Technical Articles ID:
KB82450
Last Modified: 3/23/2020
Environment
McAfee Endpoint Security (ENS) Firewall 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x
For ENS supported environments, see KB82761.
For ENS Adaptive Threat Protection (ATP) known issues, see KB88788.
For ENS known issues applicable in ePolicy Orchestrator Cloud, see KB79063.
Summary
Recent updates to this article
Date
Update
March 23, 2020
Renamed 'Issues resolved in 10.6.1 December 2019 Update and earlier' to 'Issues resolved in 10.5.0 through 10.6.1 February 2020 Update'.
March 5, 2020
Added issues ENSW-96202 and ENSW-96715 to the "Open issues" section. Added issue TSDE-4403 to the "Issues resolved in 10.7.0 through 10.7.0 February 2020 Update" section.
March 3, 2020
Updated issue ENSW-97695 in the "Open issues" section.
February 28, 2020
Added issue ENSW-97695 to the "Open issues" section.
February 27, 2020
Moved issue ENSW-96956 to the "Issues resolved in 10.7.0 through 10.7.0 February 2020 Update" section.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents
Click to expand the section you want to view:
Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.
NOTE: This update has been changed from General Availability (GA) to Released to Support (RTS). The reason is the issue described in KB91642 and is available only by contacting Technical Support.
See the Related Information section below for contact details.
NOTE: This update has been changed from General Availability (GA) to Released to Support (RTS). The reason is the issue described in KB91642 and is available only by contacting Technical Support.
See the Related Information section below for contact details.
Issue: A blue screen error or hang might occur when you install or upgrade a McAfee product with SysCore, and ENS Exploit Prevention is enabled, or Host IPS Exploit Prevention is enabled. The issue is timing-related and does not always occur.
Resolution: This issue is resolved in ENS 10.5.5 and ENS 10.6.1, and is resolved in ENS 10.7.0. A utility, mfeepmpk_utility.exe, is included in the ENS 10.5.5 and ENS 10.6.1 installation packages to resolve the issue with the faulty driver. When you install or upgrade to ENS 10.5.5 or ENS 10.6.1, the utility automatically detects whether the endpoint has the faulty driver. If it does, the utility replaces it to resolve the issue. If a restart is needed, a prompt displays on the endpoint to perform a one-time restart. The restart must occur for the installation or upgrade to continue. When the faulty driver is replaced, future installations and upgrades do not require a restart for this issue. See the related article for more information.
Issue: When you perform a right-click scan on a single file that is on a removable device (for example, a USB key), ENS might scan the whole device instead of only the single file selected.
Resolution: This issue is resolved in ENS 10.7.0 February 2020 Update. See the related article for more information.
Issue: After you upgrade from SCCM 1906 or earlier to SCCM 1910, a Windows 10 in-place upgrade task sequence might hang on a system with ENS installed.
Workaround: You can either revert to using the previously known working version SCCM 1906 or earlier, or try implementing the workarounds in the related article.
Issue: After you install or upgrade to the ENS Threat Prevention 10.7.0 extension, all Medium severity Exploit Prevention signatures change to enable the Block and Report setting within the McAfee Default policy. This function is a change from earlier ENS versions where Medium severity signatures have Block and Report disabled by default. This change can possibly generate false positives in your environment, depending on the signature and coverage details.
Workaround: Use either of the following workarounds:
Modify the ENS Threat Prevention Exploit Prevention policy assigned to the systems and disable the Block and Report setting for Medium severity signatures.
Review the ENS Threat Prevention Exploit Prevention Medium severity events and determine whether a false positive event occurred. If the signature is not applicable to the environment, disable the signature.
Resolution: This issue is resolved in ENS 10.7.0 February 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 December 2019 Update
10.5.5 December 2019 Update
Issue: Windows Security Center (WSC) intermittently reports that ENS is disabled. WSC can prompt to enable Windows Defender.
Resolution: This issue is resolved in ENS 10.5.5 December 2019 Update, ENS 10.6.1 December 2019 Update, and ENS 10.7.0 February 2020 Update. See the related article for more information.
10.7.0 February 2020 Update
10.6.1 December 2019 Update
Issue: McAfee-defined on-demand scans do not run with a standalone installation. But, custom-defined scans run and complete.
Resolution: This issue is resolved in ENS 10.6.1 December 2019 Update and ENS 10.7.0 February 2020 Update. See the related article for more information.
Issue: Network traffic through the SYSTEM process is being allowed by a McAfee core networking rule named "Allow McAfee signed applications". This fact affects SYSTEM-based network traffic, such as NetBIOS and SMB (for example, port 137, 138, and 445). If you created firewall rules to allow or block this type of SYSTEM-based network traffic, they do not apply. The reason is the "Allow McAfee signed applications" firewall rule is processed before any other firewall rules.
Resolution: This issue is resolved in ENS 10.7.0 February 2020 Update. See the related article for more information.
Issue: Blocking the protocols SSL v3 and TLS 1.0 leads to AMCore crashes.
Resolution: This issue is resolved in ENS 10.7.0. See the related article for more information.
1237915
10.6.0
10.7.0
Issue: Triggering the Threat Prevention Access Protection rule "Executing Windows Subsystem for Linux" references IDS_AP_RULE_PREVENT_WSL_EXECUTEION:IDS_BLADE_NAME_SPB when describing the violated rule.IDS_AP_RULE_PREVENT_WSL_EXECUTEION:IDS_BLADE_NAME_SPB is a reference for the Access Protection rule "Executing Windows Subsystem for Linux".
Resolution: This issue is resolved in ENS 10.7.0. With ENS 10.7.0, IDS_AP_RULE_PREVENT_WSL_EXECUTEION:IDS_BLADE_NAME_SPB is translated to the Access Protection rule "Executing Windows Subsystem for Linux".
1234300
10.5.3
10.7.0
Issue: When viewing the ENS Threat Prevention Exploit Prevention policy, the Signatures table includes an Action to Export Table. When exporting the signatures list to any file formats, the Status and Type columns are blank.
Resolution: This issue is resolved in ENS 10.7.0. With ENS 10.7.0, the Export Table function for Exploit Prevention signatures correctly exports the data in the Status and Type columns.
Issue: The ENS Web Control extension is not installed and can't be enabled in the Edge browser after an in-place upgrade of Windows.
Workaround: Enable the ENS Web Control extension in Edge as follows.
Close Edge.
Go to the following location:
32-bit:C:\Program Files\McAfee\Endpoint Security\Web Control
64-bit: C:\Program Files (x86)\McAfee\Endpoint Security\Web Control
Open the file McAfeeWebControl.appx. An installation prompt appears.
Follow the prompt and install the app package.
Close the prompt.
Open Edge. An Enable WC Extension prompt appears.
Click Enable.
1254789
10.6.1
Issue: The Edge extension does not load on Microsoft Windows 10 Fall Creators Update and Windows 10 Creators Update even though the extension is licensed. A license issue reported by Microsoft causes this issue. McAfee is working with Microsoft on this issue.
NOTE: The Edge extension is not supported on Windows 10 Anniversary Update. The reason is because the native messaging that is needed to communicate between the extension and the Win32 process was introduced in Windows 10 Fall Creators Update.
Workaround: The Edge extension is supported only on Windows 10 April 2018 Update and later.
10.6.1
Issue: There is no group policy exposed to allow the ENS Web Control extension to use the InPrivate mode of the Edge browser.
Workaround: Manually allow the extension in InPrivate mode.
ENSW-13888
10.6.1
Issue: The ENS Web Control toolbar icon does not show the correct color depending on the rating of the website while switching between tabs. This issue occurs intermittently.
10.6.1
Issue: On Windows 10 April 2018 Update, users can disable the Edge extension and bypass ENS Web Control protection.
Workaround: Windows 10 October 2018 Update provides a group policy (Prevent turning off required extensions) to harden the Edge extension. To make sure that users can't disable the Edge extension, add the ENS Web Control extension PFN to the group policy Prevent turning off required extensions. The ENS Web Control extension PFN is the following and can be fetched from the Dev Center portal: 5A894077.McAfeeEndpointSecurityWebControl_wafk5atnkzcwy. For detailed instructions to enable this group policy, see https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies#prevent-turning-off-required-extensions.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: Network card initialization is delayed. This issue causes short-term network connectivity issues such as lack of network connectivity and disconnected mapped drives. See the related article for more information.
Workaround 1: Disable the NDIS driver. This change might impact some Firewall-related functionality. Run the following from a command prompt started as an administrator:
netcfg /v /u mfe_ndisfilt
Workaround 2: Install the ENS Firewall module.
NOTE: The Firewall module does not need to be enabled.
ENSW-97123
10.7.0 February 2020 Update
Issue: When you upgrade from ENS 10.5.5 (with Web Control version 10.5.5.5221) to ENS 10.7.0 February 2020 Update, applications that have wcHook.dll loaded might crash during the upgrade.
Workaround: To work around the issue:
Download and run Microsoft Process Explorer.
Click Find.
Select Find handle or DLL.
Enter wcHook.dll and click Search.
Close any application that has wcHook.dll loaded.
Continue with the upgrade from ENS 10.5.5 to ENS 10.7.0 February 2020 Update.
ENSW-96726
10.7.0 February 2020 Update
Issue: The ENS debug log might contain the following error during agent policy enforcement. Despite this error, the on-demand scan policies are applied properly.
Issue: If a custom path is configured for Client logging, the ENS Product Logs folder might still exist after ENS is uninstalled.
ENSW-96724
10.7.0 February 2020 Update
Issue: The Limit maximum CPU usage option remains grayed out when Scan anytime is selected in the ePolicy Orchestrator extension.
ENSW-96670
10.7.0 February 2020 Update
Issue: mctray.exe might terminate unexpectedly when you update content via the V3 DAT exe.
Workaround: Run the V3 DAT exe again to restart mctray.exe.
ENSW-96274
10.7.0 February 2020 Update
Issue: In rare scenarios, the Threat Prevention policy changes might not be enforced on the client after the first agent-to-server communication.
Workaround: Settings get applied at the next agent-to-server communication of policy enforcement.
ENSW-29499
10.7.0 February 2020 Update
Issue: When you deploy McAfee Agent using the self-agent deployment URL, if the Browsers launching files from the Downloaded Program Files folder Threat Prevention Access Protection rule is set to Report, the Target Signed field in the resulting Access Protection event for McAfeeSmartInstall.exe is set to No.
ENSW-27455
10.7.0 February 2020 Update
Issue: You might see Security Audit Failure messages in Event Viewer for amcfg.exe. There is no functional impact to ENS.
10.7.0 February 2020 Update
10.6.1 February 2020 Update
Issue: When you upgrade to ENS 10.6.1 February 2020 Update or 10.7.0 February 2020 Update and a Standard User tries to change the ENS settings within the ENS Client, a pop-up message for administrator credentials displays. Even after you enter correct credentials, the changes can't be saved.
Workaround: Log on to the client system as an administrator to make any changes. See the related article for more information.
Issue: Upgrading to the ENS 10.7 extension results in the default ENS deployment task losing the ENS modules and repository branch information.
Workaround: To deploy the ENS modules, create a McAfee Agent deployment task. See the related article for more information.
ENSW-29514
10.7.0
Issue: ENS upgrades use the cached ENS MSI databases. If you have deleted the cached ENS MSI databases from the C:\Windows\installer directory, ENS upgrades fail.
