Review the ENS Threat Prevention Exploit Prevention Medium-severity events and determine whether a false-positive event occurred. If the signature isn't applicable to the environment, disable the signature.
Resolution: This issue is resolved in the ENS 10.7.0 February 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 December 2019 Update
Issue: Windows Security Center (WSC) intermittently reports that ENS is disabled. WSC can prompt to enable Windows Defender.
Resolution: This issue is resolved in the ENS 10.6.1 December 2019 Update and ENS 10.7.0 February 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 December 2019 Update
Issue: Defined ODSs don't run with a standalone installation. But, custom-defined scans run and complete.
Resolution: This issue is resolved in the ENS 10.6.1 December 2019 Update and ENS 10.7.0 February 2020 Update. See the related article for more information.
Issue: A core networking rule named "Allow McAfee signed applications" allows network traffic through the SYSTEM process. This fact affects SYSTEM-based network traffic, such as NetBIOS and SMB (for example, port 137, 138, and 445). If you create firewall rules to allow or block this type of SYSTEM-based network traffic, they don't apply. The reason is the "Allow McAfee signed applications" firewall rule is processed before any other firewall rules.
Resolution: This issue is resolved in the ENS 10.7.0 February 2020 Update. See the related article for more information.
ENSW-29097
10.7.0
Windows 10 Version 1803
Issue: A blue screen error (system crash) might occur when you try to upgrade to ENS 10.7 on Windows 10 Version 1709 (Fall Creators Update) and earlier.
Resolution: This issue is an operating system issue that Microsoft resolved in Windows 10 Version 1803 (April 2018 Update) and later. Before you upgrade to ENS 10.7, upgrade to Windows 10 Version 1803 (April 2018 Update) or later.
Issue: Blocking the protocols SSL v3 and TLS 1.0 leads to AMCore crashes.
Resolution: This issue is resolved in the ENS 10.6.1 December 2019 Update and ENS 10.7.0. See the related article for more information.
1237915
10.6.0
10.7.0
Issue: Triggering the Threat Prevention Access Protection rule "Executing Windows Subsystem for Linux" references IDS_AP_RULE_PREVENT_WSL_EXECUTEION
:IDS_BLADE_NAME_SPB when describing the violated rule.This itemis a reference for the Access Protection rule "Executing Windows Subsystem for Linux."
Resolution: This issue is resolved in ENS 10.7.0. With ENS 10.7.0, IDS_AP_RULE_PREVENT_WSL_EXECUTEION:
IDS_BLADE_NAME_SPB is translated to the Access Protection rule "Executing Windows Subsystem for Linux."
Issue: After you uninstall the ENS Firewall module, all incoming traffic to the client is blocked.
Workaround: To prevent the issue, disable the ENS Firewall before you uninstall the module. In your assign ENS Firewall Options policy, deselect the option Enable Firewall. If you're uninstalling the ENS Firewall module locally, disable ENS Firewall through the ENS console. On clients that are already affected, reinstall ENS Firewall, disable ENS Firewall through your assigned policy, and uninstall the ENS Firewall module.
Resolution: This issue is resolved in the ENS 10.7.0 April 2020 Update. See the related article for more information.
1234300
10.6.0
10.7.0
Issue: When viewing the ENS Threat Prevention Exploit Prevention policy, the Signatures table includes an Action to Export Table. When exporting the signature list to any file formats, the Status and Type columns are blank.
Resolution: This issue is resolved in ENS 10.7.0. With ENS 10.7.0, the Export Table function for Exploit Prevention signatures correctly exports the data in the Status and Type columns.
1152719
10.6.0
10.7.0
Issue: The enabled state property of underlying ATP technologies, such as, Dynamic Application Containment and Real Protect, isn't reported as a product property in ePO. Also, no compliance status is reported for ATP.
Issue: After an in-place upgrade of Windows, the ENS Web Control extension isn't installed and the extension can't be enabled in the Edge browser.
Workaround: Enable the ENS Web Control extension in Edge as follows.
Close Edge.
Go to the following location: 32-bit:C:\Program Files\McAfee\Endpoint Security\Web Control 64-bit: C:\Program Files (x86)\McAfee\Endpoint Security\Web Control
Open the file McAfeeWebControl.appx. An installation prompt appears.
Follow the prompt and install the app package.
Close the prompt.
Open Edge. An Enable WC Extension prompt appears.
Click Enable.
1254789
10.6.1
Issue: The Edge extension doesn't load on Microsoft Windows 10 Fall Creators Update and Windows 10 Creators Update even though the extension is licensed. A license issue reported by Microsoft causes this issue. We're working with Microsoft on this issue.
NOTE: The Edge extension isn't supported on the Windows 10 Anniversary Update. The native messaging that's needed to communicate between the extension and the Win32 process is introduced in the Windows 10 Fall Creators Update.
Workaround: The Edge extension is supported only on the Windows 10 April 2018 Update and later.
10.6.1
Issue: There's no group policy exposed to allow the ENS Web Control extension to use the InPrivate mode of the Edge browser.
Workaround: Manually allow the extension in InPrivate mode.
ENSW-13888
10.6.1
Issue: The ENS Web Control toolbar icon doesn't show the correct color depending on the rating of the website while switching between tabs. This issue occurs intermittently.
10.6.1
Issue: With the Windows 10 April 2018 Update, users can disable the Edge extension and bypass ENS Web Control protection.
Workaround: Windows 10 October 2018 Update provides a group policy (Prevent turning off required extensions) to harden the Edge extension. To make sure that users can't disable the Edge extension, add the ENS Web Control extension PFN to the group policy Prevent turning off required extensions. The ENS Web Control extension PFN is as follows and can be fetched from the Dev Center portal: 5A894077.McAfeeEndpointSecurityWeb
Control_wafk5atnkzcwy. For detailed instructions to enable this group policy, see Prevent turning off required extensions.
Issue: The Block or Warn page that ENS Web Control navigates to after blocking or warning for a URL contains the following message. See the related article for more information.
We're sorry, the page you requested cannot be found.
Issue: A "Data truncation" error is generated when upgrading the ENS Web Control extension on ePO servers.
Resolution: We've provided a script to run before installing ENS Web Control 10.7.0 extension 10.7.0.1162.1. See the related article for more information.
Issue: Enabling Exploit Prevention rules 6212 and 6213 (disabled by default) and using a third-party encryption application can cause a dead-lock that's seemingly random. This issue has only been observed in the presence of ZDK encryption software.
Workaround: These Exploit Prevention rules have been removed in Exploit Prevention content 12103 released on March 8, 2022. If you have this issue, and are using Exploit Prevention content before release 12103, disable the following Exploit Prevention rules:
Issue: When you modify five or more ENS ATP rules, the ATP cache is reset on every policy enforcement.
Workaround: Reduce the number of ATP rules modified from 'default' to a maximum of four modified rules with the same state. Or, change the ATP Rule Assignment from Balanced to Productivity. See the related article for more information.
ENSW-115562
10.7.0 February 2022 Update
Issue: When Local Security Authority (LSA) is enabled on the client (by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL to 1), the event for Credential Threat Protection no longer returns the target information.
10.7.0 November 2021 Update
10.6.1 November 2021 Update
Issue: The ENS installation date displays incorrectly in ePO after you check in the MA 5.7.4 extension to ePO 5.10 Update 9 or 10. See the related article for more information.
ENSW-113668
10.7.0 September 2021 Update
Issue: When an ENS installation is paused because of a required update, the MA monitor shows an incorrect message. The message suggests that ENS Platform has installed successfully when it isn't installed and is waiting for the system to reboot.
The installation continues after you reboot the system and finishes successfully. The task isn't completed until the system reboots. The final status of the task shows the correct status.
ENSW-113638
10.7.0 September 2021 Update
Issue: Performing a standalone upgrade over ENS versions fails with MA 5.7.2 or earlier.
Workaround: Retrying the upgrade works, or you can uninstall ENS before installing the new version.
10.7.0 September 2021 Update
10.6.1 September 2021 Update
Issue: We're investigating whether there are any potential compatibility issues, when you have ENS (with AMSI enabled) and the AMSI integration in Microsoft Exchange Server 2016/2019. There's a report of an issue where the AMSI integration isn't working properly when there are multiple AMSI providers.
Workaround: The Microsoft article More about AMSI integration with Exchange Server has steps on how to disable the AMSI feature on Microsoft Exchange Server while retaining the installed Exchange rollup updates. See the related article for more information.
Issue: The default ENS Firewall rules block DNS name resolution and most network traffic from Windows Subsystem for Linux 2 (WSL2) and Docker instances. Windows Subsystem for Linux 1 (WSL1) isn't impacted.