Workaround:
To prevent this issue from occurring, do not upgrade ENS. Instead, uninstall the current version of ENS and then install the new version of ENS.
If you have already encountered an upgrade failure, use the Endpoint Product Removal (EPR) tool to remove ENS and clean up the system. Then, install the new version of ENS. For more information about the EPR tool, see KB90895.
Issue: When you install ENS 10.7.0 using the standalone installer, and supply the verbose logging switch (for example, "setupEP.exe ADDLOCAL="tp,atp,fw" /l*v"C:\temp\"), the ENS installer does not write anything to the logs, does not install, and almost immediately exits.
Workaround: To allow the successful installation of ENS using the standalone installer, remove the verbose logging switch from the command-line argument passed to the standalone installer. See the related article for more information.
Issue: When Windows Defender has content older than 1.295.49.0, it might generate a false-positive on one or more ENS installation files. As a result, the installation or upgrade of ENS fails or only partially succeeds.
Workaround: Before the install or upgrade of ENS, make sure that Windows Defender content is current or that Windows Defender is disabled.
Resolution: After you update the Windows Defender content or disable Windows Defender, the next attempt to install or upgrade ENS might succeed. If not, the failed installation might require removal first. See the related article for more information.
ENSW-29097
10.7.0
Issue: A blue screen error (system crash) might occur when you try to upgrade to ENS 10.7 on Windows 10 Version 1709 (Fall Creators Update) and earlier.
Workaround: This issue is an operating system issue that Microsoft resolved in Windows 10 Version 1803 (April 2018 Update) and later. Before you upgrade to ENS 10.7, upgrade to Windows 10 Version 1803 (April 2018 Update) or later.
ENSW-28427
10.7.0
Issue: When you upgrade from VirusScan Enterprise (VSE) 8.8 Patch 9 (and earlier) to ENS 10.7, VSE remnants might be left behind.
Workaround: The following workarounds are available:
Uninstall VSE before you install ENS 10.7.
Upgrade VSE to 8.8 Patch 10 (or later) and then upgrade to ENS 10.7.
ENSW-28315
10.7.0
Issue: When you upgrade from Windows Server 2008 R2 to Windows Server 2019, the option to retain apps and data is disabled.
Workaround: Upgrade the operating system from Windows Server 2008 R2 to Windows Server 2019 before installing ENS.
ENSW-28558
10.6.1 October Update
Issue: In an environment that uses Microsoft System Center Configuration Manager (SCCM), installation or upgrade of the Web Control module might fail.
ENSW-28517
10.7.0
10.6.1 October Update
10.5.5 October Update
Issue: After you upgrade from ENS 10.5.5/10.6.1 July Update to ENS 10.5.5/10.6.1 October Update or ENS 10.7, the mctray.exe process might become unresponsive.
Workaround: To resolve the issue, restart the system.
ENSW-96202
10.6.1 July Update
Issue: Symantec DAgent (Altiris) fails to establish a connection to its engine when ENS Threat Prevention AMSI is enabled. This issue occurs only on Windows 10 version 1903 (and later) clients.
Issue: An Exploit Prevention alert is triggered even if it is disabled after importing ENS settings with the ESConfig tool.
Workaround: Reboot the operating system after importing ENS settings with the ESConfig tool. After the reboot, Exploit Prevention alerts are not triggered if they are disabled. See the related article for more information.
Issue: Exploit Prevention is disabled and signature ID 344 is disabled. But, the following event for signature ID 344 gets generated. See the related article for more information.
Issue: The application mfetp.exe crashes at module MSVCR100.dll.
Workaround: If an Exploit Prevention application protection rule is configured with over 50 executables, mfetp.exe crashes. Modify the Exploit Prevention application protection rule so that it has a maximum of 50 executables.See the related article for more information.
Issue: Issues can occur in Microsoft Excel when the add-in option "Solver" is enabled. Excel might crash, fail to load, or fail to apply the Solver add-in as expected in a cell.
Workaround: ENS Web Control is not currently compatible with the Excel Solver add-in. To use the Solver add-in, you must uninstall ENS Web Control from the system. See the related article for more information.
Issue: ENS for Windows does not support the Microsoft Windows Subsystem for Linux (WSL) feature. There are known compatibility issues with ENS and WSL.
Resolution: McAfee is investigating adding support for WSL for future ENS releases. See the related article for more information.
Issue: ENS for Windows does not support Windows dockers.
Resolution: McAfee is investigating making ENS for Windows compatible with containers for future ENS releases. See the related article for more information.
1238699
10.6.0
Issue: The Firewall Rule policy hangs in ePolicy Orchestrator 5.10 when a non-administrator user submits a policy for approval.
1238665
10.6.0
Issue: Threat Prevention Exploit Prevention exclusions with "Allow any signature" incorrectly match processes that have no signature. "Allow any signature" must only match if the process is signed.
1238526
10.6.0
Issue: If the ePolicy Orchestrator administrator selects an Exploit Prevention event with ID 18056 in the Exploit Prevention Events log, and chooses Action, Add Exclusion, the resulting exclusion does not work. (Event ID 18056 indicates Buffer Overflow detected and blocked (DEP).)
Workaround: The following workaround disables all ENS Buffer Overflow and Illegal API Use protection for the associated process.
Edit the added exclusion in the associated Exploit Prevention policy.
Remove the signature ID (9990) from the exclusion.
Save the exclusion and policy.
1238510
10.6.0
Issue: When you create a Buffer Overflow exclusion where the Signature ID or API is specified and the exclusion is based on an Exploit Prevention event, signer SDN matching does not work.
Workaround: Reverse the order of the SDN element provided by the event. For example, if the threat event details specify the SDN as:
O=MCAFEE, OU=ENGINEERING, CN=TEST
Reverse the SDN order to:
CN=TEST, OU=ENGINEERING, O=MCAFEE
1235491
10.6.0
Issue: For Antimalware Scan Interface (AMSI) file detections, where the First Action is Delete and the delete fails, the detection event incorrectly shows the Second Attempted Action as Not Available.
No workaround is needed. The Second Attempted Action is Block and correctly blocks the activity.
Issue: ENS Firewall 10.5.5/10.6.1 July Update blocks ENS ATP (mfeatp.exe) network communication. The ENS FirewallEventMonitor.log shows the following. See the related article for more information.
Time: 07/12/2019 04:00:29 PM
Event: Traffic
IP Address: ###.###.###.###
Description: MCAFEE ADAPTIVE THREAT PROTECTION SERVICE
Issue: ENS does not honor the option Use system proxy settings for proxy settings on Windows Server Core. This fact results in the following issues:
Global Threat Intelligence (GTI) and TrustedSource connectivity do not work if the network traffic has to go through the proxy.
Detections that depend on GTI and TrustedSource are not detected.
AMCore and Exploit Prevention content updates do not work on an unmanaged client.
Workaround: Explicitly set the proxy server. See the related article for more information.
1254885
10.5.5
Issue: The McAfee Endpoint Security link does not open from the Virus & threat protectionsection of Windows Defender Security Center after you upgrade to ENS 10.5.5 from an older version.
Issue: After you uninstall the ENS Firewall module, all incoming traffic to the client is blocked.
Workaround: To prevent the issue, disable the ENS Firewall before you uninstall the module. In your assigned ENS Firewall Options policy, deselect the option Enable Firewall. If you are uninstalling the ENS Firewall module locally, disable ENS Firewall through the ENS Console. On clients that are already affected, reinstall ENS Firewall, disable ENS Firewall through your assigned policy, and uninstall the ENS Firewall module. See the related article for more information.
1215521
10.5.3
Issue: An upgrade to ENS Firewall 10.5.3 hangs.
Workaround: Perform the relevant option below:
For an ePolicy Orchestrator (ePO) managed environment: Create an ePO deployment task for the upgrade, and specify the following command-line parameter in the Command line text field:
-nopreservesettings
The parameter skips preserving settings during the upgrade and installs with the default policy. The client gets the customized policy in the next policy enforcement interval.
For a standalone environment: Do not select the Preserve Settings checkbox in the installation wizard during the upgrade.
1213517
10.5.3
Issue: Communication is blocked for Microsoft Edge with Application Guard when you use ENS Firewall.
Workaround: Create a firewall rule with the following criteria: Allow Inbound TCP/IPv4 and TCP/IPv6, Local Ports 80 and 443 (or just the proxy port, when appropriate), Remote Ports 49700–65535, Virtual Media. McAfee is investigating whether further qualifying criteria can be set for this rule to avoid the issue. This article is updated if new information becomes available.
NOTE: This rule also matches for VPN adapters. VPN traffic matching is disrupted.
1212361
10.5.3
Issue: After installation the ENS Web Control module reports as "Not started" in the ENS console.
Issue: A compatibility issue exists between McAfee Application and Change Control (MACC) and ENS that might cause ENS install or upgrades to fail.
Workaround: To make sure that MACC and ENS can coexist on an endpoint, disable the MACC memory protection and script as updater features. See the related article for instructions to disable these features and for direction on how to install or upgrade the ENS and MACC software.
Issue: When an ENS Firewall rule is created using the Range option with either a single IP address or an IP subnet, the ENS Firewall Client Console displays an incorrect Address Type (for example, Subnet). See the related article for more information.
1155117
10.5.0
Issue: You can't create a Threat Prevention Access Protection user-defined rule (also called custom rule) to include or exclude files that have no extension. ENS does not allow the administrator to distinguish between a file or folder when creating Threat Prevention Access Protection custom rules. This fact prevents the creation of custom rules that include or exclude files that have no extension.
1147465
10.5.0
Issue: There is no option to set a warn action for a website rated with a specific Web Category present in the Content Actions policy. (A warn action to display a warning page to the user to either continue or cancel the navigation of a website.)Only allow or block actions are available to configure for any website rated with a specific Web Category.
1106888
10.5.0
Issue: Exclusions are not added to allow System Information Reporter 1.0 to work properly when the SIR Set Registry policy is changed.
Issue: ENS Web Control reports in ePolicy Orchestrator can show a functional status for ENS Web Control in Chrome, Firefox, and Internet Explorer, and show in the report as True, Indeterminate, or False. But, on some systems the computer can incorrectly report back a functional status of False.
Workaround: Use the ENS Web Control property enabled. See the related article for more information.
Issue: The ENS installation fails. The Common BootStrapper log shows the following error:
[BootstrapperMain] RunCommandLine: Process return code : 4294967295
[BootstrapperMain] !> Error - Could not run command to uninstall vscore helper util: -1
[BootstrapperMain] VSCore uninstall helper failed. Returning!!
Resolution: This behavior is as designed. The ENS installation and product functionality work whenminRSAPubKeyBitLength is set to the default value of 1024 bits. If you have overridden the default value, review and determine whether there is a compelling reason for the adjusted value. See the related article for more information.
1254844
10.6.1
Will Not Fix
Issue: ENS Web Control block pages are not displayed in iFrames in the Edge browser for Red and Yellow URLs directly in the iFrame page. When opening the page in a new window, a partial ENS Web Control block page appears.
Resolution: This issue will not be resolved.
1253322
10.6.1
Will Not Fix
Issue: The ENS Web Control Enforcement Messaging messages are truncated for Polish and Russian in the ePolicy Orchestrator policy.