Workaround: Create firewall rules to allow incoming traffic on the required local ports so that the default firewall rules don't block the traffic from the WSL2/Docker instance. See the related article for more information.
Issue: Potentially Unwanted Program exclusions aren't honored if "Scan processes on service startup and content update" is also set. Potentially Unwanted Program exclusions are defined at Endpoint Security Threat Prevention, Policy Category, Options, <policy name>, Exclusion by Detection Name. The scan processes setting is set at Endpoint Security Threat Prevention, Policy Category, On-Access Scan, <policy name>, Scan processes on service startup and content update.
Workaround: Disable the setting "Scan processes on service startup and content update." See the related article for more information.
ENSW-110567
10.7.0 April 2021 Update
Issue: ENS doesn't show as the registered antivirus product on Windows Server 2016, but Windows Defender is uninstalled.
ENSW-110297
10.7.0 April 2021 Update
Issue: When an MVISION ePO user views an option that they don't have permissions to, an exception error displays instead of a "You're unauthorized" message.
ENSW-110224
10.7.0 April 2021 Update
Issue: For a directory with case-sensitivity disabled, after an enhanced remediation rollback, case-sensitivity is enabled if there's a symlink to the directory with case-sensitivity enabled. After a rollback, verify the case-sensitivity of the directory.
ENSW-110152
10.7.0 April 2021 Update
Issue: An enhanced remediation rollback restores the case-sensitivity settings of a directory, but a Quarantine recovery doesn't. Quarantine recovery doesn’t support case-sensitivity.
ENSW-110151
10.7.0 April 2021 Update
Issue: For a directory with case-sensitivity enabled that contains multiple files with the same name but a case variant, if case-sensitivity is later disabled, an enhanced remediation rollback only restores one of the files.
ENSW-109981
10.7.0 April 2021 Update
Issue: If you use the Windows Server Core user interface to set a custom ENS installation path, ENS is installed in the default location.
Workaround: Use the command-line parameter INSTALLDIR="C:\CustomFolder" to set a custom ENS installation path.
ENSW-109842
10.7.0 April 2021 Update
Issue: When the default ENS installation folder C:\Program Files\McAfee\Endpoint Security exists and has case-sensitivity enabled, ENS fails to install to a custom ENS installation path.
Workaround: Either delete the default ENS installation folder or disable case-sensitivity for the folder.
ENSW-109840
10.7.0 April 2021 Update
Issue: Access Protection rules don't work when MD5 is included on a path that has case-sensitivity enabled.
ENSW-109348
10.7.0 September 2020 Update
10.6.1 September 2020 Update
Issue: The Opera browser UI doesn't start on x86 platforms.
Workaround: Either use a different browser or uninstall ENS Web Control from the endpoint.
ENSW-106576
10.7.0 November 2020 Update
Issue: The ENS Exploit Prevention module remediates a Data Execution Prevention (DEP) violation. But, the event reporting that the remediation finishes successfully isn't sent from the client sometimes. The result might be that we remediate more DEP issues on the client system and report less of the remediated changes.
ENSW-106130
10.7.0 November 2020 Update
Issue: Tamper detection events aren't reported in the ePO console or ENS console. But, detection happens and you can see it in the Exploit Prevention logs.
ENSW-103559
10.7.0 September 2020 Update
10.6.1 September 2020 Update
Issue: You get an Access Denied error when accessing files on the C drive. The issue occurs if the Access Protection rule "Protect Endpoint Security logs folder" is enabled and you specify the ENS logs folder to be a common folder such as C:\, C:\Program Files, or C:\Windows. The rule protects the ENS logs folder from unauthorized processes. Only ENS processes have access to the folder when the rule is enabled. All other processes trying to create files, write files, and delete files within the folder are blocked.
Workaround: If you enable the rule "Protect Endpoint Security logs folder," don’t configure the ENS logs folder to be a common folder. We recommend keeping this folder isolated only for ENS logs and not sharing it for other purposes.
ENSW-98869
10.7.0 April 2020 Update
Issue: When you set Credential Theft Protection to "Observe mode," event description text incorrectly suggests that the detection is enforced.
Workaround: To view what action actually took place, see the "Action Taken" field. "Would Block" indicates an Observe-only action.
Issue: If a custom path is configured for Client logging, the ENS Product Logs folder might still exist after ENS is uninstalled.
ENSW-96724
10.7.0 February 2020 Update
Issue: The Limit maximum CPU usage option remains grayed out when Scan anytime is selected in the ePO extension.
ENSW-96670
10.7.0 February 2020 Update
Issue: The process mctray.exe might terminate unexpectedly when you update content via the V3 DAT exe.
Workaround: Run the V3 DAT exe again to restart mctray.exe.
ENSW-96274
10.7.0 February 2020 Update
Issue: In rare scenarios, the Threat Prevention policy changes might not be enforced on the client after the first agent-to-server communication.
Workaround: Settings get applied at the next agent-to-server communication of policy enforcement.
ENSW-29499
10.7.0 February 2020 Update
Issue: You deploy MA using the self-agent deployment URL with the Browsers launching files from the Downloaded Program Files folder Threat Prevention Access Protection rule set to Report. When you do, the Target Signed field in the resulting Access Protection event for McAfeeSmartInstall.exe is set to No.
ENSW-26135
10.7.0
10.6.1
Issue: Double-byte characters in ENS Web Control messages are garbled with the Edge browser. We're unable to correct the issue in the legacy Edge browser extension. Microsoft isn't accepting changes to legacy Edge extensions. We're investigating supporting the Edge Chromium browser to correct the display of double-byte characters in ENS Web Control messages.
ENSW-98887
10.7.0
10.6.1
Issue: ScriptScan doesn't scan when Internet Explorer Enhanced Protection Mode is enabled and the iexplore instance is running in AppContainer mode.
ENSW-28892
10.7.0
10.6.1
Issue: ODSs with frequent pauses might rescan many files.
Issue: The Windows Event Viewer shows Security Audit Failure messages for amcfg.exe or fwwindowsfirewallhandler.dll. The ENS 10.7.0 February 2020 Update lowers the frequency of the messages being seen. There's no functional impact to ENS. We're investigating how to eliminate the events.See the related article for more information.
Issue: Creation of a downloadable agent installation package for non-Windows agents fails. An example of an agent installation package is MA for Linux. The failure occurs if ENS is configured to scan inside archives. The following error displays in the ePO console:
An unexpected error occurred
Workaround: On the ePO server, disable archive scanning. Disable the option Compressed archive files for the Standard Profile. See the related article for more information.
ENSW-96723
10.7.0
Issue: If the AMCore content version is 0.5 before upgrading to ENS 10.7, the AMCore version information is missing from the About field until the content is updated.
Workaround: To resolve the issue, update the AMCore content.
Issue: Upgrading to the ENS 10.7 extension results in the default ENS deployment task losing the ENS modules and repository branch information.
Workaround: To deploy the ENS modules, create a MA deployment task. See the related article for more information.
ENSW-29514
10.7.0
Issue: ENS upgrades use the cached ENS MSI databases. If you've deleted the cached ENS MSI databases from the C:\Windows\installer directory, ENS upgrades fail.
Workaround:
To prevent this issue from occurring, don't upgrade ENS. Instead, uninstall the current version of ENS and then install the new version of ENS.
If you've already encountered an upgrade failure, use the Endpoint Product Removal (EPR) tool to remove ENS and clean up the system. Then, install the new version of ENS. For more information, see KB90895 - Endpoint Product Removal tool to uninstall products.
Issue: When Windows Defender has content older than 1.295.49.0, it might generate a false-positive on one or more ENS installation files. As a result, the installation or upgrade of ENS fails or only partially succeeds.
Workaround: Before the install or upgrade of ENS, make sure that Windows Defender content is current or that Windows Defender is disabled.
Resolution: After you update the Windows Defender content or disable Windows Defender, the next attempt to install or upgrade ENS might succeed. If not, the failed installation might require removal first. See the related article for more information.
ENSW-28427
10.7.0
Issue: When you upgrade from VSE 8.8 Patch 9 (and earlier) to ENS 10.7, VSE remnants might be left behind.
Workaround: The following workarounds are available:
Uninstall VSE before you install ENS 10.7.
Upgrade VSE to 8.8 Patch 10 (or later) and then upgrade to ENS 10.7.
ENSW-28315
10.7.0
Issue: When you upgrade from Windows Server 2008 R2 to Windows Server 2019, the option to retain apps and data is disabled.
Workaround: Upgrade the operating system from Windows Server 2008 R2 to Windows Server 2019 before installing ENS.
ENSW-28558
10.6.1 October Update
Issue: In an environment that uses Microsoft SCCM, installation or upgrade of the Web Control module might fail.
Issue: The ENS Web Control browser extension doesn't appear in the Firefox 74 and later extensions list for new installations.
Workaround: Firefox 73 and earlier with the ENS Web Control extension enabled can be upgraded to Firefox 74 and later and retain the ENS Web Control extension.
Resolution: Use Active Directory (AD) to install the ENS Web Control extension. Firefox provides ADMX templates that you can use to configure an AD policy to enable the ENS Web Control extension. For instructions, see KB87568 - Web Control browser extension must be enabled by the user. See the related article for more information.
Issue: The application mfetp.exe crashes at module MSVCR100.dll.
Workaround: If an Exploit Prevention application protection rule is configured with over 50 executables, the process mfetp.exe crashes. Modify the Exploit Prevention application protection rule so that it has a maximum of 50 executables.See the related article for more information.
Issue: ENS for Windows doesn't support Windows dockers.
Resolution: We're investigating making ENS for Windows compatible with containers for future ENS releases. See the related article for more information.
1238699
10.6.0
Issue: The Firewall Rule policy hangs in ePO 5.10 when a non-administrator user submits a policy for approval.
1238510
TSDE-8722
ENSW-113340
10.6.0
Issue: In the following case, signer SDN matching doesn't work:
You create a Buffer Overflow exclusion where the Signature ID or API is specified.
The exclusion is based on an Exploit Prevention event.
Workaround: Reverse the order of the SDN element provided by the event. For example, if the threat event details specify the SDN as:
O=MCAFEE, OU=ENGINEERING, CN=TEST
Reverse the SDN order to:
CN=TEST, OU=ENGINEERING, O=MCAFEE
1235491
10.6.0
Issue: For AMSI file detections, where the First Action is Delete and the delete fails, the detection event incorrectly shows the Second Attempted Action as Not Available.
Workaround: No workaround is needed. The Second Attempted Action is Block and correctly blocks the activity.
EPO-8779
ePO 5.10.0 and ENS 10.6.0
Issue: The About box on the Endpoint Security Client is blank after a successful Exploit Prevention content update.
Workaround: Rebooting the system resolves the issue.
Issue: Scan resumed is output to the ODS activity log instead of Scan started when the setting Scan anytime - User can defer scans is enabled in the ODS task.
Workaround: Disable the setting Scan anytime - User can defer scans in the ODS task. See the related article for more information.
1213517
10.6.0
Issue: Communication is blocked for Microsoft Edge with Application Guard when you use ENS Firewall.
Workaround: Create a firewall rule with the following criteria: Allow Inbound TCP/IPv4 and TCP/IPv6, Local Ports 80 and 443 (or just the proxy port, when appropriate), Remote Ports 49700–65535, Virtual Media. We're investigating whether further qualifying criteria can be set for this rule to avoid the issue. This article is updated if new information becomes available.
NOTE:This rule also matches for VPN adapters. VPN traffic matching is disrupted.
1212361
10.6.0
Issue: After installation, the ENS Web Control module reports as "Not started" in the ENS console.
Issue: When an ENS Firewall rule is created using the Range option with either a single IP address or an IP subnet, the ENS Firewall console displays an incorrect Address Type (for example, Subnet). See the related article for more information.
1155117
10.6.0
Issue: You can't create a Threat Prevention Access Protection user-defined rule (also called custom rule) to include or exclude files that have no extension. ENS doesn't allow the administrator to distinguish between a file or folder when creating Threat Prevention Access Protection custom rules. This fact prevents the creation of custom rules that include or exclude files that have no extension.
1147465
10.6.0
Issue: There's no option to set a warn action for a website rated with a specific Web Category present in the Content Actions policy. (A warn action to display a warning page to the user to either continue or cancel the navigation of a website.)Only allow or block actions are available to configure for any website rated with a specific Web Category.
1106888
10.6.0
Issue: Exclusions aren't added to allow System Information Reporter 1.0 to work properly when the SIR Set Registry policy is changed.
Issue: ENS Web Control reports in ePO can show a functional status for ENS Web Control in Chrome, Firefox, and Internet Explorer, and show in the report as True, Indeterminate, or False. But, on some systems, the computer can incorrectly report back a functional status of False.
Workaround: Use the ENS Web Control property enabled. See the related article for more information.
10.7.0 February 2022 Update
10.6.1 February 2022 Update
Won't fix
Issue: An Access Protection rule for service creation doesn't work on Windows 7 and Windows Server 2008 R2. An event isn't generated when you create a service.
ENSW-114962
10.7.0 February 2022 Update
10.6.1 February 2022 Update
Issue: An Expert Rule for service creation doesn't work on Windows 7 and Windows Server 2008 R2. An event isn't generated when you create a service.
ENSW-115267
10.6.1 February 2022 Update
Won't fix
Issue: During an update, a crash can occur in Reputation Provider when a HostCommon update completes, but the ENS ATP update isn't complete. From the crash dump:
Workaround: Continue with the update until it succeeds for all ENS components. This issue is due to an incompatibility between Reputation Provider and the older version of ENS ATP. ENS doesn't support mixing versions of modules from different releases.
ENSW-113841
10.7.0 September 2021 Update
10.6.1 September 2021 Update
Won't fix
Issue: Upgrading an old ENS version (for example, ENS 10.6.0) to ENS 10.6.1/10.7.0 September 2021 Update or later fails.
Resolution: This behavior is as designed. Retrying the upgrade works. Or, you can first upgrade to ENS 10.6.1/10.7.0 June 2021 Update, and then upgrade to ENS 10.6.1/10.7.0 September 2021 Update or later.
Issue: Content Security Reporter (CSR) rejects logs from ENS Web Control if the logged on username contains a space.
Resolution: This behavior is as designed. CSR can't parse logs with a space in the username. Don't configure ENS Web Control to send logs to CSR if you have usernames with spaces.
ENSW-28517
10.7.0
10.6.1 October Update
Won't fix
Issue: After you upgrade from ENS 10.6.1 July Update to ENS 10.6.1 October Update or ENS 10.7, the mctray.exe process might become unresponsive.
Resolution: To resolve the issue, restart the system.
1258029
10.6.1
As designed
Issue: Search annotations don't display in Mozilla Firefox or Google Chrome when searching in Google.
Issue: The ENS installation fails. The Common BootStrapper log shows the following error:
[BootstrapperMain] RunCommandLine: Process return code : 4294967295
[BootstrapperMain] !> Error - Could not run command to uninstall vscore helper util: -1
[BootstrapperMain] VSCore uninstall helper failed. Returning!!
Resolution: This behavior is as designed. The ENS installation and product functionality work whenminRSAPubKeyBitLength is set to the default value of 1024 bits. If you've overridden the default value, review and determine whether there's a compelling reason for the adjusted value. See the related article for more information.
1254844
10.6.1
Won't fix
Issue: ENS Web Control block pages aren't displayed in iFrames in the Edge browser for Red and Yellow URLs directly in the iFrame page. When opening the page in a new window, a partial ENS Web Control block page appears.
Resolution: This issue won't be resolved.
1253322
10.6.1
Won't fix
Issue: The ENS Web Control Enforcement Messaging messages are truncated for Polish and Russian in the ePolicy Orchestrator policy.
Issue: When you create an exclusion for a process for Exploit Prevention signature 9990, the application continues to trigger signature 9990.
Resolution: This behavior is as designed. This workaround disables all ENS Buffer Overflow and Illegal API Use protection for the associated process. See the related article for more information.
Select Exploit Prevention event ID 18056 (Buffer Overflow detected and blocked (DEP)) in the Exploit Prevention Events log.
Choose Action, Add Exclusion.
Edit the added exclusion in the associated Exploit Prevention policy.
Remove signature ID 9990 from the exclusion.
Save the exclusion and policy.
10.6.0
As designed
Issue: When using the Help feature (clicking the "?" question mark) in the ePO console, a web browser page opens to the Product Documentation site instead of a contextual page of product information.
Resolution: This behavior is as designed with the Help feature starting with ENS 10.6.0. It'll be the functionality for all future versions.
1263066
1239337
10.6.0
Won't fix
Issue: If you use Mozilla Firefox, Google Chrome, or Microsoft Edge browsers, ENS Web Control email annotation banners don't appear when malicious URLs are present in the body of the email.
Resolution: This issue won't be resolved. To see ENS Web Control email annotation banners when malicious URLs are present in the body of an email, use the Microsoft Internet Explorer browser.
1233664
10.6.0
As designed
Issue: ENS Web Control doesn't allow a clean file to download from a malicious URL based on reputation, if McAfee Client Proxy (MCP) is in redirection mode.
Resolution: This behavior is as designed. The file isn't downloaded because of a double enforcement by ENS Web Control and MCP. The recommendation is to enable the setting Disable if McAfee Client Proxy is detected in the ENS Web Control Options policy.