Resolution: This issue will not be resolved.
1259082
10.6.0
As Designed
Issue: Upgrading the ENS 10.5.5 extension to 10.6.0 is not supported. The upgrade fails with the following error:
Unable to install extension. Upgrade from version 10.5.5.5033 is not supported.
Resolution: Upgrade to ENS 10.6.1 instead. This behavior is as designed. ENS 10.5.5 has a new feature "Client UI lock out" that is not available in ENS 10.6.0. Allowing the upgrade would cause deprecation of this feature. So, ENS blocks this upgrade.
10.6.0
As Designed
Issue: When using the Help feature (clicking the "?" question mark) in the ePolicy Orchestrator console, a web browser page opens to https://docs.mcafee.com/, instead of a contextual page of product information.
Resolution: This behavior is as designed with the Help feature starting with ENS 10.6.0. It will be the functionality for all future versions.
1263066
1239337
10.6.0
Will Not Fix
Issue: If you use the Mozilla Firefox, Google Chrome, or Microsoft Edge browser, ENS Web Control email annotation banners do not appear when malicious URLs are present in the body of the email.
Resolution: This issue will not be resolved. To see ENS Web Control email annotation banners when malicious URLs are present in the body of an email, use the browser Microsoft Internet Explorer.
Issue: On rare occasions, in the presence of Adaptive Threat Protection, an ENS upgrade from 10.5.0 (and later) to 10.6.0 fails, thus causing the system to enter a non-protective state. The following symptoms are observed when the issue occurs:
The content update fails continuously and the product properties of the system show the old AMCore that was updated last.
Threat Prevention and Adaptive Threat Protection show the previous versions whereas Endpoint Security Platform shows 10.6.0 in the product properties for the respective endpoint.
The Endpoint Security Console shows Threat Prevention and Adaptive Threat Protection in a "Not Started" state. The Threat Prevention and Adaptive Threat Protection version information is not displayed in the About dialog box.
The mfetp, mfeatp, and mcshield processes stop running on the endpoint.
EICAR or any malware detection fails on the endpoint.
Resolution: To resolve the issue, McAfee has released a tool that can be deployed using ePolicy Orchestrator. See the related article for more information.
1233664
10.6.0
As Designed
Issue: ENS Web Control does not allow a clean file to download from a malicious URL based on reputation, if McAfee Client Proxy is in redirection mode.
Resolution: This behavior is as designed. The file is not downloaded because of a double enforcement by ENS Web Control and McAfee Client Proxy. The recommendation is to enable the setting Disable if McAfee Client Proxy is detected in the ENS Web Control Options policy.
1228925
10.6.0
As Designed
Issue: ENS installation might fail on a system with older update levels of Host Intrusion Prevention 8.0.
Resolution: This behavior is as designed. Upgrade Host Intrusion Prevention 8.0 to one of the following:
Host Intrusion Prevention 8.0 Update 11
February 2018 content release 8231 (or later) if using Host Intrusion Prevention 8.0 Update 7 or earlier
March 2018 content release 8274 (or later) if using Host Intrusion Prevention 8.0 Update 8 through 10
Issue: If you install ENS Web Control on a system with Application and Change Control 8.1.0.118.1 present, the Google Chrome Endpoint Security Web Control Extension is disabled. (It is grayed out.) So, no sites are blocked and no ratings are shown.
Resolution: This issue will not be resolved. See the related article for instructions to prevent the issue from occurring before installing ENS Web Control. Or, to resolve the issue if you have already installed ENS Web Control and have experienced the issue.
Issue: If the ENS Web Control iFrames support feature blocks a site, adding the site to the ENS Web Control Allow List does not allow access to the site.
Resolution: This behavior is as designed. See the related article for more information. Use any of the following options to allow access to sites that the iFrames support feature blocks:
Add the IP address of the web server to the Exclusions list in the ENS Web Control Options policy.
Change the action specified for sites that are rated as Yellow and Unrated to Allow in the ENS Web Content Actions policy. Sites that are rated as Yellow and Unrated are blocked if the action specified for these sites is set to Warn and they appear in an HTML iFrame.
Disable the option Enable HTML iFrames support in the ENS Web Control Options policy.
1232358
10.5.3
Unable to reproduce
Issue: Access Protection rules for the Threat Prevention module are not visible in the ePolicy Orchestrator console. An export of the policy (to XML) reveals that the value assigned to "APRules.dwAPRuleBlocks" does not match the actual number of rules.
Workaround: Delete the corrupt policy, and create a new policy. Currently the cause of the corruption is unknown.
1229445
10.5.3
Crowdstrike hotfix is available
Issue: A system crash (blue screen error) occurs in mfencbdc.sys when installing ENS with the third-party software Crowdstrike present on the system.
Resolution: A hotfix is available from Crowdstrike to resolve the issue.
1216519
10.5.3
Will Not Fix
Issue: After installation, the ENS Web Control module is not reporting to ePolicy Orchestrator.
Resolution: This issue will not be resolved. To fix the issue, restart the system.
1215828
10.5.3
Will Not Fix
Issue: Microsoft Data Execution Prevention (DEP) integration is working, but events are not reported for buffer overflow attacks with standalone installations.
Resolution: This issue will not be resolved. DEP event reporting works as expected with ePolicy Orchestrator.
1215800
10.5.3
As Designed
Issue: An upgrade of the ENS 10.5.3 Firewall, Threat Prevention, or Web Control modules through an ePolicy Orchestrator (ePO) deployment task from RTS to GA does not automatically upgrade the Host Common module. The Host Common module stays at the RTS version unless explicitly included in the ePO deployment task.
Resolution: This behavior is as designed. Add the Host Common module to the ePO deployment task when upgrading from ENS 10.5.3 RTS to ENS 10.5.3 GA.
1215784
10.5.3
As Designed
Issue: An upgrade fails from VirusScan Enterprise 8.8 Update 4 + Host Intrusion Prevention 8.0 Update 4 + SiteAdvisor Enterprise 3.5 Update 2 to ENS 10.5.3.
Resolution: This behavior is as designed. Update the Host Intrusion Prevention content before the upgrade to avoid this issue.
Issue: On Windows Server operating systems, web protection is not blocking malicious sites in Internet Explorer 11.
Resolution: This behavior is as designed. On Windows Server operating systems, the Internet Explorer browser setting "Enable third-party browser extensions" is disabled by default. ENS Web Control requires this option to be enabled. For instructions to enable this option, see the related articles.
1214616
10.5.3
As Designed
Issue: In an ePolicy Orchestrator (ePO) deployment, the ENS installation is interrupted leaving only the Platform installed.
Cause: Another application restarts the system after the Platform installation. Because of the restart, the McAfee Agent deployment task is abruptly closed, which can cause ePO to not receive any response and then time out.
Resolution: This behavior is as designed. Send another deployment task to the systems with this issue. The ENS installation succeeds.
1209000
10.5.3
As Designed
Issue: Access Protection File execute and Process run subrules and operations are not working.
Resolution: This behavior is as designed. The service "McAfee Validation Trust Protection Service" allows trusted applications to function when needed. This service mitigates the risk of creating a rule accidentally that might potentially prevent an essential process from running, and even impact the normal behavior of the operating system. The validation is applied only to some specific rules that are trusted from McAfee and Microsoft. The validation is applied by default to all rules when created using the Access Protection user interface. But, the validation is not applied by default for expert rules for Exploit Prevention.
10.5.2
As Designed
Issue: Running the migration tool more than once can cause policies to be overwritten and appear to revert.
Resolution: This behavior is as designed. The policy migration task is intended to be run only once and from that point not run again in the environment.
Issue: After you install an ENS update or hotfix that upgrades AMCore, the AMCore scanner fails to initialize. On-Access Scanning and On-Demand Scanning do not work if the AMCore scanner does not initialize.
Resolution: This behavior is as designed. Anytime an ENS update or hotfix upgrades AMCore, it is mandatory to update to current AMContent for the AMCore scanner to initialize. See the related article for more information.
Issue: After installation of ENS 10.5.1 Hotfix 2, the following issues can occur:
The AMCore content version is reported as .5. After the hotfix installation, a content update will run and download new content.
If the ENS 10.5.1 and ENS 10.5.1 Hotfix 2 packages are in the same branch of the Master Repository, the ENS 10.5.1 package is downloaded to the end node at each McAfee Agent agent-server communication interval (ASCI).
Resolution: This behavior is as designed. The new version of AMCore with ENS 10.5.1 Hotfix 2 requires AMContent 3004 or higher (released June 7, 2017). Also, ENS 10.5.1 and ENS 10.5.1 Hotfix 2 can't be in the same branch of the ePolicy Orchestrator Master Repository. See the related article for more information.
Issue: An upgrade from ENS 10.5.0 to ENS 10.5.1 fails if ENS 10.5.1 Hotfix 1 or Hotfix 2 is in the same branch of the ePolicy Orchestrator Master Repository.
Resolution: This behavior is as designed. ENS 10.5.1 and ENS 10.5.1 Hotfix 1 or Hotfix 2 can't be in the same branch of the ePolicy Orchestrator Master Repository. See the related article for more information.
1226114
10.5.1
Unable to reproduce
Issue: ENS Web Control site ratings do not appear on the second page of results when using Internet Explorer 11 and the Bing search engine with the region set to English United States.
Workaround: Refresh the page and the site ratings appear.
1201666
10.5.1
As Designed
Issue: A Potentially Unwanted Program exclusion by detection name is not applied to detections through the scan email attachments feature.
Resolution: This behavior is as designed. Disable the scan email attachments feature if you see too many detections.
1185352
10.5.1
Will Not Fix
Issue: If McAfee Client Proxy is uninstalled and reinstalled on a system with ENS 10.5.1, and "Disable if McAfee Client Proxy is detected" is enabled in the ENS Web Control Options policy, that setting is not honored unless it is disabled and re-enabled.
Resolution: This issue will not be resolved. Disable "Disable if McAfee Client Proxy is detected" in the ENS Web Control Options policy, and check the new policies. Then, re-enable "Disable if McAfee Client Proxy is detected" in the ENS Web Control Options policy, and again check the new policies.
1183560
10.5.1
Will Not Fix
Issue: The RESTORE operation for registry-related Access Protection subrules is not working as expected when it is the only operation enabled on the Access Protection subrule.
Resolution: This issue will not be resolved. Enable REPLACE, DELETE, and WRITE operations with the RESTORE operation when defining a Registry Key or Registry Value Access Protection subrules.
1180078
10.5.1
Will Not Fix
Issue: If the user selects more than 1000 files and performs a right-click on-demand scan on the selection, only 1000 of the files are scanned.
Resolution: This issue will not be resolved. When performing a right-click on-demand scan of more than 1000 items, select the parent folder instead of the files in it.
1175803
10.5.1
As Designed
Issue: The "AMCore Content Compliance Days" property stays empty in all situations, for both Compliant and Noncompliant content.
Resolution: This behavior is as designed. The "AMCore Content Date" property was added to Queries, making the "AMCore Content Compliance Days" property obsolete.
1173540
10.5.1
Will Not Fix
Issue: The following migration issues occur when the ENS Firewall extension is not installed:
Manual migration does not allow you to migrate VirusScan Enterprise Access Protection and Buffer Overflow Protection policies, and Host Intrusion Prevention IPS policies, to ENS Threat Prevention policies.
Auto migration does not migrate trusted applications for IPS to the Access Protection policy as global exclusions.
The policy naming convention is different. The policy is named "Migrated VSE Policy-n" rather than "Merged Policy -n".
Resolution: This issue will not be resolved. Install the ENS Firewall extension even though you do not use the Host Intrusion Prevention firewall features.
1184610
10.5.0
Will Not Fix
Issue: Services protection does not block some services from starting. This issue has been reported with the Security Center Service and Bluetooth Support Service.
Issue: Installation of ENS fails. The installation logs contain error code 0x80096005, -2146869243, or both.
Cause: The required trusted root certificates were not added during installation.
Resolution: This behavior is as designed. Address the issue preventing the automatic update of root certificates, or import the required root certificates. See the related article for more information.
1167969
10.5.0
As Designed
Issue: Services protection has the following limitations (that also exist in Host Intrusion Prevention):
User and executable parameters are not distinguished; although they are available in the UI, they are not valid parameters.
Services protection is valid up to Windows 8.0; later releases are not supported.
The enable or disable hardware profile operation is not supported.
Resolution: This behavior is as designed.
1165257
10.5.0
As Designed
Issue: A user can continue to change settings after a time-based password has expired if the console to the settings is still open before the password expires. The next policy enforcement will override the changed settings.
Resolution: This behavior is as designed.
1163884
10.5.0
As Designed
Issue: After you disable firewall timed groups, time ticking is paused when the firewall is disabled, and starts from the point in time when the firewall is re-enabled. Even though timed groups are enabled, they are not functional because the firewall is disabled.
Resolution: This behavior is as designed. When the firewall is re-enabled, re-enable the timed group and change its running time in the policy. To stop the timed group, use the Disable Firewall Timed Group option in the McTray Quick Settings.
Issue: When ENS Web Control is installed on an operating system that has Internet Explorer with the Enhanced Protected Mode setting enabled, it fails to block malicious sites and file downloads. ENS Web Control is not compatible with Internet Explorer Enhanced Protected Mode.
Resolution: This issue will not be resolved. See the related article for instructions to disable Enable Enhanced Protected Mode in Internet Explorer.
1157387
10.5.0
As Designed
Issue: You install ENS, enable Disable if McAfee Client Proxy is detected in the Options policy of ENS Web Control, enforce the policy, and then install McAfee Client Proxy. But, ENS Web Control is not disabled immediately after the installation of McAfee Client Proxy.
Resolution: This behavior is as designed. Use either of the following workarounds:
Wait for about five (5) minutes, and ENS Web Control is disabled.
Change any ENS Web Control policy and enforce the new policy, and ENS Web Control is disabled.
1154452
10.5.0
Will Not Fix
Issue: When you select a sub System Tree ENS migration, select some groups, click Actions, choose columns, and save, the selection of groups is reset.
Resolution: This issue will not be resolved.
1151514
10.5.0
Will Not Fix
Issue: Block and Report settings of the Exploit Prevention policy are not set when the Host Intrusion Prevention Rules Policy is not edited, but the IPS Protection policy is changed. When the Host Intrusion Prevention Rules Policy is not edited, but the IPS Protection policy is changed with the Reaction as either Log or Ignore, the Migration Assistant does not migrate Host Intrusion Prevention Rules. The ENS settings are set to the default behavior.
Resolution: This issue will not be resolved. This issue is an unlikely scenario where the Host Intrusion Prevention Rules policy is not edited and the dependent IPS Protection policy is changed to a lower Reaction for high severity signatures. Even though this configuration would have been made by mistake, ENS defaults to correct the behavior with setting the Block setting.
1077660
10.5.0
Will Not Fix
Issue: If a McAfee Agent update task is configured to show the update progress window, and the user is allowed to postpone the task, the "Update in Progress" window might appear for a short time. It appears even though the update is not actually occurring. If the user postpones the task, an "Update finished" window might appear, even though the update did not occur.
Issue: A scan exclusion configured for multiple mount points does not work.
Workaround: Configure the scan exclusion with the full path for the mount point. If you experience this issue, contact Technical Support. See the related article for more information.
1163246
10.5.0
Will Not Fix
Issue: McAfee Agent 5.0.2.132 does not upload the ENS 10.x events.
Resolution: This issue will not be resolved. Use McAfee Agent 5.0.2.333 or later.
1144915
10.5.0
Will Not Fix
Issue: After all ENS modules are uninstalled, the Common module (Endpoint Security Platform) uninstallation is automatically started. Sometimes the user interface for this uninstallation is minimized, which can make it harder for a user to tell when this uninstallation is occurring.
Cause: The Endpoint Security Platform is a support module that is needed for the ENS protection modules to function. When all other modules are uninstalled, the Endpoint Security Platform module is automatically removed. But, Windows sometimes starts this process in a minimized mode or show the window behind the other windows on the screen. If the user does not know that this uninstallation is happening, they could inadvertently restart the system in the middle of that uninstallation.
Resolution: This issue will not be resolved. Before you uninstall ENS products, make sure that any current work is saved, and close running desktop programs. The user can likely see that the Endpoint Security Platform uninstallation is occurring.
1148403
10.5.0
Will Not Fix
Issue: If you upgrade the Threat Prevention extension version, the ENS client UI might fail to display Exploit Prevention exclusions, indicate erroneous validation errors, and generate errors in EndpointSecurityPlatform_Errors.log such as the following:
Failed to retrieve GPEP setting for Exploit Prevention.
Failed to enforce Exploit Prevention policies.
Resolution: This issue will not be resolved. Edit and save the assigned Exploit Prevention policy, and send an agent wake-up call to the affected systems.
Issue: On Windows 7, user roaming profiles are not saved to a network share on user logoff.
Workaround: Create an exclusion in Threat Prevention to not scan the roaming profile folders on the server. See the related article for more information. Currently a root cause can't be found on Windows 7. If you experience the issue with Windows 8 or Windows 10, collect the information described in the related article and provide the results to Technical Support.
1137118
10.5.0
Will Not Fix
Issue: During upgrade from a previous version of ENS, when Save my settings if upgrading is deselected, the user provided Access Protection exclusions remain on the system.
Resolution: This issue will not be resolved. Remove unwanted Access Protection exclusions; use the ENS Console before the upgrade to the latest version of ENS.
1137117
10.5.0
Will Not Fix
Issue: During upgrade from a previous version of ENS, when Save my settings if upgrading is deselected, the user provided Exploit Prevention exclusions partially remain on the system.
Resolution: This issue will not be resolved. Remove unwanted Exploit Prevention exclusions; use the ENS Console before the upgrade to the latest version of ENS.
1134953
10.5.0
Will Not Fix
Issue: If you use Firefox, when ENS Web Control blocks the download of a malicious file, a zero-byte file is left in the folder in which the file was being downloaded.
Resolution: This issue will not be resolved. Use a different browser, such as Internet Explorer or Chrome.
1132923
10.5.0
As Designed
Issue: When you select the IPS Rules policy for migration, the IPS Protection policy category lists all policies from the Policy Catalog including McAfee defined and unmodified My Default policies.
Resolution: This behavior is as designed.
1132406
10.5.0
Will Not Fix
Issue: SiteAdvisor Enterprise policies named Typical Corporate Environment are not migrated in a manual migration or one-to-one auto migration. Typical Corporate Environment is a default policy name for a few products that are not migrated. The Migration Assistant does not migrate policies with this name for any products.
Resolution: This issue will not be resolved. Rename the SiteAdvisor Enterprise policy from Typical Corporate Environment to any other name and then perform the migration.
1132404
10.5.0
Will Not Fix
Issue: Manual migration is allowed to continue when only the IPS protection policy is selected.
Resolution: This issue will not be resolved.
1132212
10.5.0
Will Not Fix
Issue: Auto-migrated Threat Prevention Access Protection and XP policies do not include the IPS Protection policy in their notes section.
Resolution: This issue will not be resolved.
1131595
10.5.0
Will Not Fix
Issue: Executable notes from Host Intrusion Prevention Exceptions do not migrate to the Exploit Prevention executable notes section.
Resolution: This issue will not be resolved.
1129727
10.5.0
Will Not Fix
Issue: If a Host Intrusion Prevention file, reg, or program rule exception contains multiple parameter types, such as user name and executable, the exception applies when all parameters are true. After migration to an ENS Access Protection rule, the exception applies when any of the parameters are true.
Resolution: This issue will not be resolved. In ENS, create one rule per parameter type.
1127732
10.5.0
As Designed
Issue: The TIE client sends only TIER 1 requests for known trusted files signed by a certificate.
Resolution: This behavior is as designed.
1120973
10.5.0
As Designed
Issue: When you perform a Secure Search from the search bar, it does not automatically use the configured Secure Search engine.
Resolution: This behavior is as designed. Manually set McAfee Secure Search as the default search provider.
1110634
10.5.0
As Designed
Issue: When a deployment task for ENS fails because of an insufficient version of McAfee Agent, the McAfee Agent Monitor displays a message that says the task is successful.
Resolution: This behavior is as designed. Ending the deployment process during the prerequisite software check is not considered a failure state by McAfee Agent. The deployment does not continue to the download phase. As far as McAfee Agent is concerned, the task itself was successful in running, even though it ended prematurely. This behavior is different from when the deployment fails while running the installation program after it has been downloaded to the endpoint.
1109943
10.5.0
Will Not Fix
Issue: TIE Module (TIEm) for VirusScan Enterprise (VSE) 1.0 incorrectly displays as installed alongside ENS.
Resolution: This issue will not be resolved. Remove the registry key that causes McAfee Agent to report that TIEm for VSE is still installed:
Make sure that TIEm for VSE 1.0 files are not present on the endpoint.
Remove the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ Network Associates\ePolicy Orchestrator\Application Plugins\JTIC____1000].
1099253
10.5.0
Will Not Fix
Issue: ENS fails to preserve custom settings for features that are not installed in VirusScan Enterprise 8.8 when you upgrade to ENS 10.5.
Resolution: This issue will not be resolved.
1097395
Will Not Fix
Issue: The Action Taken properties from "Contains pattern" values in the Threat Event Log, show Intrusion Detection System (IDS) strings, for example, “IDS_ALERT_ACT_TAK_DEN”. These strings are instead of natural language strings, for example, “deny access”.
Resolution: This issue will not be resolved.
1094383
10.5.0
Will Not Fix
Issue: The VirusScan Enterprise Buffer Overflow Protection (BOP) exclusion API value is not migrated if either the module or API name contains a period (for example, dll.socket or fakeAPI.abc).
Resolution: This issue will not be resolved. Make sure that the module or API name does not contain a period.
1089748
10.5.0
Will Not Fix
Issue: Sometimes there is a delay in the display of the email annotation in Outlook.
Issue: On Windows Server operating systems, the Internet Explorer browser setting Enable third-party browser extensions is disabled by default. ENS Web Control requires this option to be enabled. After ENS Web Control is installed, the user can't enable the setting Enable third-party browser extensions.
Resolution: This issue will not be resolved. Enable the setting Enable third-party browser extensions in Internet Explorer. See the related article for more information.
1083135
10.5.0
As Designed
Issue: The list of assigned tasks in one group is not moved to another group when a major upgrade is deployed from ePolicy Orchestrator (for example, ENS 10.5 to 10.6).