1228925
10.6.0
As designed
Issue: ENS installation might fail on a system with older update levels of Host Intrusion Prevention (Host IPS) 8.0.
Resolution: This behavior is as designed. Upgrade Host IPS 8.0 to one of the following:
Host IPS 8.0 Update 11
February 2018 content release 8231 (or later) if using Host IPS 8.0 Update 7 or earlier
March 2018 content release 8274 (or later) if using Host IPS 8.0 Update 8–10
Issue: If you install ENS Web Control on a system with Application and Change Control (ACC) 8.1.0.118.1 or later present, the Google Chrome Endpoint Security Web Control Extension is disabled (it's grayed out.) So, no sites are blocked and no ratings are shown.
Resolution: This issue won't be resolved. See the related article for instructions in the following scenarios:
To prevent the issue from occurring before you install ENS Web Control
To resolve the issue if you've already installed ENS Web Control and have experienced the issue.
1235803
10.6.0
Won't fix
Issue: In environments with short living processes with an unknown reputation, such as a compiler, ENS produces a performance penalty on the overall execution. This penalty occurs because the time needed to get a reputation is longer than the reputation retrieval.
Resolution: This issue won't be resolved. To avoid performance penalty, you can add an exclusion for the known path where the originator of the short living process resides. For example, the compiler path.
1218004
10.6.0
As designed
Issue: ENS ATP doesn't honor TIE and GTI Certificate Reputation.
Resolution: This behavior is as designed to prevent administrators from accidentally marking known trusted certificates with an override. This change can cause issues like blue screen errors with large enterprise applications.
Issue: If the ENS Web Control iFrames support feature blocks a site, adding the site to the ENS Web Control Allow List doesn't allow access to the site.
Resolution: This behavior is as designed. See the related article for more information. Use any of the following options to allow access to sites that the iFrames support feature blocks:
Add the IP address of the web server to the Exclusions list in the ENS Web Control Options policy.
Change the action specified for sites that are rated as Yellow and Unrated to Allow in the ENS Web Content Actions policy. Sites that are rated as Yellow and Unrated are blocked if the action specified for these sites is set to Warn and they appear in an HTML iFrame.
Disable the option Enable HTML iFrames support in the ENS Web Control Options policy.
1215521
10.6.0
Unable to reproduce
Issue: An ENS Firewall upgrade hangs.
Workaround: Perform the relevant option below:
For an ePO-managed environment: Create an ePO deployment task for the upgrade, and specify the following command-line parameter in the Command line text field:
-nopreservesettings
The parameter skips preserving settings during the upgrade and installs with the default policy. The client gets the customized policy in the next policy enforcement interval.
For a standalone environment: Don't select the Preserve Settings option in the installation wizard during the upgrade.
1232358
10.6.0
Unable to reproduce
Issue: Access Protection rules for the Threat Prevention module aren't visible in the ePO console. An export of the policy (to XML) reveals that the value assigned to "APRules.dwAPRuleBlocks" doesn't match the actual number of rules.
Workaround: Delete the corrupt policy and create a new policy. Currently, the cause of the corruption is unknown.
1229445
10.6.0
Crowdstrike Hotfix is available
Issue: A system crash (blue screen error) occurs in mfencbdc.sys when installing ENS with the third-party software Crowdstrike present on the system.
Resolution: A hotfix is available from Crowdstrike to resolve the issue.
1216519
10.6.0
Won't fix
Issue: After installation, the ENS Web Control module isn't reporting to ePO.
Resolution: This issue won't be resolved. To fix the issue, restart the system.
1215828
10.6.0
Won't fix
Issue: Microsoft DEP integration works, but events aren't reported for buffer overflow attacks with standalone installations.
Resolution: This issue won't be resolved. DEP event reporting works as expected with ePO.
Issue: On Windows Server operating systems, web protection isn't blocking malicious sites in Internet Explorer 11.
Resolution: This behavior is as designed. On Windows Server operating systems, the Internet Explorer browser setting "Enable third-party browser extensions" is disabled by default. ENS Web Control requires this option to be enabled. For instructions to enable this option, see the related articles.
1214616
10.6.0
As designed
Issue: In an ePO deployment, the ENS installation is interrupted, leaving only the Platform installed.
Cause: Another application restarts the system after the Platform installation. Because of the restart, the MA deployment task is abruptly closed, which can cause ePO to not receive any response and then time out.
Resolution: This behavior is as designed. Send another deployment task to the systems with this issue. The ENS installation succeeds.
1209000
10.6.0
As designed
Issue: Access Protection File execute and Process run subrules and operations aren't working.
Resolution: This behavior is as designed. The service "McAfee Validation Trust Protection Service" allows trusted applications to function when needed. This service mitigates the risk of creating a rule accidentally that might prevent an essential process from running, and even impact the normal behavior of the operating system. The validation is applied only to some specific rules that are trusted from us and Microsoft. The validation is applied by default to all rules when created using the Access Protection user interface. But, the validation isn't applied by default for expert rules for Exploit Prevention.
10.6.0
As designed
Issue: Running the migration tool more than once can cause policies to be overwritten and appear to revert.
Resolution: This behavior is as designed. The policy migration task is intended to be run only once, and from that point, not run again in the environment.
Issue: After you install an ENS update or hotfix that upgrades AMCore, the AMCore scanner fails to initialize. On-Access Scanning and On-Demand Scanning don't work if the AMCore scanner doesn't initialize.
Resolution: This behavior is as designed. Anytime an ENS update or hotfix upgrades AMCore, it's mandatory to update to the current AMContent for the AMCore scanner to initialize. See the related article for more information.
1179963
10.6.0
Won't fix
Issue: When you use Kerberos authentication in the proxy server, Real Protect reports the connection failed and the ATP log reports RcStatus code 19. This issue occurs when the proxy server is configured by the IP address in the ENS Common policy setting and the ENS/Real Protect client fails to reach the proxy server. So, the Real Protect scan might make a direct connection.
Resolution: This issue won't be resolved. There's a known limitation in Kerberos. When you use Kerberos authentication in the proxy server, always configure the proxy server by fully qualified domain name (FQDN) or DNS name, rather than by IP address, in the ENS Common policy setting. (An example FQDN or DNS name is testkerbproxy.domain.com). For a system proxy in the Common policy, also follow the FQDN or DNS naming convention when you specify the proxy server in the browser proxy configuration. For example, in the browser manual proxy setting, and WPAD or PAC file.
1226114
10.6.0
Unable to reproduce
Issue: ENS Web Control site ratings don't appear on the second page of the results when using Internet Explorer 11 and the Bing search engine with the region set to English United States.
Workaround: Refresh the page and the site ratings appear.
1201666
10.6.0
As designed
Issue: A Potentially Unwanted Program exclusion by detection name isn't applied to detections through the scan email attachments feature.
Resolution: This behavior is as designed. Disable the scan email attachments feature if you see too many detections.
1185352
10.6.0
Won't fix
Issue: If MCP is uninstalled and reinstalled on a system with ENS, and "Disable if McAfee Client Proxy is detected" is enabled in the ENS Web Control Options policy, that setting isn't honored unless it's disabled and re-enabled.
Resolution: This issue won't be resolved. Disable "Disable if McAfee Client Proxy is detected" in the ENS Web Control Options policy, and check the new policies. Then, re-enable "Disable if McAfee Client Proxy is detected" in the ENS Web Control Options policy, and check the new policies again.
1183560
10.6.0
Won't fix
Issue: The RESTORE operation for registry-related Access Protection subrules doesn't work as expected when it's the only operation enabled on the Access Protection subrule.
Resolution: This issue won't be resolved. Enable REPLACE, DELETE, and WRITE operations with the RESTORE operation when defining a Registry Key or Registry Value Access Protection subrules.
1180078
10.6.0
Won't fix
Issue: If the user selects more than 1,000 files and performs a right-click ODS on the selection, only 1,000 files are scanned.
Resolution: This issue won't be resolved. When performing a right-click ODS of more than 1,000 items, select the parent folder instead of the files in it.
1175803
10.6.0
As designed
Issue: The "AMCore Content Compliance Days" property stays empty in all situations for both Compliant and Noncompliant content.
Resolution: This behavior is as designed. The "AMCore Content Date" property is added to Queries, making the "AMCore Content Compliance Days" property obsolete.
1173540
10.6.0
Won't fix
Issue: The following migration issues occur when the ENS Firewall extension isn't installed:
Manual migration doesn't allow you to migrate VSE Access Protection and Buffer Overflow Protection (BOP) policies and Host IPS policies to ENS Threat Prevention policies.
Auto migration doesn't migrate trusted applications for Host IPS to the Access Protection policy as global exclusions.
The policy naming convention is different. The policy is named "Migrated VSE Policy-n" rather than "Merged Policy -n."
Resolution: This issue won't be resolved. Install the ENS Firewall extension even though you don't use the Host IPS firewall features.
1184610
10.6.0
Won't fix
Issue: Services protection doesn't block some services from starting. This issue has been reported with the Security Center Service and Bluetooth Support Service.
Issue: Installation of ENS fails. The installation logs contain error code 0x80096005, -2146869243, or both.
Cause: The required trusted root certificates aren't added during installation.
Resolution: This behavior is as designed. Address the issue preventing the automatic update of root certificates, or import the required root certificates. See the related article for more information.
1167969
10.6.0
As designed
Issue: Service protection has the following limitations (that also exist in Host IPS):
User and executable parameters aren't distinguished; although they're available in the UI, they aren't valid parameters.
Services protection is valid up to Windows 8.0; later releases aren't supported.
The enable or disable hardware profile operation isn't supported.
Resolution: This behavior is as designed.
1165257
10.6.0
As Designed
Issue: A user can continue to change settings after a time-based password expires if the console to the settings is still open before the password expires. The next policy enforcement overrides the changed settings.
Resolution: This behavior is as designed.
1163884
10.6.0
As designed
Issue: After you disable firewall-timed groups, time ticking is paused when the firewall is disabled. It starts from the point in time when the firewall is re-enabled. Even though timed groups are enabled, they aren't functional because the firewall is disabled.
Resolution: This behavior is as designed. When the firewall is re-enabled, re-enable the timed group and change its running time in the policy. To stop the timed group, use the Disable Firewall Timed Group option in the McTray Quick Settings.
1161102
10.6.0
As designed
Issue: If the ENS console is open when the ATP module is installed, you must close and reopen the console for the ATP module to display properly in the console.
Resolution: This behavior is as designed.
1160153
10.6.0
As designed
Issue: A process detected as malicious by Real Protect, its child process, and files dropped by the detected process, is sometimes not backed up using a single Quarantine ID. Remediation of Real Protect detection involves cleaning (Delete or Repair) of the process itself, child processes, and dropped files. During the remediation process, there's a possibility that some items might be cleaned by Engine and some might be cleaned by Real Protect. In such scenarios. Each item remediated by Engine is backed up in the Quarantine store with a different Quarantine ID. All items remediated by Real Protect have a single Quarantine ID. Usually, Real Protect cleans all items in a single quarantine session, so all items are grouped under a single Quarantine ID.
Resolution: This behavior is as designed. If you want to restore all items of a Real Protect detection, make sure that you look at multiple consecutive quarantine items (Grouped by Time Quarantined) in the Quarantine Manager. For a single remediation session of Real Protect detection, items remediated by Engine have the quarantine name with TIE/Suspect! and items remediated by Real Protect have the quarantine name that starts with Real Protect.
Issue: When ENS Web Control is installed on an operating system that has Internet Explorer with the Enhanced Protected Mode setting enabled, it fails to block malicious sites and file downloads. ENS Web Control isn't compatible with Internet Explorer Enhanced Protected Mode.
Resolution: This issue won't be resolved. See the related article for instructions to disable Enable Enhanced Protected Mode in Internet Explorer.
1158995
10.6.0
Won't fix
Issue: Real Protect doesn't delete the directories created by a malicious application. Real Protect remediates each item created or changed by the target application. But, the metadata about whether the item is created or changed isn't provided for remediation.
Resolution: This issue won't be resolved. The remediation module doesn't delete the directories to avoid loss of any other data.
1157387
10.6.0
As designed
Issue: You install ENS, enable Disable if McAfee Client Proxy is detected in the Options policy of ENS Web Control, enforce the policy, and then install MCP. But, ENS Web Control isn't disabled immediately after the installation of MCP.
Resolution: This behavior is as designed. Use either of the following workarounds:
Wait for about five minutes, and ENS Web Control is disabled.
Change any ENS Web Control policy and enforce the new policy, and ENS Web Control is disabled.
1154452
10.6.0
Won't fix
Issue: When you select a sub System Tree ENS migration, select some groups, click Actions, choose columns, and save, the selection of groups is reset.
Resolution: This issue won't be resolved.
1151514
10.6.0
Won't fix
Issue: Block and Report settings of the Exploit Prevention policy aren't set when the Host IPS Rules Policy isn't edited, but the IPS Protection policy is changed. When the Host IPS Rules Policy isn't edited, but the IPS Protection policy is changed with the Reaction as either Log or Ignore, the Migration Assistant doesn't migrate the Host IPS Rules. The ENS settings are set to the default behavior.
Resolution: This issue won't be resolved. This issue is an unlikely scenario wherein the Host IPS Rules policy isn't edited and the dependent IPS Protection policy is changed to a lower Reaction for high-severity signatures. Even though this configuration might have been made by mistake, ENS defaults to correct the behavior with setting the Block setting.
1140086
10.6.0
As designed
Issue: A file with an unknown reputation isn't contained by Dynamic Application Containment (DAC).
Resolution: The DAC threshold can be configured via the policy or client interface. Find the option "Trigger Dynamic Application Containment when reputation threshold reaches," and set its threshold to Unknown.
1077660
10.6.0
Won't fix
Issue: If an MA update task is configured to show the update progress window, and the user is allowed to postpone the task, the "Update in Progress" window might appear for a short time. It appears even though the update isn't actually occurring. If the user postpones the task, an "Update finished" window might appear, even though the update didn't occur.
Issue: A scan exclusion configured for multiple mount points doesn't work.
Workaround: Configure the scan exclusion with the full path for the mount point. If you experience this issue, contact Technical Support. See the related article for more information.
1144915
10.6.0
Won't fix
Issue: After all ENS modules are uninstalled, the Common module (ENS Platform) uninstallation is automatically started. Sometimes, the user interface for this uninstallation is minimized. This fact can make it more difficult for a user to tell when this uninstallation occurs.
Cause: The ENS Platform is a support module that's needed for the ENS protection modules to function. When all other modules are uninstalled, the ENS Platform module is automatically removed. But, Windows sometimes starts this process in a minimized mode or shows the window behind the other windows on the screen. If the user doesn't know that this uninstallation is happening, they might inadvertently restart the system in the middle of that uninstallation.
Resolution: This issue won't be resolved. Before you uninstall ENS products, make sure that any current work is saved, and close running desktop programs. The user can likely see that the ENS Platform uninstallation is occurring.
1148403
10.6.0
Won't fix
Issue: If you upgrade the Threat Prevention extension version, the ENS client UI might fail to display Exploit Prevention exclusions, indicate erroneous validation errors, and generate errors in EndpointSecurityPlatform_Errors.log such as the following:
Failed to retrieve GPEP setting for Exploit Prevention.
Failed to enforce Exploit Prevention policies.
Resolution: This issue won't be resolved. Edit and save the assigned Exploit Prevention policy, and send an agent wake-up call to the affected systems.
Issue: On Windows 7, user roaming profiles aren't saved to a network share on user logoff.
Workaround: Create an exclusion in Threat Prevention to not scan the roaming profile folders on the server. See the related article for more information. Currently, a root cause can't be found on Windows 7. If you experience the issue with Windows 8 or Windows 10, collect the information described in the related article and provide the results to Technical Support.
1137118
10.6.0
Won't fix
Issue: During upgrade from a previous version of ENS, when Save my settings if upgrading is deselected, the user provided Access Protection exclusions remain on the system.
Resolution: This issue won't be resolved. Remove unwanted Access Protection exclusions; use the ENS console before the upgrade to the latest version of ENS.
1137117
10.6.0
Won't fix
Issue: During upgrade from a previous version of ENS, when Save my settings if upgrading is deselected, the user-provided Exploit Prevention exclusions partially remain on the system.
Resolution: This issue won't be resolved. Remove unwanted Exploit Prevention exclusions; use the ENS console before the upgrade to the latest version of ENS.
Issue: MA installation is blocked because DAC contains the file FramePkg.exe due to "unknown" reputation as indicated by Threat Intelligence.
Resolution: This issue won't be resolved. Create a DAC exclusion for the file FramePkg.exe. See the related article for more information.
1134953
10.6.0
Won't fix
Issue: If you use Firefox, when ENS Web Control blocks the download of a malicious file, a zero-byte file is left in the folder in which the file is being downloaded.
Resolution: This issue won't be resolved. Use a different browser, such as Internet Explorer or Chrome.
1132923
10.6.0
As designed
Issue: When you select the IPS Rules policy for migration, the IPS Protection policy category lists all policies from the Policy Catalog including predefined and unmodified My Default policies.
Resolution: This behavior is as designed.