Resolution: This behavior is as designed.
1075106
10.5.0
Will Not Fix
Issue: Firewall DNS blocking is not enforced for Internet Explorer running on Windows 7 64-bit, and Windows Server 2008 R2 systems.
Resolution: This issue will not be resolved. This issue is intermittent and occurs only for a short time after you upgrade ENS.
1074557
10.5.0
Will Not Fix
Issue: The McTray icon is distorted after you install ENS in a TPS environment.
Resolution: This issue will not be resolved.
1070400
10.5.0
As Designed
Issue: The client UI does not start in Safe Mode.
Resolution: This behavior is as designed.
1070739
10.5.0
Will Not Fix
Issue: Natural language descriptions are not properly translated.
Resolution: This issue will not be resolved. To resolve the issue, restart the system.
Issue: The service start process times out while waiting for a dependent service to start. If the service does not respond in 30 seconds, Windows stops the service.
Resolution: This issue will not be resolved. Log on and start the service manually from the Services user interface (Services.MSC). The service also starts automatically from a COM ping when a browser window is left open for a few minutes. See the related article for more information.
1070189
10.5.0
Will Not Fix
Issue: Even if you choose another language for the client interface language, the interface language of ENS Web Control is written in the default language.
Resolution: This issue will not be resolved. The language of the ENS Web Control interface in the browser does not depend on the client user interface language that is set. The language is localized based on system locale.
996973
10.5.0
As Designed
Issue: A manual installation generates an Unidentified Publisher error.
Resolution: This behavior is as designed. Check Event Viewer, Windows Logs, Application log for the latest event from source Certificate Services Client to verify that it has been started successfully. Certificate Services Client is a core part of Windows that manages certificate handling, such as certificate enrollment, including auto-enrollment and credential roaming.
996375
10.5.0
As Designed
Issue: A Windows Security Audit failure occurs because of mfeelamk.sys.
Resolution: This behavior is as designed. A driver developed for Windows 8 and signed by "Microsoft Windows Early Launch Anti-malware Publisher" is generating audit errors on Windows 7. Depending on how often your system is designed to run an audit, you might see several of these errors in the Windows Event Log.
993212
10.5.0
As Designed
Issue: ENS client help is not enabled for screen readers, such as JAWS.
Resolution: This behavior is not supported.
991842
10.5.0
As Designed
Issue: By default, Use system proxy settings is selected in the Common setting for a self-managed system.
Resolution: This behavior is as designed. Use the local UI to change the setting.
990974
10.5.0
As Designed
Issue: Some informational common settings for modules still exist in the Common settings page even though the module is not installed. For example, Threat Prevention events are not removed after the related blades are uninstalled from the system.
Resolution: This behavior is as designed. No problems occur because of the existence of these settings.
990805
10.5.0
Will Not Fix
Issue: The local update task does not run at the specified time, but instead runs later.
Resolution: This issue will not be resolved. To avoid a network storm, the local update task uses a randomization of 60 minutes when setting up the schedule. So, the update task runs within 60 minutes of the scheduled time. The randomization setting is not available from the local UI and can't be changed.
982238
10.5.0
As Designed
Issue: A sharing violation error is logged in the local log file after scanning the C:\Windows folder. The sharing violation is expected because of the files being open exclusively (no shared read) in Windows processes.
Resolution: This behavior is as designed. The sharing violation error severity is set to Informational, which means by default the error is not sent to ePolicy Orchestrator. Also, the error does not display in the Windows Event Log by default.
976918
10.5.0
As Designed
Issue: Some Access Protection rules protect against remote access, such as the Remotely accessing local files or folders rule. When these rules are enabled and an access is reported or blocked, the target path value in the Event Log might report the pipe connection. It can report the pipe connection rather than the file path that was requested in the access that was tried. For example, the Event Log might report \\.\pipe\srvsvc rather than \\computer\share\filename.
Resolution: This behavior is as designed, and is a reflection of how the Windows file system works.
949580
10.5.0
As Designed
Issue: An erroneous summary is displayed in the Threat Summary: Threat free for last 30 days if ENS was installed in the last 30 days.
Resolution: This behavior is as designed. If there have been no threats in the last 30 days, ENS displays this message. If there were threats in the last 30 days, ENS displays the exact number of threat-free days.
922465
10.5.0
As Designed
Issue: The Firewall Rules table does not allow a new rule to be added to a new empty group in one step.
Resolution: This behavior is as designed. To move a newly added firewall rule to an empty group, first drag the rule above the group, and then drag and drop the rule inside the new group.
919855
10.5.0
As Designed
Issue: When running some ePolicy Orchestrator ENS event queries, and you drill down on a specific event's details, not all details of the event display.
Resolution: This behavior is as designed. Select the Go to related Event Log link to see the complete event details.
912588
10.5.0
As Designed
Issue: There are no Self-Protection events in the Windows Event Viewer, the ENS Client Event Viewer, or ePolicy Orchestrator Threat Events.
Resolution: This behavior is as designed. Self-Protection events are set to Informational by default and they are tied to the Event Filtering of Access-Protection. All event filtering is set to Major and Critical by default in ePolicy Orchestrator and in the client UI. To see Self-Protection events in the Windows Event Viewer, the ENS Client Event Viewer, or ePolicy Orchestrator Threat Events, you must change the Event Filtering for Access-Protection to All. Because All includes informational events, Self-Protection events display in the three areas mentioned.
NOTE: Regardless of the Event Filtering settings, Self-Protection events are logged to the SelfProtection_Activity.log file located in %PROGRAMDAT%\McAfee\Endpoint or %allusersprofile%\application data\McAfee\Endpoint. You can view this information at any point if needed.
898131
10.5.0
Will Not Fix
Issue: Clicking Update Now reports a successful update when the system is already up to date.
Resolution: This issue will not be resolved. When you click Update Now, the updater is initiated and the repository is checked for new updates. This behavior occurs regardless of whether the system is already up to date. Even in the case where no update is applied, the updater reports that the update was successful.
10.5.5 July Update Repost
10.6.1 July Update Repost
Issue: A reboot loop can occur after you install or upgrade to ENS 10.5.5 July Update or ENS 10.6.1 July Update. The issue occurs only if other Subject Interface Package (SIP) providers are present and Exploit Prevention is enabled.
Resolution: This issue is resolved in ENS 10.5.5 July Update Repost and 10.6.1 July Update Repost. See the related article for more information.
Issue: Users are unable to log on to Windows if ENS 10.2 (or earlier) is installed, Exploit Prevention is enabled, and Exploit Prevention content version 9418 is used. NOTE: ENS 10.2 (and earlier) are End of Life (EOL).
Resolution: Exploit Prevention content version 9419, which was posted July 10, 2019, corrects this issue. For more information, and for instructions to recover a system that does not allow users to log on, see the related article.
Issue: A blue screen error with bug check SYSTEM_SERVICE_EXCEPTION (3b) can occur after installing ENS 10.5.4 August Update. Because of this issue, McAfee has removed ENS 10.5.4 August Update from the Product Downloads site. For those customers that have already downloaded ENS 10.5.4 August Update, McAfee recommends to not install this update.
Resolution: This issue is resolved in ENS 10.5.4 September Update. See the related article for more information.
1235182
10.5.4
10.6.0
Issue: A JavaScript error displays when trying to create an Expert Rule, when using Internet Explorer.
Workaround: Use a different browser, such as Mozilla Firefox or Google Chrome.
Issue: A Product Deployment for Threat Prevention never expires and remains showing the status Running on the Product Deployment page in ePolicy Orchestrator. The Completion rate shows 0%. But, the endpoint received the Product Deployment task and installed the managed product successfully.
Resolution: This issue is resolved in ENS 10.6.0. See the related article for more information.
1227138
1231176
10.5.3
10.6.0
Issue: In the Threat Prevention policy (as viewed through ePolicy Orchestrator and the local ENS console), Options, Proactive Data Analysis, there are two options: McAfee GTI Feedback and Safety Pulse. These options are interdependent; but, disabling McAfee GTI Feedback does not necessarily disable the Safety Pulse option.
Workaround: To disable both options, you must disable Safety Pulse before you disable McAfee GTI Feedback because disabling McAfee GTI Feedback immediately hides the checkbox for Safety Pulse.
Resolution: This issue is resolved in ENS 10.5.4 June Update and ENS 10.6.0.
Issue: A rare system crash (blue screen error) with bug check 133 involving the mfefirek.sys firewall driver can be encountered on high-demand server class systems.
Resolution: This issue is resolved in ENS 10.5.3 Hotfix 1. See the related article for more information.
Issue: Under a specific and rare race condition, a system crash (blue screen error) might occur during an upgrade from an earlier (older) ENS version to ENS 10.5.3.
Workaround: If a system has encountered this issue and does not automatically restart, see the related article for the workaround procedure.
Resolution: The repost of ENS 10.5.3 corrects this issue. See the related article for more information.
If you currently have ENS 10.5.3 installed, you can continue to run ENS 10.5.3 on the system because the issue occurs only during the initial upgrade.
For any new installations of ENS 10.5.3, we recommend that you use the ENS 10.5.3 repost.
1213473
10.5.3
10.6.0
Issue: In the ENS About box, the Real Protect engine content version 1.0.0.2817 displays with a date of 1/31/2017. The correct date is 8/14/2017.
Issue: On 64-bit systems, upgrades from previous versions of ENS that were installed by explicitly providing the custom installation path "c:\Program Files (x86)\" do not update the ENS Platform files.
Workaround: Uninstall ENS from the custom installation path and then install the latest version of ENS.
Resolution: This issue is resolved in ENS 10.5.3. But, this issue could not be fixed for systems that are already installed and upgrading from ENS 10.5.2 or earlier. Only a clean installation of ENS 10.5.3 will address the issue and prevent it from happening in the future. See the related article for more information.
Issue: When ENS Exploit Prevention policies are backed up or exported, the backup copy contains only the Exploit Prevention content signatures from the content version when the backup was created. When the backup policy is restored on an ePolicy Orchestrator server with newer ENS Exploit Prevention content, the imported policy is missing any new content signatures until the next Exploit Prevention content update.
Workaround: Workaround steps are outlined in the related article.
Resolution: This issue is resolved in ENS 10.5.3.
1179148
10.5.1
10.5.3
Issue: The Access Protection rule "Changing any file extension registrations" is not effective at preventing changing file extension registrations.
Issue: After Exploit Prevention content is updated, the Application Protection Rules policies are set back to the default configuration. This set back means that any previously configured user-defined rules (also called custom rules) must be re-created.
Resolution: This issue is resolved in ENS 10.5.2 Threat Prevention extension Hotfix 1213762 and ENS 10.5.3. See the related articles for more information.
1184551
10.5.1
10.5.3
Issue: AMCore content is not retained on client systems after upgrading ENS.
Issue: If Device Guard or Credential Guard is enabled on a Windows 10 Creators Update 64-bit system, you must make sure that Microsoft KB4016251 is installed on the system before you install McAfee products. For more information, see KB89029.
Because of an issue in Windows 10 Creators Update, if Microsoft KB4016251 is not installed and you install McAfee products, the system experiences a system crash (blue screen error) and is no longer bootable. Currently, there is no known workaround for this issue.
Resolution: The issue does not occur if you install ENS 10.5.1 with Hotfix 1 on the Windows 10 Creators Update system. See the related article for more information.
Issue: Systems might experience a random system crash (blue screen error) with bug check 7E when Threat Prevention 10.5.0, 10.5.1, or 10.5.2 is installed.
Resolution: This issue is resolved in ENS 10.5.3 and later. See the related article for the steps to resolve the issue.
1186563
10.5.0
10.5.1
Issue: After the ENS Exploit Prevention content is updated, some systems might not display new or updated content signatures in the Endpoint Security Threat Prevention - Exploit Prevention policy, or when the standalone client is used.
Issue: After Threat Prevention is installed, Windows Server 2012 or Windows Server 2012 R2 servers with Cluster Shared Volumes randomly experience a system crash (blue screen error).
Workaround: The issue does not occur with Windows Server 2016.
Issue: The firewall is unable to communicate with the Global Threat Intelligence (GTI) server through a proxy.
Resolution: This issue is resolved in ENS 10.5.1.
1172948
1173107
10.5.0
10.5.1
Issue: The firewall blocks all traffic if the Global Threat Intelligence (GTI) server is unavailable.
Resolution: This issue is resolved in ENS 10.5.1. Traffic is no longer blocked if ENS is unable to access the GTI server.
1164824
10.5.0
10.5.3
Issue: If you edit the block or report settings for an Exploit Prevention signature, the client UI might display that signature at the bottom of the list of signatures. This display might happen even though the list is sorted numerically otherwise.
Workaround: In the client UI, scroll to the bottom of the list of Exploit Prevention signatures to find signatures whose block or report settings have been changed from their default value.
Resolution: This issue is resolved in ENS 10.5.3.
1163245
10.5.0
10.5.3
Issue: When ENS is installed, it creates the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\RealProtect" for the Real Protect component. Uninstallation of ENS does not delete this registry key. This registry key is a subkey of "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee" so it does not interfere with any other products.
Workaround: Manually delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\RealProtect".
Resolution: This issue is resolved in ENS 10.5.3.
1137347
10.5.0
10.5.3
Issue: An upgrade of the TIE for VirusScan Enterprise extension to TIE for Endpoint Security did not update the event descriptions. The upgraded extension is still able to manage clients with Threat Intelligence Exchange for VirusScan Enterprise.
Issue: After applying the Windows 2019 August Update, you observe high non-paged memory consumption in mfetp.exe. Over time, system performance degrades on systems, creating large numbers of short-lived processes.
Resolution: This issue is resolved in ENS 10.5.5 October Update and ENS 10.6.1 October Update. See the related article for more information.
10.5.5 July Update Repost
10.6.1 July Update Repost
Issue: Opening PDFs in Adobe Reader X Protected Mode is blocked with ENS 10.5.5/10.6.1 July Update installed and Exploit Prevention enabled. When opening the document, the Adobe Reader application either becomes unresponsive or displays the following error:
Adobe Reader cannot open in Protected Mode due to a problem with your system configuration. Would you like to open Adobe Reader with Protected Mode disabled?
Workaround: Set the Adobe Acrobat Reader Application Protection rule to Exclude.
Resolution: This issue is resolved in ENS 10.5.5 July Update Repost and 10.6.1 July Update Repost. See the related article for more information.
1267942
10.6.1 February Update
10.6.1 July Update
Issue: ENS 10.6.1 February Update through ENS 10.6.1 May Update do not work with Dell CAVA.
Workaround: Stay on ENS 10.6.1 December Update (or earlier).
Resolution: This issue is resolved in ENS 10.6.1 July Update.
Issue: After an upgrade to ENS 10.6.1, scheduled on-demand scan (ODS) tasks do not run.
Resolution: This issue is resolved in ENS 10.6.1 December 2019 Update. See the related article for more information.
TSDE-522
10.6.1
10.6.1 July Update Repost
Issue: In "Programs and Features," the entry for McAfee Endpoint Security Platform shows garbled characters rather than the correct Japanese translation.
Resolution: This issue is resolved in ENS 10.6.1 July Update Repost.
Issue: If you select the Allow checkbox in the Certificates section of the ENS Common, Options policy, it does not remain selected after you save the ENS Common policy and later reopen it. This issue is cosmetic. The Allow checkbox is correctly set in the ENS Common policy when saved. It is also accurately transferred to any client with the policy applied.
Resolution: This issue is resolved in ENS 10.6.1 October Update. See the related article for more information.
1263450
10.6.1
10.6.1 October Update
Issue: There can be high memory consumption by mfeatp.exe if debug logging is enabled for ENS Adaptive Threat Protection under load over an extended period.
Workaround: Disable debug logging for ENS Adaptive Threat Protection and the high memory consumption stops.
Resolution: This issue is resolved in ENS 10.6.1 October Update.
1254894
10.6.1
10.6.1 October Update
Issue: Client systems are not unlocked if you try to unlock them by selecting all systems after you run the following ePolicy Orchestrator query: Endpoint Security: Locked Client Systems Due to Failed Password Attempts.
Workaround: Instead of selecting all systems, select multiple systems and unlock the systems.
Resolution: This issue is resolved in ENS 10.6.1 October Update.
Issue: Installations of McAfee products initiated from McAfee Agent 5.5.1 can fail after a second chance exception occurs in msiexec. If a debugger is enabled on the system, the chance of encountering the issue is much more likely.
The dump of the msiexec crash shows the following exception code:
FAILURE_EXCEPTION_CODE: c0000008
Resolution: This issue is resolved in McAfee Agent 5.5.1 (Repost). See the related article for more information.
1239082
10.6.0
10.6.1
Issue: Threat Prevention displays the following pop-up error during an upgrade from a previous version of ENS. The issue occurs when a Threat Prevention 10.6.0 deployment does not accompany ENS Platform 10.6.0 while upgrading ENS 10.5.x.
Error 2761. Cannot begin transaction. Global mutex not properly initialized
Workaround: Deploy Threat Prevention 10.6.0 with ENS Platform 10.6.0 during upgrades.
10.5.5 July Update Repost
10.6.1 July Update Repost
Issue: A system crash (blue screen) error with Bug Check 19 "BAD_POOL_HEADER" might occur sporadically when ENS Threat Prevention 10.5.5/10.6.1 May/July Update is present and AMCore content is installed.
Resolution: This issue is resolved in ENS 10.5.5 July Update Repost and ENS 10.6.1 July Update Repost. See the related article for more information.
10.5.5 July Update Repost
10.6.1 July Update Repost
Issue: A system crash (blue screen) error with Bug Check 19 "BAD_POOL_HEADER" might occur sporadically when Exploit Prevention is enabled and there is a mapped network drive that points to a non-drive letter.
Workaround: The following workarounds exist to avoid this issue:
Remove the mapped drives that point to a non-drive letter, or reassign the mapped drives to a drive letter.
Disable Exploit Prevention.
Resolution: This issue is resolved in ENS 10.5.5 July Update Repost and ENS 10.6.1 July Update Repost. See the related article for more information.
10.5.5 December 2019 Update
10.6.1 December 2019 Update
Issue: After upgrading ENS, the installation client might encounter an exposed Windows kernel bug. This bug corrupts XML files and the system local console GUI might display abnormal behavior including one of the following:
One or more modules report as "Unknown".
A password prompt displays, but there is no password policy in place.
Systems report as out of compliance in ePolicy Orchestrator (ePO) despite the update tasks appearing successful.
Workaround: To restore functionality, run the ENS RepairCache utilities against all impacted modules and then restart the system. See the related article for more information.
Resolution: This issue is resolved in ENS 10.5.5 December 2019 Update and ENS 10.6.1 December 2019 Update.
Issue: When you upgrade from a previous ENS version to 10.5.5 or 10.6.1, the installation becomes stuck in an infinite restart loop. In the McAfee_Common_Bootstrapper.log, you see the following:
05/02/2019 08:00:43.872 [3532] [BootstrapperMain] Common:Product version :10.6.1
05/02/2019 08:00:48.530 [3532] [BootstrapperMain] Check if installed common is 10.5.3, need to install a HF for 10.5.3 before upgrade
05/02/2019 08:00:48.530 [3532] [BootstrapperMain] Installed ENS Common Product Version : 10.5.3
05/02/2019 08:01:39.843 [3532] [BootstrapperMain] Utility to update ENS exp driver returned reboot required.
05/02/2019 08:01:39.858 [3532] [BootstrapperMain] Common failed during install or Upgrade!!!
Workaround: Delete the McAfeeEndpointSecurity_100 registry key on the client.
Resolution: This issue is resolved in ENS 10.5.5 July Update Repost and ENS 10.6.1 July Update Repost. See the related article for more information.
1260017
10.5.5
10.6.1 February Update
10.5.5 February Update
Issue: The following error displays when editing the ENS Firewall policy using ePolicy Orchestrator 5.10:
Unexpected error occurred
Resolution: This issue is resolved in the ENS 10.5.5 February Update and ENS 10.6.1 February Update Firewall extension.
Issue: After switching between ENS Firewall and Host IPS Firewall, WSC incorrectly reports the status of ENS Firewall and Host IPS Firewall. For example, after you disable Host IPS Firewall and enable ENS Firewall, WSC reports the status of ENS Firewall as disabled.
Resolution: This issue is resolved in ENS 10.6.1 February Update. See the related article for more information.
Issue: Upgrading from ENS 10.5.4 August Update to ENS 10.6.0 completes successfully, but there are missing Endpoint Security Platform (ESP) files. The ESP and Adaptive Threat Protection (ATP) services are also unable to start because of Validation Trust Protection (VTP) failures.
Workaround: Repair the Common module from the repair cache or reinstall ENS 10.6.0.
Resolution: This issue is resolved in ENS 10.6.1. See the related article for more information.
1253664
10.5.4 June Update
10.6.1
Issue: An upgrade might cause a blue screen error with bug check 3b.
Resolution: This issue is resolved in ENS 10.6.1.
1270581
10.5.4
10.6.1
10.5.5
Issue: A blue screen error (bug check 3b) might occur because of failing pool allocations, eventually leading to a NULL pointer de-reference involving mfehidk.sys.
Resolution: This issue is resolved in ENS 10.5.5 and ENS 10.6.1.
1252046
10.5.4
10.6.1 February Update
10.5.5 February Update
Issue: Web Control events on URLs over 4,000 characters long are not parsed by ePolicy Orchestrator. Any character after 3,999 is truncated in the event.
Resolution: This issue is resolved in ENS 10.5.5 February Update and ENS 10.6.1 February Update.
Issue: In the Mozilla Firefox and Google Chrome browsers, the enforcement message for red- and yellow-rated sites does not appear when a red- or yellow-rated site is browsed. A redirection to the mcafee.com site occurs and a page not found error appears.
Resolution: This issue is resolved in ENS 10.5.5 and ENS 10.6.1. See the related article for more information.
1236546
10.5.3
10.5.5
10.6.1
Issue: The McAfee Security Status dialog box sometimes shows ENS modules as not responding.
Resolution: This issue is resolved in ENS 10.5.5 and ENS 10.6.1.
Issue: The Web Gateway Interlock policy allows ENS Web Control to become disabled on an internal network that is protected by an internet appliance like Web Gateway. After a network change to an external network, ENS Web Control becomes enabled in the browsers. Currently ENS Web Control is not changing status until the first policy enforcement after the network change.