1132406
10.6.0
Won't fix
Issue: SiteAdvisor Enterprise policies named Typical Corporate Environment aren't migrated in a manual migration or one-to-one auto migration. Typical Corporate Environment is a default policy name for a few products that aren't migrated. The Migration Assistant doesn't migrate policies with this name for any products.
Resolution: This issue won't be resolved. Rename the SiteAdvisor Enterprise policy from Typical Corporate Environment to any other name and then perform the migration.
1132404
10.6.0
Won't fix
Issue: Manual migration is allowed to continue when only the IPS protection policy is selected.
Resolution: This issue won't be resolved.
1132212
10.6.0
Won't fix
Issue: Auto-migrated Threat Prevention Access Protection and XP policies don't include the IPS Protection policy in their notes section.
Resolution: This issue won't be resolved.
1131595
10.6.0
Won't fix
Issue: Executable notes from Host IPS Exceptions don't migrate to the Exploit Prevention executable notes section.
Resolution: This issue won't be resolved.
1129727
10.6.0
Won't fix
Issue: If a Host IPS file, reg, or program rule exception contains multiple parameter types, such as username and executable, the exception applies when all parameters are true. After migration to an ENS Access Protection rule, the exception applies when any of the parameters are true.
Resolution: This issue won't be resolved. In ENS, create one rule per parameter type.
1127732
10.6.0
As designed
Issue: The TIE client sends only TIER 1 requests for known trusted files signed by a certificate.
Resolution: This behavior is as designed.
1120973
10.6.0
As designed
Issue: When you perform a Secure Search from the search bar, it doesn't automatically use the configured Secure Search engine.
Resolution: This behavior is as designed. Manually set Secure Search as the default search provider.
1128863
10.6.0
Won't fix
Issue: Duplicated DAC exclusions are allowed on the client. The client UI doesn't detect duplicate DAC exclusions like the ePO Policy Editor does. There's no negative result from the duplicated exclusions.
Resolution: This issue won't be resolved. Manually check for duplicate DAC exclusions.
1110634
10.6.0
As designed
Issue: When a deployment task for ENS fails because of an insufficient version of MA, the MA Monitor displays a message that says the task is successful.
Resolution: This behavior is as designed. Ending the deployment process during the prerequisite software check isn't considered a failure state by MA. The deployment doesn't continue to the download phase. As far as MA is concerned, the task itself is successful in running, even though it ends prematurely. This behavior is different from when the deployment fails while running the installation program after it has been downloaded to the endpoint.
1099253
10.6.0
Won't fix
Issue: ENS fails to preserve custom settings for features that aren't installed in VSE 8.8 when you upgrade to ENS.
Resolution: This issue won't be resolved.
1097395
10.6.0
Won't fix
Issue: The Action Taken properties from "Contains pattern" values in the Threat Event Log show Intrusion Detection System (IDS) strings, for example, “IDS_ALERT_ACT_TAK_DEN”. These strings are instead natural language strings, for example, "deny access."
Resolution: This issue won't be resolved.
1094383
10.6.0
Won't fix
Issue: The VSE BOP exclusion API value isn't migrated if either the module or API name contains a period (for example, dll.socket or fakeAPI.abc).
Resolution: This issue won't be resolved. Make sure that the module or API name doesn't contain a period.
1089748
10.6.0
Won't fix
Issue: Sometimes, there's a delay in the display of the email annotation in Outlook.
Issue: On Windows Server operating systems, the Internet Explorer browser setting Enable third-party browser extensions is disabled by default. ENS Web Control requires this option to be enabled. After ENS Web Control is installed, the user can't enable the setting Enable third-party browser extensions.
Resolution: This issue won't be resolved. Enable the setting Enable third-party browser extensions in Internet Explorer. See the related article for more information.
1083135
10.6.0
As designed
Issue: The list of assigned tasks in one group isn't moved to another group when a major upgrade is deployed from ePO. (For example, from ENS 10.6 to 10.7.)
Resolution: This behavior is as designed.
1075106
10.6.0
Won't fix
Issue: Firewall DNS blocking isn't enforced for Internet Explorer running on Windows 7 64-bit and Windows Server 2008 R2 systems.
Resolution: This issue won't be resolved. This issue is intermittent and occurs only for a short time after you upgrade ENS.
1074557
10.6.0
Won't fix
Issue: The McTray icon is distorted after you install ENS in a TPS environment.
Resolution: This issue won't be resolved.
1070400
10.6.0
As designed
Issue: The client UI doesn't start in Safe Mode.
Resolution: This behavior is as designed.
1070739
10.6.0
Won't fix
Issue: Natural language descriptions aren't properly translated.
Resolution: This issue won't be resolved. To resolve the issue, restart the system.
Issue: The service start process times out while waiting for a dependent service to start. If the service doesn't respond in 30 seconds, Windows stops the service.
Resolution: This issue won't be resolved. Log on and start the service manually from the Services user interface (Services.MSC). The service also starts automatically from a COM ping when a browser window is left open for a few minutes. See the related article for more information.
1070189
10.6.0
Won't fix
Issue: Even if you choose another language for the client interface language, the interface language of ENS Web Control is written in the default language.
Resolution: This issue won't be resolved. The language of the ENS Web Control interface in the browser doesn't depend on the client user interface language that's set. The language is localized based on system locale.
996973
10.6.0
As designed
Issue: A manual installation generates an Unidentified Publisher error.
Resolution: This behavior is as designed. Check Event Viewer, Windows Logs, Application log for the latest event from the source Certificate Services Client to verify that it has been started successfully. Certificate Services Client is a core part of Windows that manages certificate handling, such as certificate enrollment, including auto-enrollment and credential roaming.
996375
10.6.0
As designed
Issue: A Windows Security Audit failure occurs because of mfeelamk.sys.
Resolution: This behavior is as designed. A driver developed for Windows 8 and signed by "Microsoft Windows Early Launch Anti-malware Publisher" generates audit errors on Windows 7. Depending on how often your system is designed to run an audit, you might see several of these errors in the Windows Event Log.
993212
10.6.0
As designed
Issue: ENS client help isn't enabled for screen readers, such as JAWS.
Resolution: This behavior isn't supported.
991842
10.6.0
As designed
Issue: By default, Use system proxy settings are selected in the Common setting for a self-managed system.
Resolution: This behavior is as designed. Use the local UI to change the setting.
990974
10.6.0
As designed
Issue: Some informational common settings for modules still exist in the Common settings page even though the module isn't installed. For example, Threat Prevention events aren't removed after the related blades are uninstalled from the system.
Resolution: This behavior is as designed. No problems occur because of the existence of these settings.
990805
10.6.0
Won't fix
Issue: The local update task doesn't run at the specified time, but instead runs later.
Resolution: This issue won't be resolved. To avoid a network storm, the local update task uses a randomization of 60 minutes when setting up the schedule. So, the update task runs within 60 minutes of the scheduled time. The randomization setting isn't available from the local UI and can't be changed.
982238
10.6.0
As designed
Issue: A sharing violation error is logged in the local log file after scanning the C:\Windows folder. The sharing violation is expected because of the files being open exclusively (no shared read) in Windows processes.
Resolution: This behavior is as designed. The sharing violation error severity is set to Informational. This fact means that by default, the error isn't sent to ePO. Also, the error doesn't display in the Windows Event Log by default.
976918
10.6.0
As designed
Issue: Some Access Protection rules protect against remote access, such as the Remotely accessing local files or folders rule. When these rules are enabled and an access is reported or blocked, the target path value in the Event Log might report the pipe connection. It can report the pipe connection rather than the file path that's requested in the access that's attempted. For example, the Event Log might report \\.\pipe\srvsvc rather rather than \\computer\share\filename.
Resolution: This behavior is as designed, and is a reflection of how the Windows file system works.
949580
10.6.0
As designed
Issue: An erroneous summary is displayed in the Threat Summary: Threat free for last 30 days if ENS is installed in the last 30 days.
Resolution: This behavior is as designed. If there have been no threats in the last 30 days, ENS displays this message. If there have been threats in the last 30 days, ENS displays the exact number of threat-free days.
922465
10.6.0
As designed
Issue: The Firewall Rules table doesn't allow a new rule to be added to a new empty group in one step.
Resolution: This behavior is as designed. To move a newly added firewall rule to an empty group, first drag the rule above the group, and then drag and drop the rule inside the new group.
919855
10.6.0
As designed
Issue: When running some ePO ENS event queries, and you drill down on a specific event's details, not all details of the event display.
Resolution: This behavior is as designed. Select the Go to related Event Log link to see the complete event details.
912588
10.6.0
As designed
Issue: There are no Self-Protection events in the Windows Event Viewer, ENS Client Event Viewer, or ePO Threat Events.
Resolution: This behavior is as designed. Self-Protection events are set to Informational by default and they're tied to the Event Filtering of Access-Protection. All event filtering is set to Major and Critical by default in ePO and in the client UI. To see Self-Protection events in the Windows Event Viewer, the ENS Client Event Viewer, or ePO Threat Events, you must change the Event Filtering for Access-Protection to All. Because All includes informational events, Self-Protection events display in the three areas mentioned.
NOTE:Regardless of the Event Filtering settings, Self-Protection events are logged to the SelfProtection_Activity.log file located in %PROGRAMDAT%\McAfee\Endpoint or %allusersprofile%\application data\McAfee\Endpoint. You can view this information at any point if needed.
898131
10.6.0
Won't fix
Issue: Clicking Update Now reports a successful update when the system is already up to date.
Resolution: This issue won't be resolved. When you click Update Now, the updater is initiated and the repository is checked for new updates. This behavior occurs regardless of whether the system is already up to date. Even in the case where no update is applied, the updater reports that the update is successful.
Issue: A reboot loop can occur after you install or upgrade to ENS 10.6.1 July Update. The issue occurs only if other Subject Interface Package providers are present and Exploit Prevention is enabled.
Resolution: This issue is resolved in the ENS 10.6.1 July Update Repost. See the related article for more information.
Issue: The ENS ATP service (mfeatp.exe) might crash with a reference to the DLL ReputationProvider.Dll. When a crash occurs, the ENS ATP service automatically restarts about 10 minutes after the crash. The crash can reoccur. If the crash reoccurs, the ENS ATP service automatically restarts.
Resolution: This issue is resolved in the ENS 10.6.1 July Update Repost and ENS 10.6.1 Hotfix 190501. See the related article for more information.
1232096
10.3.0
Windows Server 2016
Issue: A small kernel memory leak in tags CMNB and CM31 occurs with Real Protect enabled on server operating systems.
Workaround: To mitigate the issue, disable Real Protect.
Resolution: Microsoft handling of Event Tracing for Windows (ETW) causes this issue. Real Protect uses ETW tracing. This issue is resolved in Windows Server 2016 and in a Windows Server 2012 update (KB4489881 update).
Issue: After Threat Prevention is installed, Windows Server 2012 or Windows Server 2012 R2 servers with Cluster Shared Volumes randomly experience a system crash (blue screen error).
Workaround: The issue doesn't occur with Windows Server 2016.
Resolution: There's a Microsoft release that resolves this issue, which is described in the March 2017 rollup. See the related article for more information.
Issue: When you click Update Now in the ENS client UI console for the second time when content is already up to date, the following messages display in the Update window:
Update stopped
Cannot communicate with the update service
Resolution: This issue is resolved in the ENS 10.6.1 September Update. See the related article for more information.
Issue: When you perform a right-click scan on a single file that's on a removable device, ENS might scan the whole device instead of only the single file selected. A removable device can be a USB key.
Resolution: This issue is resolved in the ENS 10.6.1 July 2020 Update. See the related article for more information.
Issue: When certain third-party software (Check Point VPN, Check Point ZoneAlarm, and Shrewsoft VPN Client) is installed on the system, installation of ENS fails.
Resolution: If you experience the issue with Check Point VPN, there's a hotfix available from Check Point that resolves the issue. See the related article for more information.
ENSW-99844
10.6.1
10.6.1 July 2020 Update
Issue: In rare circumstances, third-party applications might fail to start or might crash with ENS 10.6.1. Examples include NVidia Quadro vDWS license engine, NVDisplay.Container.exe, and Adobe Creative Cloud Desktop. ENS unintentionally overrides application default lookup paths for DLLs.
Resolution: Upgrade to the latest available build for ENS 10.7. This issue is also resolved in the ENS 10.6.1 July 2020 Update.
Issue: After you install ENS ATP, you see continuous high CPU usage for the mfeatp process.
Workaround: Disable the option Enable Enhanced Script Scanning (includes AMSI) found within the ENS ATP Options policy.
Resolution: The issue is resolved in Real Protect Engine version 1.1.0.6396. The Real Protect content is automatically updated on the endpoints through the AMCore content package. See the related article for more information.
Issue: ENS Firewall blocks ENS ATP (mfeatp.exe) network communication. The ENS FirewallEventMonitor.log shows the following. See the related article for more information.
Time: 07/12/2019 04:00:29 PM
Event: Traffic
IP Address: ###.###.###.###
Description: MCAFEE ADAPTIVE THREAT PROTECTION SERVICE
Issue: After applying the Windows 2019 August Update, you observe high non-paged memory consumption in mfetp.exe. Over time, system performance degrades on systems, creating large numbers of short-lived processes.
Or, after installing MVISION EDR on systems, you see general higher CPU usage.
Resolution: These issues are resolved in the ENS 10.6.1 October Update. See the related article for more information.
Issue: Opening PDFs in Adobe Acrobat Reader X Protected Mode is blocked with the ENS 10.6.1 July Update installed and Exploit Prevention enabled. When opening the document, the Adobe Acrobat Reader application either becomes unresponsive or displays the following error:
Adobe Reader cannot open in Protected Mode due to a problem with your system configuration. Would you like to open Adobe Reader with Protected Mode disabled?
Workaround: Set the Adobe Acrobat Reader Application Protection rule to Exclude.
Resolution: This issue is resolved in the ENS 10.6.1 July Update Repost. See the related article for more information.
1267942
10.6.1 February Update
10.6.1 July Update
Issue: ENS 10.6.1 February Update through ENS 10.6.1 May Update don't work with Dell CAVA.
Workaround: Stay on ENS 10.6.1 December Update (or earlier).
Resolution: This issue is resolved in the ENS 10.6.1 July Update.
1238665
10.6.0
10.6.1 December 2019 Update
Issue: Threat Prevention Exploit Prevention exclusions with "Allow any signature" incorrectly match processes that have no signature. "Allow any signature" must only match if the process is signed.
Resolution: This issue is resolved in the ENS 10.6.1 December 2019 Update.
TSDE-522
10.6.1
10.6.1 July Update Repost
Issue: In "Programs and Features," the entry for ENS Platform shows garbled characters rather than the correct Japanese translation.
Resolution: This issue is resolved in the ENS 10.6.1 July Update Repost.
Issue: If you select the Allow checkbox in the Certificates section of the ENS Common, Options policy, it doesn't remain selected after you save the ENS Common policy and later reopen it. This issue is cosmetic. The Allow option is correctly set in the ENS Common policy when saved. It's also accurately transferred to any client with the policy applied.
Resolution: This issue is resolved in the ENS 10.6.1 October Update. See the related article for more information.
1263450
10.6.1
10.6.1 October Update
Issue: There can be high memory consumption by mfeatp.exe if debug logging is enabled for ENS ATP under load over an extended period.
Workaround: Disable debug logging for ENS ATP and the high memory consumption stops.
Resolution: This issue is resolved in the ENS 10.6.1 October Update.
1254894
10.6.1
10.6.1 October Update
Issue: Client systems aren't unlocked if you try to unlock them by selecting all systems after you run the following ePO query: Endpoint Security: Locked Client Systems Due to Failed Password Attempts.
Workaround: Instead of selecting all systems, select multiple systems and unlock the systems.
Resolution: This issue is resolved in ENS 10.6.1 October Update.
Issue: In some circumstances, an upgrade to the ENS ATP 10.6.1 December or February Update results in a failure to submit certain files for checking. These files are ones that are found to be of unknown reputation to a correctly configured Advanced Threat Defense (ATD) appliance. In this context, correctly configured means that TIE, Data Exchange Layer, and ATD connectivity is generally working well.
Workaround: Upgrade the affected system to the latest available ENS build available and restart the affected system.
Resolution: This issue is resolved in the ENS 10.6.1 May Update. See the related article for more information.
1239082
10.6.0
10.6.1
Issue: Threat Prevention displays the following pop-up error during an upgrade from a previous version of ENS. The issue occurs when a Threat Prevention 10.6.0 deployment doesn't accompany ENS Platform 10.6.0 while upgrading ENS.
Error 2761. Cannot begin transaction. Global mutex not properly initialized
Workaround: Deploy Threat Prevention 10.6.0 with ENS Platform 10.6.0 during upgrades.
Issue: A system crash (blue screen) error with Bug Check 19 "BAD_POOL_HEADER" might occur sporadically when ENS Threat Prevention 10.6.1 May/July Update is present and AMCore content is installed.
Resolution: This issue is resolved in the ENS 10.6.1 July Update Repost. See the related article for more information.
Issue: A system crash (blue screen) error with Bug Check 19 "BAD_POOL_HEADER" might occur sporadically when Exploit Prevention is enabled and there's a mapped network drive that points to a non-drive letter.
Workaround: The following workarounds exist to avoid this issue:
Remove the mapped drives that point to a non-drive letter, or reassign the mapped drives to a drive letter.