Resolution: This issue is resolved in ENS 10.5.4 June Update and ENS 10.6.1. See the related article for more information.
Issue: Installing ENS might fail if the system has not rebooted since the last installation of an ENS version.
Workaround: Reboot the system and run the ENS installation again.
Resolution: This issue is resolved in ENS 10.5.5 and ENS 10.6.1. See the related article for more information.
10.5.0
10.6.1
Issue: You can't log off from of a Google account in Chrome.
Workaround: Use Firefox or Internet Explorer to sign out of a Google account.
Resolution: This issue is resolved in ENS 10.6.1.
1241262
10.6.0 with ePO 5.3.3
ePO versions later than 5.3.3
Issue: The following error displays when clicking Adaptive Threat Protection dashboard events:
An unexpected error occurred.
This error is the result of an issue that exists with ePolicy Orchestrator 5.3.3.
Workaround: Perform the following:
Contact Technical Support and obtain ePolicy Orchestrator 5.3.3 Proof of Concept 1219524.
Add the following line to the file C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\conf\context.xml. Put this line at the end of the file just before the </Context> tag.
Issue: When you run a right-click scan through the context menu and choose Scan for threats, the resulting window might appear blank with only a white background displayed. The window title says McAfee Endpoint Security. The window can be closed without any problem; click the red X in the top-right corner of the window. Scan activity does not appear to take place. Also, when you try to run a right-click scan and then close the blank window multiple times, mfeconsole processes remain in the list of active processes until you kill them or restart the system.
Resolution: This issue is resolved in ENS 10.5.4. See the related article for more information.
Issue: The ENS About box does not display the Extra.DAT version information if the Extra.DAT is applied through an ePolicy Orchestrator update task. An Extra.DAT installed on the local system reports correctly.
Resolution: A change made to the Extra.DAT detection scripts corrected the issue. See the related article for more information.
1240394
1234679
1230833
10.5.3
Microsoft fix available
Issue: Bug check KMODE_EXCEPTION_NOT_HANDLED (1e) occurs. This issue is typically found on Windows 10 kernels, such as Windows Server 2016, and the process is typically the cluster service clussvc.exe. Disabling Real Protect might resolve the issue. The stack text is similar to the following:
Issue: Microsoft Internet Explorer, Outlook, or Word hangs or crashes when Exploit Prevention is enabled, and you open a document from SharePoint or off a network share in the presence of Microsoft Application Virtualization.
Workaround: Perform one of the following workarounds:
Create an Application Protection Rule exclusion for the affected application.
Make Signature 6015 a Repot only event.
Add an "Illegal API User – Buffer Overflow" signature exclusion for the affected application where the Caller Module is appventsubsystems32.dll, the Signature is 6015, and the API is LoadLibraryW.
Resolution: This issue is resolved in Exploit Prevention Content version update 8479.
1232927
10.5.3
10.5.4
Issue: After you create an Exploit Prevention exclusion using ePolicy Orchestrator, when you open the exclusion in the ENS console, Type must be specified is displayed in red color and Type is specified as No type.
Issue: Installation of ENS fails during the ENS Common module installation. See the related article for more information.
The McAfee Agent log records the following:
Run now task McAfee Agent > Product Deployment failed. Details: Product "ENDP_GS_1050" installation failed, reason "Unknown error".
The McAfee_Common_VSCore_Install_All_<timestamp>.log record errors similar to the following:
[09:40:33:312] - Wait for MMS Service mfehcs to report RUNNING
...[09:41:02:766] - MMS Service mfehcs: [09:41:02:766] - SERVICE_START_PENDING
[09:41:03:781] - MMS Service mfehcs: [09:41:03:781] - SERVICE_STOPPED. Stop waiting for service to run
[09:41:03:781] - StartMMSService: exit=0
...
[09:41:03:781] - Code [0x20003051] : Error while starting McAfee service.
[09:41:03:781] - Exit code will be 4294967295
...
[09:41:03:781] - Returning 4294967295
Issue: The same version of the ENS 10.5.3 Common Platform module is reinstalled multiple times, although the previous installation was successful. This issue occurs only with the reposted version of ENS 10.5.3 Common Platform version 10.5.3.3178_7.
Workaround: Change the product deployment task to run the deployment for the ENS 10.5.3 Common Platform module only once.
Resolution: This issue is resolved in ENS 10.5.3 Hotfix 1. See the related article for more information.
1221732
10.5.3
10.5.4
Issue: When Network Exploit Prevention is enabled, ENS Firewall does not log some blocked traffic.
Issue: The system restarts and a system crash (blue screen error) occurs when you upgrade from ENS 10.5.2 to ENS 10.5.3 in the presence of third-party injectors.
Resolution: This issue is resolved in ENS 10.5.4. See the related article for more information.
1218771
10.5.3
10.5.4
Issue: If an ePolicy Orchestrator (ePO) repository branch contains many previous ENS updates and hotfixes, checking in the 10.5.3 update into the same repository branch might result in ePO becoming unresponsive.
Workaround: To prevent the issue, remove all updates and hotfixes except for the previous version, before checking in the 10.5.3 update. If you already encountered this issue and ePO is unresponsive, stop and restart the ePO service to resolve the issue.
Issue: After you disable Access Protection via policy in ePolicy Orchestrator (ePO), once enforced on the client, the ENS console still shows that Access Protection is enabled. This information is then reported incorrectly back to ePO. This issue is cosmetic. When the policy is enforced, Access Protection is successfully disabled on the client.
Resolution: This issue is resolved in ENS 10.5.3 Hotfix 1. See the related article for more information.
1215500
10.5.3
10.5.4
Issue: The driver mfeepmpk does not load after a system restart.
Workaround: Perform the following steps:
Disable ENS Self-Protection.
Press Windows+R, type regedit.exe, and click OK.
Delete the entry "INITSTARTFAILED" if present at: HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\services\mfeepmpk\Enum
Delete the entry "DriverEntry" if present at: HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\services\mfeepmpk
Set the entry "Start" to 3 at: HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\services\mfeepmpk
Set the entry "VTPOptions" to 0x20 (32 in decimal) at:
HKEY_LOCAL_MACHINE\SYSTEM\
CurrentControlSet\services\mfeepmpk
Enable ENS Self-Protection.
Restart the system.
Resolution: This issue is resolved in ENS 10.5.4.
1214624
10.5.3
10.5.4
Issue: An upgrade to ENS 10.5.3 fails if Threat Intelligence Exchange (TIE) Client 10.2 is installed. This result is an intermittent issue.
Cause: There is a timing issue. The TIE Client tries to validate the installer utility before it is written to disk. This fact causes the McAfee trust verifier to treat the installer utility as untrusted.
Workaround: Perform one of the following options:
Attempt to send another deployment task to the systems with this issue. The chance of the upgrade succeeding in the second attempt is higher.
Uninstall TIE Client 10.2 before upgrading to a later version or update. The deployment task for 10.5.x must include the Adaptive Threat Protection module to match the parity with TIE Client 10.2.x.
Resolution: This issue is resolved in ENS 10.5.4.
1213474
10.5.3
10.5.4
Issue: After selecting an expert rule and clicking the "Expert rule checker" button, sometimes the rule data is not populated.
Workaround: Order the table rows by ID before selecting expert rules.
Resolution: This issue is resolved in ENS 10.5.4.
1212160
10.5.3
10.5.4
Issue: Threat Prevention is disabled, or missing, after an upgrade attempt to ENS 10.5.3. The mfetp.exe process is not running.
Resolution: This issue is resolved in ENS 10.5.4. McAfee recommends that you upgrade to ENS 10.5.4 or later.
1218123
10.5.2
10.5.4
Issue: Services are deleted during an upgrade if they fail to stop in a timely manner. The services are left in a "not responding" state.
Resolution: This issue is resolved in ENS 10.5.4.
1217352
10.5.2
10.5.4
10.5.3 Hotfix 3
Issue: When the Firewall Options policy Allow bridged traffic option is enabled and you apply the policy to a virtual machine, Firewall rules are not enforced and traffic to and from the virtual machine is allowed.
Resolution: This issue is resolved in ENS 10.5.3 Hotfix 3 and ENS 10.5.4.
Issue: When you select the "Configure different settings for High Risk and Low Risk processes" option in the On-Access Scan policy, and all High Risk processes are removed, the High Risk processes are still enforced.
Workaround: Make sure that there is at least one High Risk process in the policy.
Resolution: This issue is resolved in ENS 10.5.4. See the related article for more information.
10.5.2
10.5.3
Issue: When performing a right-click on-demand scan for a network share, the scan completes in seconds and 0 files were scanned. This issue happens even though you are logged on to the client system, with credentials that have local administrator rights to the network share.
Issue: During an installation or upgrade to ENS 10.5.2, an error occurs during the installation process that causes an MSI pop-up error. Installation is successful, but systems occasionally get the following pop-up error:
Error 1336. There was an error creating a temporary file that is needed to complete this installation. Folder: C:\Program Files\McAfee\
Endpoint Security\Threat Prevention. System error code: 5.
Workaround: Use the following steps to work around this issue. See the related article for more information.
Disable ENS Self-Protection. From the local console, navigate to Settings, Common, and disable Self-protection.
Issue: When you install ENS using a custom policy that specifies a custom quarantine path, the quarantine is created in the default folder C:\Quarantine instead of the specified custom path.
Workaround: For ePO managed systems, the quarantine folder is automatically reset to the custom path specified in the policy on the next policy enforcement. Either wait for the next policy enforcement to occur, or manually trigger policy enforcement using one of the options in the related article.
Resolution: This issue is resolved in ENS 10.5.4.
1205792
10.5.2
10.5.3
Issue: A small long-term memory leak with McShield.exe might be observed each time a policy enforcement occurs.
Resolution: This issue is resolved in ENS 10.5.3.
1204625
10.5.2
Host IPS 8.0 Update 11
Issue: If the Host Intrusion Prevention IPS feature is enabled, ENS installs or update upgrades fail on about 20% of systems.
Workaround: Disable the IPS feature before the ENS install or upgrade; re-enable the IPS feature after the ENS install or upgrade completes.
Resolution: Use one of the following options:
Upgrade Host Intrusion Prevention to 8.0 Update 11 before the ENS install or upgrade.
Remove Host Intrusion Prevention when you deploy ENS.
10.5.2 (RTS)
10.5.2 (GA)
Issue: When you install the Endpoint Security 10.5.2 Profiler Tool, you need to create an exclusion for mcprofiler.exe in the Endpoint Security Common policy, Show Advanced, Self Protection, Exclude these processes.
Resolution: This issue is resolved in ENS 10.5.2 (GA).
1193471
10.5.1
10.5.4
Issue: Threat Prevention reports that it is not responding. The issue is the result of a timeout when trying to enumerate users when the service starts.
Resolution: This issue is resolved in ENS 10.5.4. With ENS 10.5.4, the service starts before timing out.
1192352
10.5.1
10.5.2
Issue: Scheduled scans configured to run when idle, sometimes fail to run when the system is idle, or sometimes resume unexpectedly when the system is not idle.
Resolution: This issue is resolved in ENS 10.5.2.