Disable Exploit Prevention.
Resolution: This issue is resolved in the ENS 10.6.1 July Update Repost. See the related article for more information.
Issue: After upgrading ENS, the installation client might encounter an exposed Windows kernel bug. This bug corrupts XML files and the system local console GUI might display abnormal behavior including one of the following:
One or more modules report as "Unknown."
A password prompt displays, but there's no password policy in place.
Systems report as out of compliance in ePO despite the update tasks appearing successful.
Workaround: To restore functionality, run the ENS RepairCache utilities against all impacted modules and then restart the system. See the related article for more information.
Resolution: This issue is resolved in the ENS 10.6.1 December 2019 Update.
Issue: When you upgrade from a previous ENS version to 10.6.1, the installation gets stuck in an infinite restart loop. In the McAfee_Common_Bootstrapper.log, you see the following:
05/02/2019 08:00:43.872 [3532] [BootstrapperMain] Common:Product version :10.6.1
05/02/2019 08:00:48.530 [3532] [BootstrapperMain] Check if installed common is 10.6.0, need to install a HF for 10.6.0 before upgrade
05/02/2019 08:00:48.530 [3532] [BootstrapperMain] Installed ENS Common Product Version : 10.6.0
05/02/2019 08:01:39.843 [3532] [BootstrapperMain] Utility to update ENS exp driver returned reboot required.
05/02/2019 08:01:39.858 [3532] [BootstrapperMain] Common failed during install or Upgrade!!!
Workaround: Delete the McAfeeEndpointSecurity_100 registry key on the client.
Resolution: This issue is resolved in the ENS 10.6.1 July Update Repost. See the related article for more information.
1260017
10.6.1
10.6.1 February Update
Issue: The following error displays when editing the ENS Firewall policy using ePO 5.10:
Unexpected error occurred
Resolution: This issue is resolved in the ENS 10.6.1 February Update Firewall extension.
1254885
10.6.1
10.6.1 May Update
Issue: The Endpoint Security link doesn't open from the Virus & threat protection section of Windows Defender Security Center after you upgrade ENS from an older version.
Resolution: This issue is resolved in the ENS 10.6.1 May Update.
Issue: After switching between ENS Firewall and Host IPS Firewall, WSC incorrectly reports the status of ENS Firewall and Host IPS Firewall. For example, after you disable Host IPS Firewall and enable ENS Firewall, WSC reports the status of ENS Firewall as disabled.
Resolution: This issue is resolved in the ENS 10.6.1 February Update. See the related article for more information.
1237730
10.6.0
10.6.1
Issue: The EndpointSecurityPlatform_Errors.log logs a message similar to the following when trying to update the reputation of a process that's already terminated:
mfeatp(4912.8868) Orchestrator.JCM.Error (jcm_native.cpp:866): Failed to set new reputation for process , result:0xc0300027
Resolution: The log message is moved to the EndpointSecurityPlatform_Debug log in ENS ATP 10.6.1.
1270581
10.6.0
10.6.1
Issue: A blue screen error (bug check 3b) might occur because of failing pool allocations, eventually leading to a NULL pointer de-reference involving mfehidk.sys.
Resolution: This issue is resolved in ENS 10.6.1.
1252046
10.6.1
10.6.1 February Update
Issue: Web Control events on URLs over 4,000 characters long aren't parsed by ePO. Any character after 3,999 is truncated in the event.
Resolution: This issue is resolved in the ENS 10.6.1 February Update.
Issue: In the Mozilla Firefox and Google Chrome browsers, the enforcement message for red- and yellow-rated sites doesn't appear when a red- or yellow-rated site is browsed. A redirection to the mcafee.com site occurs and a page not found error appears.
Resolution: This issue is resolved in ENS 10.6.1. See the related article for more information.
1236546
10.6.0
10.6.1
Issue: The Security Status dialog box sometimes shows ENS modules as not responding.
Issue: The Web Gateway Interlock policy allows ENS Web Control to become disabled on an internal network that's protected by an internet appliance like Web Gateway. After a network change to an external network, ENS Web Control becomes enabled in the browsers. Currently ENS Web Control isn't changing status until the first policy enforcement after the network change.
Resolution: This issue is resolved in ENS 10.6.1. See the related article for more information.
Issue: Installing ENS might fail if the system hasn't rebooted since the last installation of an ENS version.
Workaround: Reboot the system and run the ENS installation again.
Resolution: This issue is resolved in ENS 10.6.1. See the related article for more information.
10.6.0
10.6.1
Issue: You can't log off from of a Google account in Chrome.
Workaround: Use Firefox or Internet Explorer to sign out of a Google account.
Resolution: This issue is resolved in ENS 10.6.1.
1240394
1234679
1230833
10.6.0
Microsoft fix available
Issue: Bug check KMODE_EXCEPTION_NOT_HANDLED (1e) occurs. This issue is typically found on Windows 10 kernels, such as Windows Server 2016, and the process is typically the cluster service clussvc.exe. Disabling Real Protect might resolve the issue. The stack text is similar to the following:
Resolution: Microsoft monthly rollup KB4103720 resolves this issue. For more information, see KB4103720 rollup.
1235170
10.6.0
Exploit Prevention Content 8479
Issue: Microsoft Internet Explorer, Outlook, or Word hangs or crashes when Exploit Prevention is enabled and you open a document from SharePoint or off a network share in the presence of Microsoft Application Virtualization.
Workaround: Perform one of the following workarounds:
Create an Application Protection Rule exclusion for the affected application.
Make Signature 6015 a Repot-only event.
Add an "Illegal API User – Buffer Overflow" signature exclusion for the affected application where the Caller Module is appventsubsystems32.dll, the Signature is 6015, and the API is LoadLibraryW.
Resolution: This issue is resolved in Exploit Prevention Content version update 8479.
Issue: A compatibility issue exists between ACC and ENS that might cause ENS install or upgrades to fail.
Workaround: To make sure that ACC and ENS can coexist on an endpoint, disable the ACC memory protection and script as updater features. See the related article for instructions to disable these features and for direction on how to install or upgrade the ENS and ACC software.
Resolution: This issue is resolved in ACC 8.2.1.435.
1204625
10.6.0
Host IPS 8.0 Update 11
Issue: If the Host IPS feature is enabled, ENS installs or update upgrades fail on about 20% of systems.
Workaround: Disable the IPS feature before the ENS install or upgrade; re-enable the IPS feature after the ENS install or upgrade completes.
Resolution: Use one of the following options:
Upgrade Host IPS to 8.0 Update 11 before the ENS install or upgrade.
CLASSPNP.SYS - Address FFFFF8800217F198 base at FFFFF8800217E000, DateStamp 4ce7929b MER mfeclnk.sys
The issue is seen on Citrix XenApp clients running the Citrix File System Minifilter PVS driver.
Resolution: Upgrade Citrix PVS to version 7.6 or later before you install or upgrade your ENS or VSE installation. See the related article for more information.
1152714
10.6.0
ePO 5.10
Issue: In Queries & Reports, in the Available Columns section, the ATP Properties title shows as Endpoint Security Threat Intelligence Properties. If an extension registers multiple product families with different display names, a random display name is chosen to be used for defining queries. The TIE extension is renamed to the ATP extension. The ATP extension supports both TIE and ATP clients, so it registers multiple product families.
Issue: There are compatibility issues with ENS and Entrust 9.3, including the following:
Performance issues
After installation of ENS on a system with Entrust 9.3, the system won't start after a restart.
Resolution: Contact Entrust to obtain a hotfix and quote Entrust reference number ref:_00D301H7DR._5001412ZkNK:ref. The hotfix is available only through Entrust support. See the related article for more information.
Issue: After you install ENS on a Windows 7 system with Forcepoint (formerly Websense) Data Loss Prevention (DLP) 7.8 installed, a system crash (blue screen error) occurs.
Workaround: Either remove the Forcepoint software or upgrade to Windows 10.
Resolution: We determined that the cause of this issue is the Forcepoint software that uses the QIP.sys driver on Windows 7 systems. Any solution must come from Forcepoint. If you experience this issue, we recommend that you contact Forcepoint Technical Support for assistance. This issue hasn't been reported to occur with newer versions of Forcepoint DLP 8.2. See the related article for more information.
Issue: Installation of ENS fails when Entrust Entelligence 9.2 is installed.
Resolution: Upgrade to Entrust Entelligence 9.3. Installations of ENS are successful with the latest Entrust Entelligence version. See the related article for more information.
1074673
10.6.0
Microsoft KB2487426
Issue:mfewc.exe generates a crash dump during restart.
Resolution: This issue is resolved in Microsoft KB2487426. For more information, see KB2487426 update.
If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.