1182718
10.5.1
10.5.1 Hotfix 2
Issue: On-demand scan "files scanned" might not increment in the on-demand scan activity log, nor does "items scanned" increment in the on-demand scan pop-up dialog box, for files that are not detected as malware.
Resolution: This issue is resolved in ENS 10.5.1 Hotfix 2.
1180401
10.5.1
10.5.2
Issue: ENS installation fails when any injector software with an unsigned DLL tries to hook or inject into any McAfee process.
Workaround: Perform one of the following:
Get the unsigned DLL certified or signed from the software vendor.
Remove the software and then install ENS.
Resolution: This issue is resolved in ENS 10.5.2.
1179065
10.5.1
10.5.2
Issue: A system crash (blue screen error) occurs after restarting a system when ENS is installed with some McAfee products. These products include VirusScan Enterprise, Host Intrusion Prevention, Data Loss Prevention, and Drive Encryption with File and Removable Media Protection (FRP).
Cause: The kernel is running out of stack space during a file operation because there are more than the usual number of filters on the file stack. This fact causes a CPU double fault and the blue screen error. FRP currently uses the minimum kernel stack needed for a call, which is 4 K.
Workaround: Increase this stack size as suggested below:
Start the system in Windows Safe Mode.
Navigate to the registry location HKLM/System/CurrentControlSet/Services/mfeeeff.
Create a DWORD value with the name MinKernelStack and set it to 16384.
Issue: A system crash (blue screen) occurs after you successfully install or upgrade to ENS 10.5.x (and later) or VirusScan Enterprise 8.8 Patch 10 (and later).
After a system restart, the computer enters a reboot cycle after it shows a system crash (blue screen) with the following crash details:
CLASSPNP.SYS - Address FFFFF8800217F198 base at FFFFF8800217E000, DateStamp 4ce7929b MER mfeclnk.sys
The issue is seen on Citrix XenApp clients running the Citrix File System Minifilter PVS driver.
Resolution: Upgrade Citrix PVS to version 7.6 or later before you install or upgrade your ENS or VirusScan Enterprise installation. See the related article for more information.
Issue: In ePolicy Orchestrator, when the total number of characters in the path for the On-Access Scan exclusions plus the internal separators exceeds 5000, the policy does not enforce on the end node.
Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
Issue: ENS Web Control does not work in Firefox 51.
Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1173342
10.5.0
10.5.1
Issue: In the Exploit Prevention policy, after editing a McAfee Defined Application Protection Rule with a name that has more than one word, the name is cut off leaving only the first word in the name.
Resolution: This issue is resolved in ENS 10.5.1.
1172855
10.5.0
10.5.1
Issue: Automatic Migration fails for edited VirusScan Enterprise My Default Policies for on-demand scan when the Both Workstation and Server settings migration option is selected. After the Automatic Migration "MyDefault 2" policies are created twice, one each for workstation and server-specific policies. This action then causes the policy migration to Threat Prevention to fail.
Workaround: In the policy preview page, manually rename the Threat Prevention on-demand scan policy that has the duplicate name to a unique name.
Resolution: This issue is resolved in ENS 10.5.1.
1171976
10.5.0
10.5.1
Issue: When you upgrade an endpoint with ENS 10.5 installed from Windows 7 x64 to Windows 10 x64, Exploit Prevention fails to initialize and remains disabled.
Cause: A race condition between mfetp and the VSCore driver, ESP, or MA Service during the installation flow causes this issue. This race condition leaves the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mfeepmpk\Enum set to 1 by mistake, and indicates a failure during initialization. The result is that Exploit Prevention remains disabled and can't be initialized.
Workaround: To avoid the issue, perform the following steps:
Before you start the Windows 10 upgrade process, disable ENS Self-Protection.
Press Windows+R, type regedit, and click OK.
Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mfeepmpk\Enum
Set INITSTARTFAILED to 0.
Enable ENS Self-Protection.
Start the Windows 10 upgrade process.
Resolution: This issue is resolved in ENS 10.5.1.
1170938
10.5.0
10.5.1
Issue: When ENS Web Control interlock Disable if a web gateway appliance is detected is enabled with more than one detect gateway option selected, ENS Web Control fails to stand down when any one of the selected detect gateway conditions fails to match. The detect gateway options can be organization default gateway, web gateway enforcement, or internal landmark.
Workaround: Do not select multiple detect gateway options, select one of the options that best suits the environment.
Resolution: This issue is resolved in ENS 10.5.1.
1164347
10.5.0
10.5.1
Issue: In the Host Intrusion Prevention catalog network, you add an IP address with a fully qualified domain name without a dot. After migration to the ENS Catalog, if you try to open the migrated catalog in ENS, an unexpected error appears. (For example, a name without a dot is Google.)
Workaround: Before migration, delete all networks in the Host Intrusion Prevention catalog without a dot.
Resolution: This issue is resolved in ENS 10.5.1.
1164345
10.5.0
10.5.1
Issue: An exception error displays when you open an ENS firewall rule for editing in the Rules policy migrated from Host Intrusion Prevention. And, the same rule from the same Host Intrusion Prevention Rule policy is open in another tab.
Workaround: To compare the migrated Host Intrusion Prevention rule and the original Host Intrusion Prevention rule, use the rule summary or open rules in different browsers.
Resolution: This issue is resolved in ENS 10.5.1.
1162890
10.5.0
10.5.2
Issue: Boot times for some systems might be longer after you install ENS 10.5.0.
Resolution: This issue is resolved in ENS 10.5.2.
1143866
1127671
1127669
10.5.0
10.5.2
Issue: Code compiling programs like Cygwin can take longer to build projects with out-of-box configurations of ENS 10.5.0.
Resolution: The issue is resolved in ENS 10.5.2.
1141112 1134927
1252359
10.5.0
Host IPS 8.0 Update 11
Issue: When you edit an object in the Host Intrusion Prevention (Host IPS) catalog, a list displays with all affected policies that the change will propagate to. The list includes an ENS Firewall policy that was migrated from Host IPS using the Migration Assistant. If you change the object in the Host IPS catalog, the ENS Firewall policy becomes corrupted.
Resolution: This issue is resolved in Host IPS 8.0 Update 11. If you already encountered the issue, remigrate the ENS Firewall policy after modifying the object in the Host IPS Catalog.
1204316
10.5.0
10.5.3
Issue: An AMCore content update succeeded, but the AMCore content version is not shown in the ENS Console or ePolicy Orchestrator. The correct AMCore content version is shown in the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVSolution\DS\DS]. The ThreatPrevention_Debug.log shows the following error:
07/13/2017 11:22:36.916 AM mfetp(4472.4508) AvContentMgr.AVCMGR.Error: Failed to load container: Failed to load xml document, 0x00000001
Issue: If Threat Prevention Exploit Prevention is enabled, the dllhost.exe process will generate a crash dump after it performs a Cortana search on a Windows 10 Creators Update system. The issue occurs when Exploit Prevention fails to inject into the dllhost.exe process; the result is the process does not load and generates a crash dump.
Workaround: Add a global Exploit Prevention exclusion for the dllhost.exe process. The exclusion stops injection from being performed on the dllhost.exe process, and crash dumps are not generated. See the related article for more information.
Issue: A Location Aware Group (LAG) with a local network and with connection isolation enabled blocks traffic by isolation. The issue occurs when the address specified in the local network of the LAG does not match an active network adapter on the system.
Workaround: Reconfigure the LAG without a local network as a location criteria; use other location criteria that is suitable in the environment.
Resolution: This issue is resolved in ENS 10.5.1 Hotfix 1. See the related article for more information.
1177881
1175503
10.5.0
10.5.1
Issue: Clients do not send metadata, such as file names, to the Threat Intelligence Exchange server when the option Allow the Threat Intelligence Exchange server to collect anonymous diagnostic and usage data is disabled.
Resolution: This issue is resolved in ENS 10.5.1. The option Allow the Threat Intelligence Exchange server to collect anonymous diagnostic and usage data now applies only to optional statistics collection by clients. Metadata is sent to the Threat Intelligence Exchange server.
Issue: When ENS Web Control enforces an action in the browser, an enforcement message is displayed in the browser. The enforcement message is blank even though the policy for the enforcement message has text. See the related article for more information.
Workaround: Remove any carriage returns from the enforcement message. Use HTML code for paragraph or break to make line spaces in the enforcement message.
Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
Issue: ENS Web Control search annotation ratings might not be displayed in the search engine results when search engines change their search results pages. For example, www.yahoo.tw does not display search annotations with Web Control.
Resolution: This issue is resolved in ENS 10.5.2. See the related article for more information.
1148888
10.5.0
10.5.1
Issue: Packages created with ENS Package Designer do not honor the license type, which causes the ePolicy Orchestrator server to always display the package as Licensed. This issue does not impact the licensed General Availability (GA) packages being customized. It impacts only the ENS evaluation builds when used to create custom packages. There is no functional impact on the client. The client About dialog box still displays it as Trial only. Only the ePolicy Orchestrator Master Repository displays as Licensed for trial packages.
Issue: After you upgrade ENS, permission set data is not retained accurately for the Firewall extension, if it had two categories of permissions sets before the upgrade. These two categories are, Endpoint Security Firewall Catalog and Client and Endpoint Security Firewall.
Workaround: Run the SQL script attached in the related article on the ePolicy Orchestrator server after you upgrade ENS to restore the Firewall extension permission set data.
Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1132889
10.5.0
10.5.1
Issue: IP addresses in CIDR format are not supported in private IP address exclusions in the Options policy.
Workaround: Use a supported format in private IP address exclusions: IP address range (at each octet level), IPv4, and IPv6 formats in comma-separated values.
Resolution: This issue is resolved in ENS 10.5.1.
1129484
10.5.0
10.5.1
Issue: When you use the Web Gateway Interlock feature in ENS Web Control, if you use the option Specify internal landmark to use from the ENS Web Control ePolicy Orchestrator extension, you can't specify IPv6 addresses and DNS names that resolve only to IPv6 addresses in the corresponding input fields.
Workaround: Use IPv4 addresses and DNS names that resolve to IPv4 addresses.
Issue: There are compatibility issues with ENS and Entrust 9.3, including the following:
Performance issues
After installation of ENS on a system with Entrust 9.3, the system will not start after a restart.
Resolution: Contact Entrust to obtain a hotfix and quote Entrust reference number ref:_00D301H7DR._5001412ZkNK:ref. The hotfix is available only through Entrust support. See the related article for more information.
Issue: After you install ENS on a Windows 7 system with Forcepoint (formerly Websense) Data Loss Prevention (DLP) 7.8 installed, a system crash (blue screen error) occurs.
Workaround: Either remove the Forcepoint software or upgrade to Windows 10.
Resolution: McAfee has determined that the cause of this issue is the Forcepoint software that uses the QIP.sys driver on Windows 7 systems. Any solution must come from Forcepoint. If you experience this issue, McAfee recommends that you contact Forcepoint Technical Support for assistance. This issue has not been reported to occur with newer versions of Forcepoint DLP 8.2. See the related article for more information.
Issue: Installation of ENS fails when Entrust Entelligence 9.2 is installed.
Resolution: Upgrade to Entrust Entelligence 9.3. Installations of ENS are successful with the latest Entrust Entelligence version. See the related article for more information.
If you are a registered user, type your User Id and Password, and then click Log In.
If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.
