Endpoint Security 10.x Known Issues
Technical Articles ID:   KB82450
Last Modified:  6/12/2018


Environment

McAfee Endpoint Security (ENS) Firewall 10.6.x, 10.5.x, 10.2.x
McAfee ENS Threat Prevention 10.6.x, 10.5.x, 10.2.x
McAfee ENS Web Control 10.6.x, 10.5.x, 10.2.x

For ENS supported environments, see KB82761.

For ENS Adaptive Threat Protection (ATP) known issues, see KB88788.
For ENS known issues applicable in ePolicy Orchestrator Cloud, see KB79063.

Summary

Recent updates to this article 
Date | Update
June 12, 2018 | Updated for ENS 10.6.0, Release to World (RTW) and ENS 10.5.4 June Update, currently Release to Support (RTS).
June 6, 2018 | Moved issue 1242104 to the "Issues resolved in 10.5.4" section.
May 31, 2018 | Added issue 1218123 to the "Issues resolved in 10.5.4" section.
May 30, 2018 | Added issue 1242104 to the "Open issues" section.
May 25, 2018 | Added issues 1239725 and 1241673 to the "Open issues" section.


Issue resolutions in patches and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.
ENS Version | Release to Support (RTS) | Release to World (RTW) | Release Notes
10.6.0 | May 8, 2018 | June 12, 2018 | PD27443 (ePO managed), PD27781 (ePO Cloud managed)
10.5.4 June Update | June 12, 2018 (NOTE: This update is available only from Technical Support. See the Related Information section below for contact details.) | N/A | PD27796
10.5.4 Hotfix 1 | N/A | May 8, 2018 | PD27763
10.5.4 | March 29, 2018 | April 24, 2018 | PD27442 (ePO managed), PD27598 (ePO Cloud managed)
10.5.3 Hotfix 3 (HF3) | March 13, 2018 (NOTE: This hotfix is available only from Technical Support. See the Related Information section below for contact details.) | N/A | PD27624
10.5.3 Hotfix 2 (HF2) | February 13, 2018 (NOTE: This hotfix is available only from Technical Support. See the Related Information section below for contact details.) | N/A | PD27522
10.5.3 Hotfix 1 (HF1) | N/A | January 9, 2018 | PD27439
10.5.3 | October 30, 2017 | November 13, 2017 | PD27192
10.5.2 Hotfix 2 (HF2) | N/A | October 17, 2017 (NOTE: This hotfix is available only from Technical Support. See the Related Information section below for contact details.) | PD27314
10.5.2 Threat Prevention extension Hotfix 1213762 (HF1213762) | N/A | October 11, 2017 | PD27301
10.5.2 Hotfix 1 (HF1) | N/A | September 12, 2017 (NOTE: This hotfix is available only by contacting Technical Support. See the Related Information section below for contact details.) | PD27252
Profiler 1.3 for ENS 10.5.2 | July 19, 2017 | August 29, 2017 | KB69683
Endpoint Security Threat Intelligence 10.2.3 | August 1, 2017 | August 8, 2017 | PD27157
10.5.2 | July 19, 2017 | August 28, 2017 | PD27025
10.5.1 Hotfix 2 (HF2) - Repost | N/A | June 23, 2017 | PD27121
10.5.1 Hotfix 1 (HF1) | N/A | May 16, 2017 | PD27071
10.5.1 | N/A | March 30, 2017 | PD26909
10.5.0 | N/A | December 19, 2016 | PD26802
10.2.2 | N/A | November 13, 2017 | PD27193
10.2.1 | N/A | March 30, 2017 | PD26908
10.2.0 Hotfix 1164434 (HF1164434) | N/A | November 7, 2016 | PD26758
10.2.0 | N/A | August 11, 2016 | PD26588

Critical: No critical issues resolved

Non-critical:
 
Reference Number Related Article Found in ENS Version Resolved in ENS Version Issue Description
1235182   10.5.4 10.6.0 Issue: A JavaScript error displays when trying to create an Expert Rule, when using Internet Explorer.

Workaround: Use a different browser, such as Internet Explorer or Google Chrome.

Resolution: This issue is resolved in ENS 10.6.0.
1230704 KB90510 10.5.3 10.6.0 Issue: A Product Deployment for Threat Prevention never expires and remains showing the status Running on the Product Deployment page in ePolicy Orchestrator. The Completion rate shows 0%. But, the endpoint received the Product Deployment task and installed the point product successfully.

Resolution: This issue is resolved in ENS 10.6.0. See the related article for more information.
1227138
1231176
  10.5.3 10.6.0 Issue: In the Threat Prevention policy (as viewed through ePolicy Orchestrator and the local ENS console), Options, Proactive Data Analysis, there are two options: McAfee GTI Feedback and Safety Pulse. These options are interdependent; but, disabling McAfee GTI Feedback does not necessarily disable the Safety Pulse option.

Workaround: To disable both options, you must disable Safety Pulse before you disable McAfee GTI Feedback because disabling McAfee GTI Feedback immediately hides the check box for Safety Pulse.

Resolution: This issue is resolved in ENS 10.5.4 June Update and ENS 10.6.0.
1213473   10.5.3 10.6.0 Issue: In the ENS About box, the Real Protect engine content version 1.0.0.2817 displays with a date of 1/31/2017. The correct date is 8/14/2017.

Resolution: This issue is resolved in ENS 10.6.0.


Critical:
 
Reference Number Related Article Found in ENS Version Resolved in ENS Version Issue Description
1228079 KB90301 10.5.3   Issue: A blue screen error can occur when upgrading to ENS 10.5.x from an earlier 10.5.x version and when another McAfee product is installed. Possible other McAfee products are Host Intrusion Prevention 8.0 or Data Loss Prevention Endpoint versions earlier than 10.0.330 and 11.0.130. The issue is timing-related and does not always occur.

Workaround: This issue is timing-related and difficult to encounter. But, you can eliminate the risk of encountering the issue by disabling the Exploit Prevention feature, before you upgrade ENS.

Resolution: This issue is expected to be resolved in ENS 10.7. See the related article for more information.


Non-critical:
 
Reference Number Related Article Found in ENS Version Resolved in ENS Version Issue Description
1240425 KB90664 10.6.0   Issue: On rare occasions, in the presence of Adaptive Threat Protection, an ENS upgrade from 10.5.0 (and later) to 10.6.0 fails, thus causing the system to enter a non-protective state. The following symptoms are observed when the issue occurs:
  • The content update fails continuously and the product properties of the system show the old AMCore that was updated last.
  • Threat Prevention and Adaptive Threat Protection show the previous versions whereas Endpoint Security Platform shows 10.6.0 in the product properties for the respective endpoint.
  • The Endpoint Security Console shows Threat Prevention and Adaptive Threat Protection in a "Not Started" state, and the Threat Prevention and Adaptive Threat Protection version information is not displayed in the About dialog box.
  • The mfetp, mfeatp, and mcshield processes stop running on the endpoint.
  • EICAR or any malware detection fails on the endpoint.
Resolution: To resolve the issue, McAfee has released a tool that can be deployed using ePolicy Orchestrator. See the related article for more information.
1239082   10.6.0   Issue: Upgrading ENS using ePolicy Orchestrator Run Task Now might result in some modules not upgrading. Run Task Now, by default, has a 20-minute task timeout and the task might time out before ENS completes the upgrade.

Workaround: Upgrade ENS using a scheduled deployment task instead of using Run Task Now.
1239082   10.6.0   Issue: Threat Prevention displays the following pop-up error during an upgrade from a previous version of ENS. The issue occurs when a Threat Prevention 10.6.x deployment does not accompany ENS Platform 10.6.x while upgrading ENS 10.5.x.
 
Error 2761. Cannot begin transaction. Global mutex not properly initialized

Workaround: Deploy Threat Prevention 10.6.x with ENS Platform 10.6.x during upgrades.
1238699   10.6.0   Issue: The Firewall Rule policy hangs in ePolicy Orchestrator 5.10 when a non-administrator user submits a policy for approval.
1238665   10.6.0   Issue: Threat Prevention Exploit Prevention exclusions with "Allow any signature" incorrectly match processes that have no signature. "Allow any signature" must only match if the process is signed.
1238526   10.6.0   Issue: If the ePolicy Orchestrator administrator selects an Exploit Prevention event with ID 18056 in the Exploit Prevention Events log, and chooses Action, Add Exclusion, the resulting exclusion does not work. (Event ID 18056 indicates Buffer Overflow detected and blocked (DEP).)

Workaround: The following workaround disables all ENS Buffer Overflow and Illegal API Use protection for the associated process.
  1. Edit the added exclusion in the associated Exploit Prevention policy.
  2. Remove the signature ID (9990) from the exclusion.
  3. Save the exclusion and policy.
1238510   10.6.0   Issue: When creating a Buffer Overflow exclusion where the Signature ID or API is specified and the exclusion is based on an Exploit Prevention event, signer SDN matching does not work.
 
Workaround: Reverse the order of the SDN element provided by the event. For example, if the threat event details specify the SDN as:
 
O=MCAFEE, OU=ENGINEERING, CN=TEST

Reverse the SDN order to:
 
CN=TEST, OU=ENGINEERING, O=MCAFEE
1237915   10.6.0   Issue: Triggering the Threat Prevention Access Protection rule "Executing Windows Subsystem for Linux" references IDS_AP_RULE_PREVENT_WSL_EXECUTEION:IDS_BLADE_NAME_SPB when describing the violated rule.

Workaround: IDS_AP_RULE_PREVENT_WSL_EXECUTEION:IDS_BLADE_NAME_SPB is a reference for the Access Protection rule "Executing Windows Subsystem for Linux" and will be translated in a future release.
1235491   10.6.0   Issue: For Antimalware Scan Interface (AMSI) file detections, where the First Action is Delete and the delete fails, the detection event incorrectly shows the Second Attempted Action as Not Available.

No workaround is required. The Second Attempted Action is Block and correctly blocks the activity.
1228409 KB90374 10.6.0   Issue: If you install ENS Web Control on a system with Application and Change Control 8.1.0.118.1 present, the Google Chrome Endpoint Security Web Control Extension is disabled (it is grayed out). So, no sites are blocked and no ratings are shown.

Workaround: See the related article for instructions to prevent the issue from occurring before installing ENS Web Control, or to resolve the issue if you have already installed ENS Web Control and have experienced it.
1241673
1241500
KB90625 10.5.4   Issue: In the Mozilla Firefox and Google Chrome browsers, the enforcement message for red and yellow rated sites is not appearing when a red or yellow rated site is browsed. A redirection to the mcafee.com site occurs and a page not found error displays. See the related article for more information.
1239725 KB90601 10.5.4   Issue: Some clients report that the amount of memory used by the ENS Web Control service mfewc.exe is over 1 GB. See the related article for more information.
1235803   10.5.4   Issue: In environments with short-lived processes that have an unknown reputation, such as a compiler, ENS imposes a performance penalty on the overall execution. This penalty occurs because the time required to get a reputation is longer than the reputation retrieval.

Workaround: To avoid the performance penalty, you can add an exclusion for the known path where the originator of the short-lived process resides, for example, the compiler path.
1235170   10.5.3   Issue: Microsoft Explorer, Outlook, or Word hangs or crashes when Exploit Prevention is enabled and you open a document from SharePoint or from a network share, in the presence of Microsoft Application Virtualization.

Workaround: Perform one of the following workarounds:
  • Create an Application Protection Rule exclusion for the affected application.
  • Make Signature 6015 a Report only event.
  • Add an "Illegal API User – Buffer Overflow" signature exclusion for the affected application where the Caller Module is appventsubsystems32.dll, the Signature is 6015, and the API is LoadLibraryW.  
Resolution: An Exploit Prevention content update will be released in Q2 2018 to address this false positive.
1232358   10.5.3   Issue: Access Protection rules for the Threat Prevention module are not visible in the ePolicy Orchestrator console. An export of the policy (to XML) reveals that the value assigned to "APRules.dwAPRuleBlocks" does not match the actual number of rules.

Workaround: Delete the corrupt policy, and create a new policy. Currently the cause of the corruption is unknown.
1225364 KB90362 10.5.3   Issue: The Web Gateway Interlock policy allows ENS Web Control to become disabled on an internal network protected by an Internet appliance like Web Gateway. After a network change to an external network, ENS Web Control becomes enabled in the browsers. Currently ENS Web Control is not changing status until the first policy enforcement after the network change. See the related article for more information.
1225852
1227530
  10.5.3   Issue: Installing Data Exchange Layer on a system with ENS Exploit Prevention enabled generates an ENS detection by Exploit Prevention rule 6073.
1215521   10.5.3   Issue: An upgrade to ENS Firewall 10.5.3 hangs.

Workaround: Perform the relevant option below:
  • For an ePolicy Orchestrator (ePO) managed environment: Create an ePO deployment task for the upgrade, and specify the following command-line parameter in the Command line text field:

    -nopreservesettings

    The parameter skips preserving settings during the upgrade and installs with the default policy. The client gets the customized policy in the next policy enforcement interval.
     
  • For a standalone environment: Do not select the Preserve Settings checkbox in the installation wizard during the upgrade.
1214616   10.5.3   Issue: In an ePolicy Orchestrator (ePO) deployment, the ENS installation is interrupted leaving only the Platform installed.

Cause: Another application restarts the system after the Platform installation. Because of the restart, the McAfee Agent deployment task is abruptly closed, which can cause ePO to not receive any response and then time out.

Workaround: Send another deployment task to the systems with this issue. The ENS installation succeeds.
1213517   10.5.3   Issue: Communication is blocked for Microsoft Edge with Application Guard when you use ENS Firewall.

Workaround: Create a firewall rule with the following criteria: Allow Inbound TCP/IPv4 and TCP/IPv6, Local Ports 80 and 443 (or just the proxy port, when appropriate), Remote Ports 49700-65535, Virtual Media. McAfee is investigating whether further qualifying criteria can be set for this rule to avoid the issue; this article will be updated if new information becomes available.

NOTE: This rule also matches for VPN adapters. VPN traffic matching is disrupted.
1212361   10.5.3   Issue: After installation the ENS Web Control module reports as "Not started" in the ENS console.
 
Workaround: To fix the issue, restart the system.
1212782 KB89845 Profiler 1.3 10.5.4 June Update Issue: When you select the "Configure different settings for High Risk and Low Risk processes" option, the Profiler tool reports all processes that are scanned with the High Risk profile. The expected behavior is for the Profiler tool to show processes under High Risk to be scanned under High Risk, and processes under Low Risk to be scanned under Low Risk.

Resolution: This issue is resolved in ENS 10.5.4 June Update and is expected to be resolved in ENS 10.6.1. See the related article for more information.
1203341 KB89678 10.5.2   Issue: A compatibility issue exists between McAfee Application and Change Control (MACC) and ENS that might cause ENS installations or upgrades to fail.

Workaround: To ensure that MACC and ENS can coexist on an endpoint, disable the MACC memory protection and script as updater features. See the related article for instructions to disable these features and for direction on how to install or upgrade the ENS and MACC software.
    10.5.1   Issue: The Threat Prevention Help topic "Deploy an Extra.DAT file to client systems from McAfee ePO Cloud" incorrectly appears in ePO Cloud. ePO Cloud does not support the deployment of Extra.DAT files.

Resolution: This Help topic will be removed in the next major release of Endpoint Security.
    10.5.1   Issue: ENS 10.5.1 does not include Help for the Exploit Prevention Events page under Reporting.

Workaround: This feature is described in the Endpoint Security 10.5.1 Release Notes.

Resolution: This Help topic will be available in the next major release of Endpoint Security.
1226114   10.5.1   Issue: ENS Web Control site ratings do not appear on the second page of results when using Internet Explorer 11 and the Bing search engine with the region set to English United States.

Workaround: Refresh the page and the site ratings display.
1182362   10.5.1   Issue: Email annotations do not appear in messages opened with Outlook 2016. Email annotations appear only in the preview pane.
1173540   10.5.1   Issue: The following migration issues occur when the ENS Firewall extension is not installed:
  • Manual migration does not allow you to migrate VirusScan Enterprise Access Protection and Buffer Overflow Protection policies, and Host Intrusion Prevention IPS policies, to ENS Threat Prevention policies.
  • Auto migration does not migrate trusted applications for IPS to the Access Protection policy as global exclusions.
  • The policy naming convention is different. The policy is named "Migrated VSE Policy-n" rather than "Merged Policy -n".
Workaround: Install the ENS Firewall extension even though you do not use the Host Intrusion Prevention firewall features.
1151514   10.5.0   Issue: Block and Report settings of the Exploit Prevention policy are not set when the Host Intrusion Prevention Rules Policy is not edited, but the IPS Protection policy is changed. When the Host Intrusion Prevention Rules Policy is not edited, but the IPS Protection policy is changed with the Reaction as either Log or Ignore, the Migration Assistant does not migrate Host Intrusion Prevention Rules. The ENS settings are set to the default behavior.

Workaround: This issue occurs only in the unlikely scenario where the Host Intrusion Prevention Rules policy is not edited and the dependent IPS Protection policy is changed to a lower Reaction for high severity signatures. Even though this configuration would have been made by mistake, ENS defaults to the correct behavior by applying the Block setting.
1155117   10.2.0   Issue: You cannot create a Threat Prevention Access Protection custom rule to include or exclude files that have no extension. ENS does not allow the administrator to distinguish between a file or folder when creating Threat Prevention Access Protection custom rules. This fact prevents the creation of custom rules that include or exclude files that have no extension.
1147465   10.2.0   Issue: There is no option to set a warn action for a website rated with a specific Web Category present in the Content Actions policy. (A warn action displays a warning page that lets the end user either continue or cancel navigation to a website.) Only allow or block actions are available to configure for any website rated with a specific Web Category.
1153577 KB87640 10.2.0   Issue: ENS Web Control search annotation ratings might not be displayed in the search engine results when search engines change their search results pages. For example, www.yahoo.tw does not currently display search annotations with Web Control. See the related article for more information.
    10.2.0   Issue: You cannot log off from a Google account in Chrome.

Workaround: Use Firefox or Internet Explorer to sign out of a Google account.
1109943   10.2.0   Issue: TIE Module (TIEm) for VirusScan Enterprise (VSE) 1.0 incorrectly displays as installed alongside ENS.

Workaround: Remove the registry key that causes McAfee Agent to report that TIEm for VSE is still installed:
  1. Verify TIEm for VSE 1.0 files are not present on the endpoint.
  2. Remove the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Application Plugins\JTIC____1000].
1106888   10.2.0   Issue: Exclusions are not added to allow System Information Reporter 1.0 to work properly when the SIR Set Registry policy is changed.



Issues that are not expected to be resolved:
 
Reference Number Related Article Found in ENS Version Resolved in ENS Version Issue Description
1234588   10.6.0 As Designed Issue: PowerShell script invocation can enter a hung state on Windows Server 2016 after installing ENS Threat Prevention 10.6.x.

Cause: ENS 10.6.x supports Antimalware Scan Interface (AMSI) and PowerShell script invocation is subjected to AMSI examination. This issue occurs when ENS is not the only AMSI provider on a Windows Server 2016 system. The ENS 10.6.x installation does not remove Windows Defender on Windows Server 2016 (see known issue 1149046). This fact results in both ENS and Windows Defender being active AMSI providers and causes AMSI to malfunction.

Resolution: This behavior is as designed. Perform the following steps:
  1. Use the following PowerShell command to manually uninstall Windows Defender before installing ENS:

    Uninstall-WindowsFeature -Name Windows-Defender

    For more information, see https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.
     
  2. Ensure that the following AMSI registry keys do not have the Windows Defender GUID {2781761E-28E0-4109-99FE-B9D127C57AFE} registered. The Windows Defender uninstall does not automatically perform this cleanup.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\{2781761E-28E0-4109-99FE-B9D127C57AFE}
     
  3. Confirm that Windows Defender is not active using the following command:

    sc query Windefend
1239337   10.6.0 Will Not Fix Issue: If using the Mozilla Firefox or Edge browser, ENS Web Control email annotation banners do not appear when malicious URLs are present in the body of the email.
 
Resolution: This issue will not be resolved. To see ENS Web Control email annotation banners when malicious URLs are present in the body of an email, use Internet Explorer or Google Chrome.
1235963   10.6.0 Will Not Fix Issue: When upgrading from ENS Web Control 10.2.x to ENS Web Control 10.6.x, a one-time application crash might be observed in Dwm.exe, OneDrive.exe, and conhost.exe.
 
Resolution: This issue will not be resolved.
1233664   10.6.0 As Designed Issue: ENS Web Control does not allow a clean file to download from a malicious URL based on reputation, if McAfee Client Proxy is in redirection mode.

Resolution: This behavior is as designed. The file is not downloaded because of a double enforcement by ENS Web Control and McAfee Client Proxy. The recommendation is to enable the setting "Disable if McAfee Client Proxy is detected" in the ENS Web Control Options policy.
1228925   10.6.0 As Designed Issue: ENS installation might fail on a system with older patch levels of Host Intrusion Prevention 8.0.

Resolution: This behavior is as designed. Upgrade Host Intrusion Prevention 8.0 to one of the following:
  • Host Intrusion Prevention 8.0 Patch 11
  • February 2018 content release 8231 (or later) if using Host Intrusion Prevention 8.0 Patch 7 or earlier
  • March 2018 content release 8274 (or later) if using Host Intrusion Prevention 8.0 Patch 8 through 10
  KB88765 10.5.3 As Designed Issue: If the ENS Web Control iFrames support feature blocks a site, adding the site to the ENS Web Control Allow List does not allow access to the site.

Resolution: This behavior is as designed. See the related article for more information. Use any of the following options to allow access to sites that the iFrames support feature blocks:
  • Add the IP address of the web server to the Exclusions list in the ENS Web Control Options policy.
  • Change the action specified for sites that are rated as Yellow and Unrated to Allow in the ENS Web Content Actions policy. Sites that are rated as Yellow and Unrated are blocked if the action specified for these sites is set to Warn and they appear in an HTML iFrame.
  • Disable the option Enable HTML iFrames support in the ENS Web Control Options policy.
1229445   10.5.3 CrowdStrike hotfix is available Issue: A system crash (blue screen error) occurs in mfencbdc.sys when installing ENS with the third-party software CrowdStrike present on the system.

Resolution: A hotfix is available from CrowdStrike to resolve the issue.
1216519   10.5.3 Will Not Fix Issue: After installation, the ENS Web Control module is not reporting to ePolicy Orchestrator.
 
Resolution: This issue will not be resolved. To fix the issue, restart the system.
1215828   10.5.3 Will Not Fix Issue: Microsoft Data Execution Prevention (DEP) integration is working, but events are not reported for buffer overflow attacks with standalone installations.
 
Resolution: This issue will not be resolved. DEP event reporting works as expected with ePolicy Orchestrator.
1215800   10.5.3 As Designed Issue: An upgrade of the ENS 10.5.3 Firewall, Threat Prevention, or Web Control modules through an ePolicy Orchestrator (ePO) deployment task from RTS to RTW does not automatically upgrade the Host Common module. The Host Common module stays at the RTS version unless explicitly included in the ePO deployment task.

Resolution: This behavior is as designed. Add the Host Common module to the ePO deployment task when upgrading from ENS 10.5.3 RTS to ENS 10.5.3 RTW.
1215784   10.5.3 As Designed Issue: An upgrade fails from VirusScan Enterprise 8.8 Patch 4 + Host Intrusion Prevention 8.0 Patch 4 + SiteAdvisor Enterprise 3.5 Patch 2 to ENS 10.5.3.
 
Resolution: This behavior is as designed. Update the Host Intrusion Prevention content before the upgrade to avoid this issue.
1215537 KB89293
KB86948
10.5.3 As Designed Issue: On Windows Server operating systems, web protection is not blocking malicious sites in Internet Explorer 11.

Resolution: This behavior is as designed. On Windows Server operating systems, the Internet Explorer browser setting "Enable third-party browser extensions" is disabled by default. ENS Web Control requires this option to be enabled. For instructions to enable this option, see the related articles.
1209000   10.5.3 As Designed Issue: Access Protection File execute and Process run subrules and operations are not working.
 
Resolution: This behavior is as designed. The service "McAfee Validation Trust Protection Service" allows trusted applications to function when needed. This service mitigates the risk of creating a rule accidentally that might potentially prevent an essential process from running, and even impact the normal behavior of the operating system. The validation is applied only to some specific rules that are trusted from McAfee and Microsoft. The validation is applied by default to all rules when created using the Access Protection user interface. But, the validation is not applied by default for expert rules for Exploit Prevention.
    10.5.2 As Designed Issue: Running the migration tool more than once can cause policies to be overwritten and appear to revert.

Resolution: This behavior is as designed. The policy migration task is designed to be run only once and from that point not run again in the environment.
  KB89510 10.5.1 Hotfix 2 As Designed Issue: After you install an ENS patch or hotfix that upgrades AMCore, the AMCore scanner fails to initialize. On-Access Scanning and On-Demand Scanning do not work if the AMCore scanner does not initialize.

Resolution: This behavior is as designed. Any time an ENS patch or hotfix upgrades AMCore, it is mandatory to update to current AMContent for the AMCore scanner to initialize. See the related article for more information.
  KB89509 10.5.1 Hotfix 2 As Designed Issue: After installation of ENS 10.5.1 Hotfix 2, the following issues can occur:
  • The AMCore content version is reported as .5. After the hotfix installation, a content update will run and download new content.
  • If the ENS 10.5.1 and ENS 10.5.1 Hotfix 2 packages are in the same branch of the Master Repository, the ENS 10.5.1 package is downloaded to the end node at each McAfee Agent agent-server communication interval (ASCI).
Resolution: This behavior is as designed. The new version of AMCore with ENS 10.5.1 Hotfix 2 requires AMContent 3004 or higher (released June 7, 2017). Also, ENS 10.5.1 and ENS 10.5.1 Hotfix 2 cannot be in the same branch of the ePolicy Orchestrator Master Repository. See the related article for more information.
  KB89534 10.5.1 Hotfix 2 As Designed Issue: An AMCore content update fails if you check in ENS hotfix packages to a different branch than Current in the ePolicy Orchestrator Master Repository.

Resolution: This behavior is as designed. The next scheduled content update task from ePolicy Orchestrator will resolve the issue. To avoid this issue, ensure that there is a copy of AMCore content in both of the branches. See the related article for more information.
  KB89469 10.5.1 Hotfix 1 As Designed Issue: An upgrade from ENS 10.5.0 to ENS 10.5.1 fails if ENS 10.5.1 Hotfix 1 or Hotfix 2 is in the same branch of the ePolicy Orchestrator Master Repository.

Resolution: This behavior is as designed. ENS 10.5.1 and ENS 10.5.1 Hotfix 1 or Hotfix 2 cannot be in the same branch of the ePolicy Orchestrator Master Repository. See the related article for more information.
1201666   10.5.1 As Designed Issue: A Potentially Unwanted Program exclusion by detection name is not applied to detections through the scan email attachments feature.

Resolution: This behavior is as designed. Disable the scan email attachments feature if you see too many detections.
1185352   10.5.1 Will Not Fix Issue: If McAfee Client Proxy is uninstalled and reinstalled on a system with ENS 10.5.1, and "Disable if McAfee Client Proxy is detected" is enabled in the ENS Web Control Options policy, "Disable if McAfee Client Proxy is detected" is not honored, unless it is disabled and re-enabled.

Resolution: This issue will not be resolved. Disable "Disable if McAfee Client Proxy is detected" in the ENS Web Control Options policy, and check the new policies. Then, re-enable "Disable if McAfee Client Proxy is detected" in the ENS Web Control Options policy, and again check the new policies.
1184531   10.5.1 Will Not Fix Issue: The Threat Prevention status is shown as unknown on Windows 10 Creators Update systems. This status is displayed because of a change in the Windows API behavior that causes the AMCore driver installer to misinterpret one of the installer components as untrusted. This issue is a random failure and is not encountered on all Windows 10 Creators Update systems. As a result, the Threat Prevention module might not be fully functional because a restart is needed for the driver upgrade to complete.

Resolution: This issue will not be resolved. Perform one of the following:
  • Restart the system to allow the new drivers to load successfully.
  • Install ENS 10.2.0 Hotfix 1164434 before upgrading to ENS 10.5.x.
  • Upgrade to ENS 10.2.1 before upgrading to ENS 10.5.x.
1183560   10.5.1 Will Not Fix Issue: The RESTORE operation for registry-related Access Protection subrules is not working as expected when it is the only operation enabled on the Access Protection subrule.

Resolution: This issue will not be resolved. Enable REPLACE, DELETE, and WRITE operations with the RESTORE operation when defining a Registry Key or Registry Value Access Protection subrule.
1180078   10.5.1 Will Not Fix Issue: If the end user selects more than 1000 files and performs a right-click On-Demand Scan on the selection, only 1000 of the files are scanned.

Resolution: This issue will not be resolved. When performing a right-click On-Demand Scan of more than 1000 items, select the parent folder instead of the files in it.
1175803   10.5.1 As Designed Issue: The "AMCore Content Compliance Days" property stays empty in all situations, for both Compliant and Non-Compliant content.

Resolution: This behavior is as designed. The "AMCore Content Date" property was added to Queries, making the "AMCore Content Compliance Days" property obsolete.
1184610   10.5.0 Will Not Fix Issue: Services protection does not block some services from starting. This issue has been reported with the Security Center Service and Bluetooth Support Service.

Resolution: This issue will not be resolved.
1180296 KB87096 10.5.0 As Designed Issue: Installation of ENS fails. The installation logs contain error code 0x80096005, -2146869243, or both.

Cause: The required trusted root certificates were not added during installation.

Resolution: This behavior is as designed. Address the issue preventing the automatic update of root certificates, or import the required root certificates. See the related article for more information.
1172735   10.5.0 Will Not Fix Issue: An upgrade from ENS 10.2 to ENS 10.5 through ePolicy Orchestrator that uses the "Run Task Now" option times out, and leaves some components of ENS in their 10.2 state. This issue is most likely to occur if you install multiple products one after the other and do not restart between installations.

Resolution: This issue will not be resolved. Restart the system before installing ENS 10.5.
1167969   10.5.0 As Designed Issue: Services protection has the following limitations (that also exist in Host Intrusion Prevention):
  • User and executable parameters are not distinguished; although they are available in the UI, they are not valid parameters.
  • Services protection is valid up to Windows 8.0; later releases are not supported.
  • The enable or disable hardware profile operation is not supported.
Resolution: This behavior is as designed.
1165590   10.5.0 Unable to reproduce Issue: When a client receives an ENS 10.2 policy, Exploit Prevention shows a message that says that it is not enabled due to Host Intrusion Prevention being installed, even though Host Intrusion Prevention is not enabled. Exploit Prevention works fine irrespective of the message.

Workaround: Change the ENS 10.2 policy for the ENS 10.5 extension to properly save it with the ENS 10.5 policy format.
1165257   10.5.0 As Designed Issue: A user can continue to change settings after a time-based password has expired if the settings console was opened before the password expired and is still open. The next policy enforcement will override the changed settings.

Resolution: This behavior is as designed.
1163884   10.5.0 As Designed Issue: After you disable firewall timed groups, time ticking is paused when the firewall is disabled, and starts from the point in time when the firewall is re-enabled. Even though timed groups are enabled, they are not functional because the firewall is disabled.

Resolution: This behavior is as designed. When the firewall is re-enabled, re-enable the timed group and change its running time in the policy. To stop the timed group, use the Disable Firewall Timed Group option in the McTray Quick Settings.
1162830   10.5.0 Will Not Fix Issue: When ENS Web Control is installed on an operating system that has Internet Explorer (IE) 11 with the Enhanced Protected Mode setting enabled, it fails to block malicious sites and file downloads. ENS Web Control is not compatible with IE Enhanced Protected Mode.

Resolution: This issue will not be resolved. Disable the "Enable Enhanced Protected Mode" setting in IE at Tools, Internet options, Advanced, Security. Or, you can disable it at the zone level at Tools, Internet options, Security, Security level for this zone.
1157387   10.5.0 As Designed Issue: After you install ENS, enable "Disable if McAfee Client Proxy is detected" in the Options policy of ENS Web Control, enforce the policy, and then install McAfee Client Proxy, ENS Web Control is not disabled immediately after the installation of McAfee Client Proxy.

Resolution: This behavior is as designed. Use either of the following workarounds:
  • Wait for about five (5) minutes, and ENS Web Control is disabled.
  • Change any ENS Web Control policy and enforce the new policy, and ENS Web Control is disabled.
1154452   10.5.0 Will Not Fix Issue: When you select a sub System Tree ENS migration, select some groups, click Actions, choose columns, and save, the selection of groups is reset.

Resolution: This issue will not be resolved.
1077660   10.2.1 Will Not Fix Issue: If a McAfee Agent update task is configured to show the update progress window, and the end user is allowed to postpone the task, the "Update in Progress" window might appear for a short time. It appears even though the update is not actually occurring. If the end user postpones the task, an "Update finished" window might appear, even though the update did not occur.

Resolution: This issue will not be resolved.
  KB87568 10.2.0 As Designed Issue: The ENS Web Control browser extensions must be enabled in the browser before ENS Web Control is operational in the browser.

Resolution: This behavior is as designed. See the related article for more information.
1179636 KB88568 10.2.0 Unable to reproduce Issue: A scan exclusion configured for multiple mount points does not work.

Workaround: Configure the scan exclusion with the full path for the mount point. If you experience this issue, contact Technical Support. See the related article for more information.
1163246   10.2.0 Will Not Fix Issue: McAfee Agent 5.0.2.132 does not upload the ENS 10.x events.

Resolution: This issue will not be resolved. Use McAfee Agent 5.0.2.333 or later.
1144915   10.2.0 Will Not Fix Issue: After all ENS modules are uninstalled, the Common module (Endpoint Security Platform) uninstallation is automatically started. Sometimes the user interface for this uninstallation is minimized, which can make it harder for a user to tell when this uninstallation is occurring.

Cause: The Endpoint Security Platform is a support module that is required for the ENS protection modules to function. When all other modules are uninstalled, the Endpoint Security Platform module is automatically removed. However, Windows sometimes starts this process in a minimized mode or shows the window behind the other windows on the screen. If the user does not know that this uninstallation is happening, they could inadvertently restart the system in the middle of that uninstallation.

Resolution: This issue will not be resolved. Before you uninstall ENS products, ensure that any current work is saved, and close running desktop programs. The user can likely see that the Endpoint Security Platform uninstallation is occurring.
1149046   10.2.0 As Designed Issue: ENS does not disable Windows Defender on Windows Server 2016. Microsoft has deprecated the Windows API to enable or disable Windows Defender in Windows Server 2016. This fact could lead to performance issues, but this issue has not been confirmed. The best practice is to run a single real-time anti-virus solution.

Resolution: This behavior is as designed. Use PowerShell to manually disable Windows Defender:
 
Set-MpPreference -DisableRealtimeMonitoring $true
 
For more information about PowerShell cmdlets, see https://technet.microsoft.com/en-us/library/dn433280.aspx?f=255&MSPPError=-2147217396.
1148753   10.2.0 Will Not Fix Issue: The ENS 10.2 services stop after a McAfee Agent upgrade in the presence of Threat Intelligence Exchange (TIE) client 10.1.

Resolution: This issue will not be resolved. To avoid the issue:
  • Upgrade to ENS 10.2 first without an upgrade to McAfee Agent, and then upgrade McAfee Agent and any other McAfee managed products.
  • Uninstall TIE client 10.1, install McAfee Agent and any other McAfee managed products, and then reinstall TIE client 10.1.
1148403   10.2.0 Will Not Fix Issue: If you upgrade the Threat Prevention extension version, the ENS client UI might fail to display Exploit Prevention exclusions, indicate erroneous validation errors, and generate errors in EndpointSecurityPlatform_Errors.log such as the following:
 
Failed to retrieve GPEP setting for Exploit Prevention.

Failed to enforce Exploit Prevention policies.
 
Resolution: This issue will not be resolved. Edit and save the assigned Exploit Prevention policy, and send an agent wake-up call to the affected systems.
1148210   10.2.0 Will Not Fix Issue: An upgrade from ENS 10.1 to ENS 10.2 hangs at 24% in the presence of TIE client 10.1.

Resolution: This issue will not be resolved. To avoid the issue:
  • Upgrade to ENS 10.2 first without an upgrade of McAfee Agent, and then upgrade McAfee Agent and any other McAfee managed products.
  • Uninstall TIE client 10.1, install McAfee Agent and any other McAfee managed products, and then reinstall TIE client 10.1.
1142553 KB87534 10.2.0 Unable to reproduce Issue: On Windows 7, user roaming profiles are not saved to a network share on user logoff.

Workaround: Create an exclusion in Threat Prevention to not scan the roaming profile folders on the server. See the related article for more information. Currently a root cause cannot be found on Windows 7. If you experience the issue with Windows 8 or Windows 10, collect the information described in the related article and provide the results to Technical Support.
1137118   10.2.0 Will Not Fix Issue: During upgrade from a previous version of ENS, when "Save my settings if upgrading" is deselected, the user-provided Access Protection exclusions remain on the system.

Resolution: This issue will not be resolved. Use the ENS Console to remove unwanted Access Protection exclusions before the upgrade to the latest version of ENS.
1137117   10.2.0 Will Not Fix Issue: During upgrade from a previous version of ENS, when "Save my settings if upgrading" is deselected, the user-provided Exploit Prevention exclusions partially remain on the system.

Resolution: This issue will not be resolved. Use the ENS Console to remove unwanted Exploit Prevention exclusions before the upgrade to the latest version of ENS.
1134953   10.2.0 Will Not Fix Issue: If you use Firefox, when ENS Web Control blocks the download of a malicious file, a zero-byte file is left in the folder in which the file was being downloaded.

Resolution: This issue will not be resolved. Use a different browser, such as Internet Explorer or Chrome.
1132923   10.2.0 As Designed Issue: When you select the IPS Rules policy for migration, the IPS Protection policy category lists all policies from the Policy Catalog including McAfee defined and unmodified My Default policies.

Resolution: This behavior is as designed.
1132406   10.2.0 Will Not Fix Issue: SiteAdvisor Enterprise policies named Typical Corporate Environment are not migrated in a manual migration or one-to-one auto migration. Typical Corporate Environment is a default policy name for a few products that are not migrated. The Migration Assistant does not migrate policies with this name for any products.

Resolution: This issue will not be resolved. Rename the SiteAdvisor Enterprise policy from Typical Corporate Environment to any other name and then perform the migration.
1132404   10.2.0 Will Not Fix Issue: Manual migration is allowed to continue when only the IPS protection policy is selected.

Resolution: This issue will not be resolved.
1132212   10.2.0 Will Not Fix Issue: Auto-migrated Threat Prevention Access Protection and XP policies do not include the IPS Protection policy in their notes section.

Resolution: This issue will not be resolved.
1131595   10.2.0 Will Not Fix Issue: Executable notes from Host Intrusion Prevention Exceptions do not migrate to the Exploit Prevention executable notes section.

Resolution: This issue will not be resolved.
1129727   10.2.0 Will Not Fix Issue: If a Host Intrusion Prevention file, reg, or program rule exception contains multiple parameter types, such as user name and executable, the exception applies when all parameters are true. After migration to an ENS Access Protection rule, the exception applies when any of the parameters are true.

Resolution: This issue will not be resolved. In ENS, create one rule per parameter type.
1127732   10.2.0 As Designed Issue: The TIE client sends only TIER 1 requests for known trusted files signed by a certificate.

Resolution: This behavior is as designed.
1120973   10.2.0 As Designed Issue: When you perform a Secure Search from the search bar, it does not automatically use the configured Secure Search engine.

Resolution: This behavior is as designed. Manually set McAfee Secure Search as the default search provider.
1110634   10.2.0 As Designed Issue: When a deployment task for ENS fails because of an insufficient version of McAfee Agent, the McAfee Agent Monitor displays a message that says the task is successful.

Resolution: This behavior is as designed. Ending the deployment process during the prerequisite software check is not considered a failure state by McAfee Agent. The deployment does not continue to the download phase. As far as McAfee Agent is concerned, the task itself was successful in running, even though it ended prematurely. This behavior is different from when the deployment fails while running the installation program after it has been downloaded to the endpoint.
1099253   10.2.0 Will Not Fix Issue: ENS fails to preserve custom settings for features that are not installed in VirusScan Enterprise 8.8 when upgrading to ENS 10.2 or 10.5.

Resolution: This issue will not be resolved.
1097395     Will Not Fix Issue: The Action Taken properties from "Contains pattern" values in the Threat Event Log show Intrusion Detection System (IDS) strings, for example, “IDS_ALERT_ACT_TAK_DEN”, instead of natural language strings, for example, “deny access”.

Resolution: This issue will not be resolved.
1094383   10.2.0 Will Not Fix Issue: The VirusScan Enterprise Buffer Overflow Protection (BOP) exclusion API value is not migrated if either the module or API name contains a period (for example, dll.socket or fakeAPI.abc).

Resolution: This issue will not be resolved. Ensure that the module or API name does not contain a period.
1089748   10.2.0 Will Not Fix Issue: Sometimes there is a delay in the display of the email annotation in Outlook.

Resolution: This issue will not be resolved.
1086074 KB86948 10.2.0 Will Not Fix Issue: On Windows Server operating systems, the Internet Explorer browser setting "Enable third-party browser extensions" is disabled by default. ENS Web Control requires this option to be enabled. After ENS Web Control is installed, the end user cannot enable the setting "Enable third-party browser extensions".

Resolution: This issue will not be resolved. Enable the setting "Enable third-party browser extensions" in Internet Explorer. See the related article for more information.
1083135   10.2.0 As Designed Issue: The list of assigned tasks in one group is not moved to another group when a major upgrade is deployed from ePolicy Orchestrator (for example, ENS 10.2 to 10.5).

Resolution: This behavior is as designed.
1075106   10.2.0 Will Not Fix Issue: Firewall DNS blocking is not enforced for Internet Explorer running on Windows 7 64-bit, and Windows Server 2008 R2 systems. 

Resolution: This issue will not be resolved. This issue is intermittent and occurs only for a short time after you upgrade ENS.
1074557   10.2.0 Will Not Fix Issue: The McTray icon is distorted after you install ENS in a TPS environment.

Resolution: This issue will not be resolved.
1070400   10.2.0 As Designed Issue: The client UI does not start in Safe Mode.

Resolution: This behavior is as designed.
1070739   10.2.0 Will Not Fix Issue: Natural language descriptions are not properly translated.

Resolution: This issue will not be resolved. To work around the issue, restart the system.
1057970 KB84522 10.2.0 Will Not Fix Issue: The service start process times out while waiting for a dependent service to start. If the service does not respond in 30 seconds, Windows stops the service. 

Resolution: This issue will not be resolved. Log on and start the service manually from the Services user interface (Services.MSC). The service also starts automatically from a COM ping when a browser window is left open for a few minutes. See the related article for more information.
1070189   10.2.0 Will Not Fix Issue: Even if you choose another language for the client interface language, the interface language of ENS Web Control is written in the default language.

Resolution: This issue will not be resolved. The language of the ENS Web Control interface in the browser does not depend on the client user interface language that is set. The language is localized based on system locale.
996973   10.2.0 As Designed Issue: A manual installation generates an Unidentified Publisher error.

Resolution: This behavior is as designed. Check Event Viewer, Windows Logs, Application log for the latest event from source Certificate Services Client to verify that it has been started successfully. Certificate Services Client is a core part of Windows that manages certificate handling, such as certificate enrollment, including auto-enrollment and credential roaming.
996375   10.2.0 As Designed Issue: A Windows Security Audit failure occurs because of mfeelamk.sys.

Resolution: This behavior is as designed. A driver developed for Windows 8 and signed by "Microsoft Windows Early Launch Anti-malware Publisher" is generating audit errors on Windows 7. Depending on how often your system is designed to run an audit, you might see several of these errors in the Windows Event Log.
993212   10.2.0 As Designed Issue: ENS client help is not enabled for screen readers, such as JAWS.

Resolution: This behavior is not supported.
991842   10.2.0 As Designed Issue: By default, "Use system proxy settings" is selected in the Common setting for a self-managed system.

Resolution: This behavior is as designed. Use the local UI to change the setting.
990974   10.2.0 As Designed Issue: Some informational common settings for modules still exist in the Common settings page even though the module is not installed. For example, Threat Prevention events are not removed after the related blades are uninstalled from the system.

Resolution: This behavior is as designed. No problems occur because of the existence of these settings.
990805   10.2.0 Will Not Fix Issue: The local update task does not run at the specified time, but instead runs later.

Resolution: This issue will not be resolved. To avoid a network storm, the local update task uses a randomization of 60 minutes when setting up the schedule. So, the update task runs within 60 minutes of the scheduled time. The randomization setting is not available from the local UI and cannot be changed.
982238   10.2.0 As Designed Issue: A sharing violation error is logged in the local log file after scanning the C:\Windows folder. The sharing violation is expected because of the files being open exclusively (no shared read) in Windows processes.

Resolution: This behavior is as designed. The sharing violation error severity is set to Informational, which means by default the error is not sent to ePolicy Orchestrator. Also, the error does not display in the Windows Event Log by default.
976918   10.2.0 As Designed Issue: Some Access Protection rules protect against remote access, such as the Remotely accessing local files or folders rule. When these rules are enabled and an access is reported or blocked, the target path value in the Event Log might report the pipe connection, rather than the file path that was requested in the attempted access. For example, the Event Log might report \\.\pipe\srvsvc rather than \\computer\share\filename.

Resolution: This behavior is as designed, and is a reflection of how the Windows file system works.
949580   10.2.0 As Designed Issue: An erroneous summary is displayed in the Threat Summary: Threat free for last 30 days if ENS was installed in the last 30 days.

Resolution: This behavior is as designed. If there have been no threats in the last 30 days, ENS displays this message. If there were threats in the last 30 days, ENS displays the exact number of threat-free days.
926640   10.2.0 Will Not Fix Issue: The ENS Web Control plug-in fails to work if both Protected mode and Enhanced Protected mode are enabled in Internet Explorer 10 or 11.

Resolution: This issue will not be resolved.
922465   10.2.0 As Designed Issue: The Firewall Rules table does not allow a new rule to be added to a new empty group in one step.

Resolution: This behavior is as designed. To move a newly added firewall rule to an empty group, first drag the rule above the group, and then drag and drop the rule inside the new group.
919855   10.2.0 As Designed Issue: When running some ePolicy Orchestrator ENS event queries, and you drill down on a specific event's details, not all details of the event display.

Resolution: This behavior is as designed. Select the Go to related Event Log link to see the complete event details.
912588   10.2.0 As Designed Issue: There are no Self-Protection events in the Windows Event Viewer, the ENS Client Event Viewer, or ePolicy Orchestrator Threat Events.

Resolution: This behavior is as designed. Self-Protection events are set to Informational by default and they are tied to the Event Filtering of Access-Protection. All event filtering is set to Major and Critical by default in ePolicy Orchestrator and in the client UI. To see Self-Protection events in the Windows Event Viewer, the ENS Client Event Viewer, or ePolicy Orchestrator Threat Events, you must change the Event Filtering for Access-Protection to All. Because All includes informational events, Self-Protection events display in the three areas mentioned.

NOTE: Regardless of the Event Filtering settings, Self-Protection events are logged to the SelfProtection_Activity.log file located in %PROGRAMDATA%\McAfee\Endpoint or %allusersprofile%\application data\McAfee\Endpoint. You can view this information at any point if needed.
898131   10.2.0 Will Not Fix Issue: Clicking Update Now reports a successful update when the system is already up to date.

Resolution: This issue will not be resolved. When you click Update Now, the updater is initiated and the repository is checked for new updates. This behavior occurs regardless of whether the system is already up to date. Even in the case where no update is applied, the updater reports that the update was successful.


Critical:
 
Reference Number Related Article Found in ENS Version Resolved in ENS Version Issue Description
1220432 KB89771 10.5.3 10.5.3 Hotfix 1 Issue: A rare blue screen error with BugCheck 133 involving the mfefirek.sys firewall driver can be encountered on high-demand server class systems.

Resolution: This issue is resolved in ENS 10.5.3 Hotfix 1. See the related article for more information.
1219240, 1217114 KB90053 10.5.3 (RTW) 10.5.3 (Repost) Issue: Under a specific and rare race condition, a system crash (blue screen error) might occur during an upgrade from an earlier (older) ENS version to ENS 10.5.3.

Workaround: If a system has encountered this issue and does not automatically restart, see the related article for the workaround procedure.

Resolution: The repost of ENS 10.5.3 corrects this issue. See the related article for more information.
  • If you currently have ENS 10.5.3 installed, you can continue to run ENS 10.5.3 on the system because the issue occurs only during the initial upgrade.
  • For any new installations of ENS 10.5.3, we recommend that you use the ENS 10.5.3 repost.
1211101 KB89985 10.5.3 10.5.3 Issue: On 64-bit systems, upgrades from previous versions of ENS that were installed by explicitly providing the custom installation path "c:\Program Files (x86)\" do not update the ENS Platform files.

Workaround: Uninstall ENS from the custom installation path and then install the latest version of ENS.

Resolution: This issue is resolved in ENS 10.5.3. However, the issue could not be fixed for systems that already have ENS installed and are upgrading from ENS 10.5.2 or earlier. Only a clean installation of ENS 10.5.3 will address the issue and prevent it from happening in the future. See the related article for more information.
1206158 KB89681 10.5.1 Hotfix 2 10.5.2 Issue: Services that are required for ENS functionality fail to load on Windows 7 Embedded systems when ENS 10.5.1 Hotfix 2 is applied to the system.

Resolution: This issue is resolved in ENS 10.5.2. See the related article for more information.
1191601 KB89864 10.5.1 10.5.3 Issue: When ENS Exploit Prevention policies are backed up or exported, the backup copy contains only the Exploit Prevention content signatures from the content version when the backup was created. When the backup policy is restored on an ePolicy Orchestrator server with newer ENS Exploit Prevention content, the imported policy is missing any new content signatures until the next Exploit Prevention content update.

Workaround: Workaround steps are outlined in the related article.

Resolution: This issue is resolved in ENS 10.5.3.
1179148   10.5.1 10.5.3 Issue: The Access Protection rule "Changing any file extension registrations" is not effective at preventing changing file extension registrations.

Resolution: This issue is resolved in ENS 10.5.3.
1211550, 1182188 KB89855, KB89904 10.5.1 10.5.3, 10.5.2 Hotfix 1213762 Issue: After Exploit Prevention content is updated, the Application Protection Rules policies are set back to the default configuration. This reset means that any previously configured custom rules must be re-created.

Resolution: This issue is resolved in ENS 10.5.2 Threat Prevention extension Hotfix 1213762 and ENS 10.5.3. See the related articles for more information.
1184551   10.5.1 10.5.3 Issue: AMCore content is not retained on client systems after upgrading ENS.

Resolution: This issue is resolved in ENS 10.5.3.
  KB89029 10.5.1 10.5.1 Hotfix 1 Issue: If Device Guard or Credential Guard is enabled on a Windows 10 Creators Update 64-bit system, you must ensure that Microsoft KB4016251 is installed on the system before you install McAfee products. For more information, see KB89029.

Because of an issue in Windows 10 Creators Update, if Microsoft KB4016251 is not installed and you install McAfee products, the system shows a blue screen error and is no longer bootable. Currently, there is no known workaround for this issue.

Resolution: The issue does not occur if you install ENS 10.5.1 with Hotfix 1 on the Windows 10 Creators Update system. See the related article for more information.
1235700, 1235504, 1235375, 1166985 KB90480 10.5.0 10.5.3 Issue: Systems might experience a random blue screen error (system crash) with BugCheck 7E when Threat Prevention 10.5.0, 10.5.1, or 10.5.2 is installed.

The stack text is similar to the following:
 
STACK_TEXT:
fffff880`08e04310 fffff880`0d94c258 : 00000000`00000000 00000000`00000000 fffff880`0d944960 00000000`000007ff : mfeavfk11!AVFWORK::Init+0x1e0 [d:\build_668958\build\syscore\avfilt\avfsysmain.cpp @ 3054]
fffff880`08e04370 fffff800`01c50c16 : fffffa80`128dc1d0 fffffa80`128dc1d0 00000000`00000000 00000000`000007ff : mfeavfk11!DriverEntry+0x258 [d:\build_668958\build\syscore\avfilt\avfsysmain.cpp @ 3222]
fffff880`08e04510 fffff800`01c51015 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!IopLoadDriver+0xa06
fffff880`08e047e0 fffff800`01cf8559 : 00000000`00000000 ffffffff`80003cd0 00000000`00000000 00000000`00000000 : nt!IopLoadUnloadDriver+0x55
fffff880`08e04820 fffff800`018c3283 : fffffa80`10993040 fffffa80`06d14040 00000000`00000000 00000000`00000000 : nt!NtLoadDriver+0x189
fffff880`08e048d0 fffff800`018b6b50 : fffff880`0151441a fffff880`08cde6a0 fffffa80`06d14040 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13
fffff880`08e04a68 fffff880`0151441a : fffff880`08cde6a0 fffffa80`06d14040 00000000`00000000 fffff880`02016180 : nt!KiServiceLinkage
fffff880`08e04a70 fffff800`01b55284 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : mfehidk!DriverLoadThreadMain+0x5a [d:\build_668958\build\syscore\syslib\sysload.cpp @ 227]
fffff880`08e04c00 fffff800`018b9816 : fffff880`02016180 fffffa80`10993040 fffff880`02023140 00000000`00000000 : nt!PspSystemThreadStartup+0x140
fffff880`08e04c40 00000000`00000000 : fffff880`08e05000 fffff880`08dff000 fffff880`08e03df0 00000000`00000000 : nt!KxStartSystemThread+0x16

Resolution: This issue is resolved in ENS 10.5.3 and later. See the related article for the required steps to resolve the issue.
1186563   10.5.0 10.5.1 Issue: After the ENS Exploit Prevention content is updated, some systems might not display new or updated content signatures in the Endpoint Security Threat Prevention - Exploit Prevention policy, or when the standalone client is used.

Resolution: This issue is resolved in ENS 10.5.1.
1182777 KB88815 10.5.0 Microsoft fix available Issue: After Threat Prevention is installed, Windows Server 2012 or Windows Server 2012 R2 servers with Cluster Shared Volumes randomly show a blue screen error.

Workaround: The issue does not occur with Windows Server 2016.

Resolution: There is a Microsoft release that resolves this issue, which is described in the March 2017 rollup: https://support.microsoft.com/en-us/help/4012219/march-2017-preview-of-monthly-quality-rollup-for-windows-8-1-and-windows-server-2012-r2. See the related article for more information.
1176129   10.5.0 10.5.1 Issue: The firewall is unable to communicate with the Global Threat Intelligence (GTI) server through a proxy.

Resolution: This issue is resolved in ENS 10.5.1.
1172948, 1173107   10.5.0 10.5.1 Issue: The firewall blocks all traffic if the Global Threat Intelligence (GTI) server is unavailable.

Resolution: This issue is resolved in ENS 10.5.1. Traffic is no longer blocked if ENS is unable to access the GTI server.
1164824   10.5.0 10.5.3 Issue: If you edit the block or report settings for an Exploit Prevention signature, the client UI might display that signature at the bottom of the list of signatures. This display might happen even though the list is sorted numerically otherwise.

Workaround: In the client UI, scroll to the bottom of the list of Exploit Prevention signatures to find signatures whose block or report settings have been changed from their default value.

Resolution: This issue is resolved in ENS 10.5.3.
1163245   10.5.0 10.5.3 Issue: When ENS is installed, it creates the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\RealProtect" for the Real Protect component. Uninstallation of ENS does not delete this registry key. This registry key is a subkey of "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee" so it does not interfere with any other products.

Workaround: Manually delete the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\RealProtect".

Resolution: This issue is resolved in ENS 10.5.3.
1154397   10.2.0 10.2.1 Issue: The ENS 10.2.0 Firewall rule policy McAfee Default rule named Allow SMB over TCP has both the local and remote port set to 445.

Workaround: Edit the Firewall rules to: Allow incoming Local port=445, remote port=Any and Allow outgoing Remote port=445, local port=Any.

Resolution: This issue is resolved in ENS 10.2.1.
1153407 KB87658 10.2.0 Host IPS 8.0 Patch 8 Hotfix 1153407 or Host IPS 8.0 Patch 8 Issue: When you install any McAfee product that includes SysCore 15.5 (such as Endpoint Security 10.2.0), it breaks the trust in Host Intrusion Prevention (Host IPS) 8.0 Patches 5–7.

Workaround: To avoid the issue, upgrade to Host IPS 8.0 Patch 8 before you install ENS 10.2.0. See the related article for more information.
1137347   10.2.0 10.5.3 Issue: An upgrade of the TIE for VirusScan Enterprise extension to TIE for Endpoint Security did not update the event descriptions. The upgraded extension is still able to manage clients with Threat Intelligence Exchange for VirusScan Enterprise.

Resolution: This issue is resolved in ENS 10.5.3.
1129582 KB88161 10.2.0 10.5.0 Issue: A system with Threat Prevention installed experiences a system crash (blue screen) reporting BugCheck 8e in mfencbdc!FreeOpenFileAllocations. This issue has occurred infrequently on systems with Windows Server 2008 R2.

Resolution: This issue is resolved in ENS 10.5.0. See the related article for more information.
    10.2.0 McAfee Agent 5.0.3 Hotfix 1131329 Issue: System startup is slow and performance is poor after a restart.

Resolution: This issue is resolved in McAfee Agent 5.0.3 Hotfix 1131329.
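The rule logic behind issue 1154397 above (the Allow SMB over TCP default rule), as an added example that is not McAfee code: a simplified port-matching model showing why a rule with both local and remote port set to 445 matches no ordinary SMB session, and what the two workaround rules match instead. The matcher, the "either" direction on the default rule, and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = None  # stands for "Any" in a rule's port field


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "in", "out", or "either" (assumed for the default rule)
    local_port: Optional[int]   # port on the protected host
    remote_port: Optional[int]  # port on the peer


@dataclass(frozen=True)
class Flow:
    label: str
    direction: str   # "in" or "out", relative to the protected host
    local_port: int
    remote_port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches only if direction and both port fields agree with the flow."""
    if rule.direction != "either" and rule.direction != flow.direction:
        return False
    if rule.local_port is not ANY and rule.local_port != flow.local_port:
        return False
    if rule.remote_port is not ANY and rule.remote_port != flow.remote_port:
        return False
    return True


def allowed_by(rules: List[Rule], flow: Flow) -> Optional[str]:
    """Return the name of the first rule that matches the flow, or None."""
    for rule in rules:
        if matches(rule, flow):
            return rule.name
    return None


def unmatched(rules: List[Rule], flows: List[Flow]) -> List[str]:
    """Labels of flows that no rule in the set matches."""
    return [f.label for f in flows if allowed_by(rules, f) is None]


# The 10.2.0 default rule as the article describes it: both ports fixed to 445.
DEFAULT_10_2_0 = [Rule("Allow SMB over TCP", "either", 445, 445)]

# The two rules from the article's workaround.
WORKAROUND = [
    Rule("Allow incoming SMB", "in", 445, ANY),
    Rule("Allow outgoing SMB", "out", ANY, 445),
]

# Constructed sample flows. An SMB client connects from an ephemeral source
# port, so only one side of a session is ever on port 445.
FLOWS = [
    Flow("inbound SMB (peer connects to our share)", "in", 445, 49732),
    Flow("outbound SMB (we connect to a file server)", "out", 50114, 445),
    Flow("outbound HTTPS (control case)", "out", 50200, 443),
]

if __name__ == "__main__":
    for name, rules in (("10.2.0 default", DEFAULT_10_2_0), ("workaround", WORKAROUND)):
        print(name)
        for flow in FLOWS:
            print(f"  {flow.label}: {allowed_by(rules, flow) or 'no match'}")
```

The HTTPS control flow stays unmatched under the workaround rules, which shows that setting one side to Any per direction does not widen the rule beyond SMB.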



Non-critical:
 
Reference Number Related Article Found in ENS Version Resolved in ENS Version Issue Description
1242104 KB90630 10.5.4 10.5.4 Issue: In the Mozilla Firefox and Google Chrome browsers, the view site report link in the ENS Web Control browser balloon is not directing the user to the McAfee Threat Center to view the site report for a URL. A redirection to the mcafee.com site occurs, and a page not found error displays.

Resolution: McAfee resolved this issue on the back-end servers for the McAfee Threat Center and the issue no longer occurs. See the related article for more information.
1231398 KB90357 10.5.3 Hotfix 1 10.5.4 Issue: When you run a right-click scan through the context menu and choose Scan for threats, the resulting window might appear blank, with only a white background displayed. The window title says McAfee Endpoint Security. The window can be closed without any problem by clicking the red X in the top-right corner of the window. Scan activity does not appear to take place. Also, when you try to run a right-click scan and then close the blank window multiple times, mfeconsole processes remain in the list of active processes until you kill them or restart the system.

Resolution: This issue is resolved in ENS 10.5.4. See the related article for more information.
1240394
1234679
1230833
  10.5.3 Microsoft fix available Issue: BugCheck KMODE_EXCEPTION_NOT_HANDLED (1e) occurs. This issue is typically found on Windows 10 kernels, such as Windows Server 2016, and the process is typically the cluster service clussvc.exe. Disabling Real Protect might resolve the issue. The stack text is similar to the following:
 
ffffd600`eeea9868 fffff803`cfb27e7d : 00000000`0000001e ffffffff`c0000005 fffff803`cff609e6 00000000`00000000 : nt!KeBugCheckEx
ffffd600`eeea9870 fffff803`cfbf2c82 : ffffc40d`d2115d00 ffffd600`eeeaa000 ffffd600`eeeaa0f0 fffff80f`687362fe : nt!KiDispatchException+0x22d
ffffd600`eeea9f20 fffff803`cfbef274 : ffffc40d`4765464d 00000000`00000070 ffffd600`eeeaa4c8 ffffc40d`cebaa7a0 : nt!KiExceptionDispatch+0xc2
ffffd600`eeeaa100 fffff803`cff609e6 : 00000000`0000ce60 ffffd600`eeeaa340 00000000`00000000 00000000`0000006e : nt!KiPageFault+0x4f4
ffffd600`eeeaa290 fffff803`cfb7a2e1 : ffff8905`798266f8 ffff8905`798266f8 ffff8905`79fdf258 ffffc40d`00000000 : nt!HvpGetCellPaged+0x56
ffffd600`eeeaa2c0 fffff803`cff58aa8 : 00000000`ffffffff ffffd600`eeeaa3b0 00000000`00000017 ffffd600`eeeaa840 : nt!CmpConstructNameFromKeyNodes+0x171
ffffd600`eeeaa340 fffff803`cfea0e2c : 00000000`00000000 00000000`00000017 fffff803`d012b954 00000000`00000017 : nt!CmpConstructNameWithStatus+0x108
ffffd600`eeeaa3b0 fffff803`d0086c5a : ffff8905`7c70c000 00000000`00000000 ffff8905`7ee6aa88 ffff8905`7ee6aa80 : nt!CmpConstructName+0x14
ffffd600`eeeaa3e0 fffff803`d005c7f7 : 00000000`0000016c 00000000`00000003 ffff8905`79fdf258 ffff8905`79cac201 : nt!CmpEtwDumpKcb+0x42
ffffd600`eeeaa450 fffff803`cfc3d798 : 00000000`00000003 00000000`00000000 00000000`0000016c ffff8905`79cac201 : nt!CmpCleanUpKcbCacheWithLock+0x113417
ffffd600`eeeaa480 fffff803`d0098035 : fffff803`d009814c ffff8905`00000200 00000000`00000000 ffff8905`7c70c000 : nt!CmpSearchKeyControlBlockTreeEx+0x90
ffffd600`eeeaa4f0 fffff803`d0096987 : 00000000`00000000 00000000`ffffffff ffffd600`eeeaa640 fffff80f`671ebc6a : nt!CmpRefreshHive+0x121
ffffd600`eeeaa540 fffff803`d0085a77 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000c34 : nt!CmRestoreKey+0x113
ffffd600`eeeaa800 fffff803`cfbf2683 : ffffc40d`cd0bc600 00000000`00000bb4 00000000`00000000 ffff8905`7dd6e8d0 : nt!NtRestoreKey+0x20f

Resolution: Microsoft monthly rollup KB4103720 resolves this issue. For more information about KB4103720, see https://support.microsoft.com/en-us/help/4103720.
1232927   10.5.3 10.5.4 Issue: After you create an Exploit Prevention exclusion using ePolicy Orchestrator and open the exclusion in the ENS console, the message "Type must be specified" is displayed in red and Type is specified as "No type".

Resolution: This issue is resolved in ENS 10.5.4.
1227456 KB90364 10.5.3 10.5.4 Issue: Installation of ENS fails during the ENS Common module installation. See the related article for more information.

The McAfee Agent log records the following:
 
Run now task McAfee Agent > Product Deployment failed. Details: Product "ENDP_GS_1050" installation failed, reason "Unknown error".  

The McAfee_Common_VSCore_Install_All_<timestamp>.log records errors similar to the following:

[09:40:33:312] - Wait for MMS Service mfehcs to report RUNNING
...[09:41:02:766] - MMS Service mfehcs: [09:41:02:766] - SERVICE_START_PENDING
[09:41:03:781] - MMS Service mfehcs: [09:41:03:781] - SERVICE_STOPPED. Stop waiting for service to run
[09:41:03:781] - StartMMSService: exit=0
...
[09:41:03:781] - Code [0x20003051] : Error while starting McAfee service.
 
[09:41:03:781] - Exit code will be 4294967295
...
[09:41:03:781] - Returning 4294967295
1223321 KB90198 10.5.3 10.5.3 Hotfix 1 Issue: The same version of the ENS 10.5.3 Common Platform module is reinstalled multiple times, although the previous installation was successful. This issue occurs only with the reposted version of ENS 10.5.3 Common Platform version 10.5.3.3178_7.

Workaround: Modify the product deployment task to run the deployment for the ENS 10.5.3 Common Platform module only once.

Resolution: This issue is resolved in ENS 10.5.3 Hotfix 1. See the related article for more information.
1221732   10.5.3 10.5.4 Issue: ENS Firewall does not properly log firewall entries and events when the ENS Exploit Prevention Network IPS feature is enabled. 

Resolution: This issue is resolved in ENS 10.5.4.
1219519 KB90249 10.5.3 10.5.3 Hotfix 1 Issue: Recurring deployment tasks download the ENS Firewall .zip file even though the same ENS Firewall version is already installed.

Resolution: This issue is resolved in ENS 10.5.3 Hotfix 1. See the related article for more information.
1218825 KB88085 10.5.3 10.5.4 Issue: The system restarts and a blue screen error occurs when you upgrade from ENS 10.5.2 to ENS 10.5.3 in the presence of third-party injectors.

Resolution: This issue is resolved in ENS 10.5.4. See the related article for more information.
1218771   10.5.3 10.5.4 Issue: If an ePolicy Orchestrator (ePO) repository branch contains many previous ENS patches and hotfixes, checking in the 10.5.3 patch into the same repository branch might result in ePO becoming unresponsive.
 
Workaround: To prevent the issue, remove all patches and hotfixes except for the previous version, before checking in the 10.5.3 patch. If you already encountered this issue and ePO is unresponsive, stop and restart the ePO service to resolve the issue.

Resolution: This issue is resolved in ENS 10.5.4.
1218572
1223324
KB90109 10.5.3 10.5.3 Hotfix 1 Issue: After you disable Access Protection via policy in ePolicy Orchestrator (ePO), once enforced on the client, the ENS console still shows that Access Protection is enabled. This information is then reported incorrectly back to ePO. This issue is cosmetic. When the policy is enforced, Access Protection is successfully disabled on the client.

Resolution: This issue is resolved in ENS 10.5.3 Hotfix 1. See the related article for more information.
1215500   10.5.3 10.5.4 Issue: The driver mfeepmpk does not load after a system restart.

Workaround: Perform the following steps:
  1. Disable ENS Self Protection.
  2. Press Windows+R, type regedit.exe, and click OK.
  3. Delete the entry "INITSTARTFAILED" if present at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mfeepmpk\Enum
  4. Delete the entry "DriverEntry" if present at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mfeepmpk
  5. Set the entry "Start" to 3 at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mfeepmpk
  6. Set the entry "VTPOptions" to 0x20 (32 in decimal) at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mfeepmpk
  7. Enable ENS Self Protection.
  8. Restart the system.
Resolution: This issue is resolved in ENS 10.5.4.
1214624   10.5.3 10.5.4 Issue: An upgrade to ENS 10.5.3 fails if Threat Intelligence Exchange (TIE) Client 10.2 is installed. This issue is intermittent.

Cause: There is a timing issue. The TIE Client tries to validate the installer utility before it is written to disk. This causes the McAfee trust verifier to treat the installer utility as untrusted.

Workaround: Perform one of the following options:
  • Attempt to send another deployment task to the systems with this issue. The chance of the upgrade succeeding in the second attempt is higher.
  • Uninstall TIE Client 10.2 before upgrading to a later version or patch. The deployment task for 10.5.x must include the Adaptive Threat Protection module to match the parity with TIE Client 10.2.x.
Resolution: This issue is resolved in ENS 10.5.4.
1213474   10.5.3 10.5.4 Issue: After selecting an expert rule and clicking the "Expert rule checker" button, sometimes the rule data is not populated.

Workaround: Order the table rows by ID before selecting expert rules.

Resolution: This issue is resolved in ENS 10.5.4.
1212160   10.5.3 10.5.4 Issue: Threat Prevention is disabled, or missing, after an upgrade attempt to ENS 10.5.3. The mfetp.exe process is not running.

Resolution: This issue is resolved in ENS 10.5.4. McAfee recommends that you upgrade to ENS 10.5.4 or later.
1218123   10.5.2 10.5.4 Issue: Services are deleted during an upgrade if they fail to stop in a timely manner. The services are left in a "not responding" state.

Resolution: This issue is resolved in ENS 10.5.4.
1216383 KB89947 10.5.2 10.5.4 Issue: Because of changes in Mozilla Firefox 56, ENS Web Control web protection does not load in the browser.

Resolution: This issue is resolved in ENS 10.5.4. See the related article for more information.
1213197 KB89847 10.5.2 10.5.4 Issue: When you select the "Configure different settings for High Risk and Low Risk processes" option in the On-Access Scan policy, and all High Risk processes are removed, the High Risk processes are still enforced.

Workaround: Ensure that there is at least one High Risk process in the policy.

Resolution: This issue is resolved in ENS 10.5.4. See the related article for more information.
    10.5.2 10.5.3 Issue: When performing a right-click On-Demand Scan for a network share, the scan completes in seconds and 0 files were scanned. This issue happens even though you are logged on to the client system, with credentials that have local admin rights to the network share.

Resolution: This issue is resolved in ENS 10.5.3.
1211389 KB89844 10.5.2 10.5.3 Issue: During an installation or upgrade to ENS 10.5.2, an error occurs during the installation process that causes an MSI pop-up error. Installation is successful, but systems occasionally get the following pop-up error:
 
Error 1336. There was an error creating a temporary file that is needed to complete this installation. Folder: C:\Program Files\McAfee\Endpoint Security\Threat Prevention. System error code: 5.

 
Workaround: Use the following steps to work around this issue. See the related article for more information.
  1. Disable ENS Self Protection. From the local console, navigate to Settings, Common, and disable Self-protection.
  2. Open Windows Explorer.
Resolution: This issue is resolved in ENS 10.5.3.
1209061 KB89840 10.5.2 10.5.4 Issue: When you install ENS using a custom policy that specifies a custom quarantine path, the quarantine is created in the default folder C:\Quarantine instead of the specified custom path.

Workaround: For ePO managed systems, the quarantine folder is automatically reset to the custom path specified in the policy on the next policy enforcement. Either wait for the next policy enforcement to occur, or manually trigger policy enforcement using one of the options in the related article.

Resolution: This issue is resolved in ENS 10.5.4.
1205792   10.5.2 10.5.3 Issue: A small long-term memory leak with McShield.exe might be observed each time a policy enforcement occurs.

Resolution: This issue is resolved in ENS 10.5.3.
1204625   10.5.2 Host IPS 8.0 Patch 11 Issue: If the Host Intrusion Prevention IPS feature is enabled, ENS installs or patch upgrades fail on about 20 percent of systems.

Workaround: Disable the IPS feature before the ENS install or upgrade; re-enable the IPS feature after the ENS install or upgrade completes.

Resolution: Use one of the following options:
  • Upgrade Host Intrusion Prevention to 8.0 Patch 11 before the ENS install or upgrade.
  • Remove Host Intrusion Prevention when you deploy ENS.
    10.5.2 (RTS) 10.5.2 (RTW) Issue: When you install the Endpoint Security 10.5.2 Profiler Tool, you need to create an exclusion for mcprofiler.exe in the Endpoint Security Common policy, Show Advanced, Self Protection, Exclude these processes.

Resolution: This issue is resolved in ENS 10.5.2 (RTW).
    Profiler (RTS) Profiler 1.3 Issue: After you install the Endpoint Security 10.5.2 Profiler Tool, you need to restart the system to get data.

Resolution: This issue is resolved in Profiler 1.3.
1193471   10.5.1 10.5.4 Issue: Threat Prevention reports that it is not responding. The issue is due to a timeout when trying to enumerate users when the service starts.

Resolution: This issue is resolved in ENS 10.5.4. With ENS 10.5.4, the service starts before timing out.
1192352   10.5.1 10.5.2 Issue: Scheduled scans configured to run when idle sometimes fail to run when the system is idle, or sometimes resume unexpectedly when the system is not idle.

Resolution: This issue is resolved in ENS 10.5.2.
1182718   10.5.1 10.5.1 Hotfix 2 Issue: On-Demand Scan "files scanned" might not increment in the On-Demand Scan activity log, nor does "items scanned" increment in the On-Demand Scan pop-up dialog box, for files that are not detected as malware.

Resolution: This issue is resolved in ENS 10.5.1 Hotfix 2.
1180401   10.5.1 10.5.2 Issue: ENS installation fails when any injector software with an unsigned DLL tries to hook or inject into any McAfee process.

Workaround: Perform one of the following:
  • Get the unsigned DLL certified or signed from the software vendor.
  • Remove the software and then install ENS.
Resolution: This issue is resolved in ENS 10.5.2.
1179065   10.5.1 10.5.2 Issue: A blue screen error occurs after restarting a system when ENS is installed with various McAfee products. These products include VirusScan Enterprise, Host Intrusion Prevention, Data Loss Prevention, and Drive Encryption with File and Removable Media Protection (FRP).

Cause: The kernel is running out of stack space during a file operation because there are more than the usual number of filters on the file stack. This causes a CPU double fault and the blue screen error. FRP currently uses the minimum kernel stack required for a call, which is 4 K.

Workaround: Increase this stack size as suggested below:
  1. Start the system in Windows Safe Mode.
  2. Navigate to the registry location HKLM/System/CurrentControlSet/Services/mfeeeff.
  3. Create a DWORD value here, with the name MinKernelStack and set it to 16384.
Resolution: This issue is resolved in ENS 10.5.2.
1185275 KB88867 10.5.0 10.2.1
10.5.1
Issue: On a system with ENS installed, ePolicy Orchestrator shows the ENS modules as not being installed.

Resolution: This issue is resolved in ENS 10.2.1 and ENS 10.5.1. See the related article for more information.
1183713   10.5.0 10.5.1 Hotfix 2 Issue: There is high CPU usage by mfetp.exe during policy enforcement when ENS writes On-Access Scan exclusions into the registry.

Workaround: Limit the number of On-Access Scan exclusions in the policy.

Resolution: This issue is resolved in ENS 10.5.1 Hotfix 2.
1182181 KB88866 10.5.0 10.5.1 Issue: In ePolicy Orchestrator, when the total number of characters in the path for the On-Access Scan exclusions plus the internal separators exceeds 5000, the policy does not enforce on the end node.

Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
  KB88797 10.5.0 10.5.1 Issue: ENS Web Control does not work in Firefox 51.

Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1173731 KB88791 10.5.0 10.5.1 Issue: In ePolicy Orchestrator, changing one Threat Prevention Exploit Prevention policy results in the same changes being made in other Exploit Prevention policies. The issue occurs only after upgrading the Threat Prevention extension from ENS 10.2.x to ENS 10.5.0 and for the Exploit Prevention policies that were created in ENS 10.2.x.

Workaround: Follow the steps below after the upgrade to ENS 10.5.0 and before changing any Exploit Prevention policy.
  1. Make a copy of each Exploit Prevention policy by duplicating the policies in ePolicy Orchestrator.
  2. Make any changes to the new duplicated policies. These changes do not change other policies.
Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1173342   10.5.0 10.5.1 Issue: In the Exploit Prevention policy, after editing a McAfee Defined Application Protection Rule with a name that has more than one word, the name is cut off leaving only the first word in the name.

Resolution: This issue is resolved in ENS 10.5.1.
1172855   10.5.0 10.5.1 Issue: Automatic Migration fails for edited VirusScan Enterprise My Default Policies for On-Demand Scan when the Both Workstation and Server settings migration option is selected. After the Automatic Migration, "MyDefault 2" policies are created twice, one each for the workstation-specific and server-specific policies. This duplication then causes the policy migration to Threat Prevention to fail.

Workaround: In the policy preview page, manually rename the Threat Prevention On-Demand Scan policy that has the duplicate name to a unique name.

Resolution: This issue is resolved in ENS 10.5.1.
1171976   10.5.0 10.5.1 Issue: When you upgrade an endpoint with ENS 10.5 installed from Windows 7 x64 to Windows 10 x64, Exploit Prevention fails to initialize and remains disabled.

Cause: A race condition between mfetp and the VSCore driver, ESP, or MA Service during the installation flow causes this issue. This race condition leaves the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mfeepmpk\Enum set to 1 by mistake, and indicates a failure during initialization. The result is that Exploit Prevention remains disabled and cannot be initialized.

Workaround: To avoid the issue, perform the following steps:
  1. Before you start the Windows 10 upgrade process, disable ENS Self Protection.
  2. Press Windows+R, type regedit, and click OK.
  3. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mfeepmpk\Enum
  4. Set INITSTARTFAILED to 0.
  5. Enable ENS Self Protection.
  6. Start the Windows 10 upgrade process.
Resolution: This issue is resolved in ENS 10.5.1.
1170938   10.5.0 10.5.1 Issue: When the ENS Web Control interlock option "Disable if a web gateway appliance is detected" is enabled with more than one detect gateway option selected, ENS Web Control fails to stand down when any one of the selected detect gateway conditions fails to match. The detect gateway options can be organization default gateway, web gateway enforcement, or internal landmark.

Workaround: Do not select multiple detect gateway options; select the one option that best suits the environment.

Resolution: This issue is resolved in ENS 10.5.1.
1164347   10.5.0 10.5.1 Issue: In the Host Intrusion Prevention catalog network, if you add an IP address with a fully qualified domain name without a dot (for example, Google), an unexpected error displays after migration to the ENS Catalog when you try to open the migrated catalog in ENS.

Workaround: Before migration, delete all networks in the Host Intrusion Prevention catalog without a dot.

Resolution: This issue is resolved in ENS 10.5.1.
1164345   10.5.0 10.5.1 Issue: An exception error displays when you open an ENS firewall rule for editing in the Rules policy migrated from Host Intrusion Prevention while the same rule from the same Host Intrusion Prevention Rule policy is open in another tab.

Workaround: To compare the migrated Host Intrusion Prevention rule and the original Host Intrusion Prevention rule, use the rule summary or open rules in different browsers.

Resolution: This issue is resolved in ENS 10.5.1.
1162890   10.5.0 10.5.2 Issue: Boot times for some systems might be longer after you install ENS 10.5.0.

Resolution: This issue is resolved in ENS 10.5.2.
1158502   10.5.0 10.2.2 Issue: If you use the ENS 10.5 extension to create a scan task with the scan location of Registry and assign it to an ENS 10.2 client, the Registry item appears in scan tasks. It appears even though it is not supported. There is no adverse behavior if the scan task runs on an ENS 10.2 client. The task runs, but does not scan anything for that scan location.

Resolution: The issue is resolved in ENS 10.2.2.
1143866
1127671
1127669
  10.5.0 10.5.2 Issue: Code compiling programs like Cygwin can take longer to build projects with out-of-box configurations of ENS 10.5.0.

Resolution: The issue is resolved in ENS 10.5.2.
1204316   10.2.1 10.2.2
10.5.3
Issue: An AMCore content update succeeded, but the AMCore content version is not shown in the ENS Console or ePolicy Orchestrator. The correct AMCore content version is shown in the registry key [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVSolution\DS\DS]. The ThreatPrevention_Debug.log shows the following error:
 
07/13/2017 11:22:36.916 AM    mfetp(4472.4508) AvContentMgr.AVCMGR.Error: Failed to load container: Failed to load xml document, 0x00000001
 
Resolution: This issue is resolved in ENS 10.2.2 and ENS 10.5.3.
1186400 KB89023 10.2.1 10.5.3 Issue: If Threat Prevention Exploit Prevention is enabled, the dllhost.exe process will generate a crash dump after it performs a Cortana search on a Windows 10 Creators Update system. The issue occurs when Exploit Prevention fails to inject into the dllhost.exe process; the result is the process does not load and generates a crash dump.

Workaround: Add a global Exploit Prevention exclusion for the dllhost.exe process. The exclusion stops injection from being performed on the dllhost.exe process, and crash dumps are not generated. See the related article for more information.

Resolution: This issue is resolved in ENS 10.5.3.
1181041 KB88793 10.2.0 10.5.1 Hotfix 1 Issue: A Location Aware Group (LAG) with a local network and with connection isolation enabled blocks traffic by isolation. The issue occurs when the address specified in the local network of the LAG does not match an active network adapter on the system.

Workaround: Reconfigure the LAG without a local network as a location criterion; use other location criteria that are suitable in the environment.

Resolution: This issue is resolved in ENS 10.5.1 Hotfix 1. See the related article for more information.
1177881
1175503
  10.2.0 10.2.2
10.5.1
Issue: Clients do not send metadata, such as file names, to the Threat Intelligence Exchange server when the option Allow the Threat Intelligence Exchange server to collect anonymous diagnostic and usage data is disabled.

Resolution: This issue is resolved in Endpoint Security Threat Intelligence 10.2.2 and ENS 10.5.1. The option Allow the Threat Intelligence Exchange server to collect anonymous diagnostic and usage data now applies only to optional statistics collection by clients. Metadata is sent to the Threat Intelligence Exchange server.
1172168 KB88198 10.2.0 10.2.1
10.5.1
Issue: When ENS Web Control enforces an action in the browser, an enforcement message is displayed in the browser. The enforcement message that appears is blank even though the policy for the enforcement message has text. See the related article for more information.

Workaround: Remove any carriage returns from the enforcement message. Use HTML code for paragraph or break to make line spaces in the enforcement message.

Resolution: This issue is resolved in ENS 10.2.1 and ENS 10.5.1. See the related article for more information.
1169191 KB88312 10.2.0.179 10.2.1 Issue: The migration task fails when it tries to migrate policies from VirusScan Enterprise to ENS if it uses Endpoint Migration Assistant 10.2.0.179. The orion log of the ePolicy Orchestrator server contains the following error:
 
ERROR [scheduler-TaskQueueEngine-thread-2] service.ScheduledTaskManagerImpl  - execution of task Endpoint Security Migration failed
com.mcafee.orion.core.cmd.CommandException: String index out of range: -10
 
Resolution: This issue is resolved in Endpoint Migration Assistant 10.2.1. See the related article for more information.
1162713   10.2.0 10.5.0
10.2.1
Issue: After you upgrade to or install ENS 10.2.0 on a system, the AMCore content definitions do not always update.

Resolution: This issue is resolved in ENS 10.5.0 and ENS 10.2.1.
1148888   10.2.0 10.5.1 Issue: Packages created with ENS Package Designer do not honor the license type, which causes the ePolicy Orchestrator server to always display the package as Licensed. This issue does not impact the licensed Released To World (RTW) packages being customized. It impacts only the ENS evaluation builds when used to create custom packages. There is no functional impact on the client. The client About dialog box still displays it as Trial only. Only the ePolicy Orchestrator Master Repository displays as Licensed for trial packages.

Resolution: This issue is resolved in ENS 10.5.1.
1147423   10.2.0 10.5.0 Issue: When using the EPSetup standalone installer for ENS upgrades with the command-line switch ADDLOCAL="tp,fw,wc", the AMCore content is not immediately updated after the upgrade. The AMCore content is updated only when the next scheduled update happens for unmanaged systems.

Cause: When Threat Prevention is upgraded first, the Threat Prevention installer triggers a content update, but the subsequent Firewall upgrade blocks it.

NOTE: The issue is not applicable in the following scenarios:
  • Managed systems do not have this issue because the content update mechanism does not rely on the installer to trigger a content update.
  • The issue does not occur if you use the EPSetup standalone GUI to perform the upgrade because Firewall always gets upgraded before Threat Prevention.
Workaround: If you already encountered this issue, manually run a content update with the ENS client UI to get the latest content.

Resolution: This issue is resolved in ENS 10.5.0, which uses the switch ADDLOCAL="fw,tp,wc" to install Firewall before Threat Prevention.
1145529   10.2.0 10.5.0 Issue: An executable is blocked although it has been marked as safe by Advanced Threat Defense (ATD) on some endpoints. TIE content does not honor the reputation set by ATD while it computes local reputations, and so fails to identify the file as safe.

Workaround: Manually mark these files as trusted on the ePolicy Orchestrator server, and use the same reputation provided by ATD; then TIE content on the client can consider this override and allow execution.

Resolution: This issue is resolved in ENS 10.5.0.
1145375 KB87493 10.2.0 10.5.0 Issue: UNC paths for network location are not supported when you use ePolicy Orchestrator to manage ENS Access Protection policies.

Workaround: To exclude or protect executables on a UNC network share, enter the path name in the form **\ instead of \\. See the related article for more information.

Resolution: This issue is resolved in ENS 10.5.0.
1139050 KB87511 10.2.0 10.5.1 Issue: After you upgrade ENS, permission set data is not retained accurately for the Firewall extension if it had two categories of permission sets before the upgrade. These two categories are Endpoint Security Firewall Catalog and Client and Endpoint Security Firewall.

Workaround: Run the SQL script attached in the related article on the ePolicy Orchestrator server after you upgrade ENS to restore the Firewall extension permission set data.

Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1136609   10.2.0 10.5.0 Issue: The TIE client activity logs of ENS modules are partially localized.

Resolution: This issue is resolved in ENS 10.5.0.
1136521   10.2.0 10.5.0 Issue: The Publisher for the following ENS add-ons displays as Not Verified in Internet Explorer:
  • McAfee Endpoint Security Web Control(Toolbar)
  • McAfee Endpoint Security ScriptScan
  • McAfee Endpoint Security Web Control(BHO)
Cause: Microsoft has released an SHA-1 code sign deprecation change in Internet Explorer. Any browser extension signed with an SHA-1 certificate displays as Not Verified.

Workaround: You can safely ignore this display because ENS still functions in Internet Explorer.

Resolution: This issue is resolved in ENS 10.5.0, which is signed by an SHA-2 certificate.
1135682   10.2.0 10.5.0 Issue: ENS does not support 64-bit Firefox.

Resolution: This issue is resolved in ENS 10.5.0.
1132889   10.2.0 10.5.1 Issue: IP addresses in CIDR format are not supported in private IP address exclusions in the Options policy.

Workaround: Use a supported format in private IP address exclusions: IP address range (at each octet level), IPv4, and IPv6 formats in comma-separated values.

Resolution: This issue is resolved in ENS 10.5.1.
1132321   10.2.0 10.5.0 Issue: When a trusted signed file reputation is overridden to a lower trust level that is set to block, the file is still allowed to run. The reason for this is that certificate trust takes precedence over file reputation, and so the file reputation change does not have an impact for a trusted certificate.

Resolution: This issue is resolved in ENS 10.5.0.
1129484   10.2.0 10.5.1 Issue: When you use the Web Gateway Interlock feature in ENS Web Control, if you use the option Specify internal landmark to use from the ENS Web Control ePolicy Orchestrator extension, you cannot specify IPv6 addresses and DNS names that resolve only to IPv6 addresses in the corresponding input fields.

Workaround: Use IPv4 addresses and DNS names that resolve to IPv4 addresses.

Resolution: This issue is resolved in ENS 10.5.1.
1112780   10.2.0 10.5.0 Issue: After you migrate from VirusScan Enterprise to ENS, the following errors display in the McAfee_TP_Migration_Plugin.log even though the settings were migrated successfully:
 
15/12/2015 19:07:45.04 [preserve] Failed to set properties for business object OAS, BLError = 2b
15/12/2015 19:07:45.19 [preserve] Code = c031002b, Description: OAS SetProperties failed
15/12/2015 19:07:45.19 [preserve] EnforceSettings: Failed to Apply XML Settings. XML File name C:\ProgramData\McAfee\Endpoint Security\McAfeeSettingsBackup\McAfee VirusScan Enterprise\VSE_OASSettings.xml
 
Resolution: These errors are erroneous and you can safely ignore them. These errors are removed in ENS 10.5.0.
1127750   10.2.0 10.5.0 Issue: When the TIE client submits a sample file to ATD server for analysis, the file name appears as the MD5 hash instead of the file name on the ATD server portal. The ePolicy Orchestrator server displays the file name properly. To correlate the file name from the ePolicy Orchestrator server to the ATD server, use the MD5 hash if the file name consists of CJK (Chinese, Japanese, and Korean) multi-byte characters.

Resolution: This issue is resolved in ENS 10.5.0.
1127002   10.2.0 10.5.0 Issue: The Enable WC and Disable WC menu options are always grayed out in Firefox.

Resolution: These options are removed in ENS 10.5.0. Enable or disable ENS Web Control in the client UI instead of Firefox.
1114141   10.2.0 ePO 5.9.0 Issue: After you create an On-Demand Scan task and click View Selected Task, the buttons Add, Save, and Cancel erroneously display.

Resolution: This issue is resolved in ePolicy Orchestrator 5.9.0.
1093254   10.2.0 10.5.0 Issue: When you click the View in Event Log option for a file quarantined by TIE, the event entry in the Event Log does not display.

Workaround: To view a specific TIE event, use the filters and search criteria on the Events Log window.

Resolution: This issue is resolved in ENS 10.5.0.
1172690   10.2.0 10.2.2 Issue: A file with a Threat Intelligence Exchange reputation of "Known Malicious" is not blocked on subsequent attempts to execute the file because of duplicate RuleId GUIDs for Arbitrary Access Control. This issue can occur any time the action is to block or clean.

Resolution: This issue is resolved in Endpoint Security Threat Intelligence 10.2.2.
1160532 KB88039 10.2.0 10.5.0 Issue: The ENS Web Control module fails to install when other ENS modules successfully install. The registration of the COM components of ENS Web Control fails with an access denied error.

Resolution: This issue is resolved in ENS 10.5.0. See the related article for more information.
1163212 KB88061 10.2.0 Entrust hotfix available Issue: There are compatibility issues with ENS and Entrust 9.3, including the following:
  • Performance issues
  • After installation of ENS on a system with Entrust 9.3, the system will not start after a restart.
Resolution: Contact Entrust to obtain a hotfix and quote Entrust reference number ref:_00D301H7DR._5001412ZkNK:ref. The hotfix is available only through Entrust support. See the related article for more information.
1156735, 1140210 KB87755 10.2.0 10.5.0, 10.2.1, 10.2.0 Hotfix 1164434 Issue: Performance is slow when you access a file on a network share.

Resolution: This issue is resolved in ENS Platform 10.2.0 Hotfix 1164434, ENS 10.2.1, and ENS 10.5.0. See the related article for more information.
1156051 KB87863 10.2.0 10.5.0, 10.2.1, 10.2.0 Hotfix 1164434 Issue: ENS Web Control add-ons can take longer than 0.2 seconds to load, which causes Internet Explorer to prompt the user to disable the add-ons.

Workaround: To prevent the prompt from appearing to the user, increase the value for the amount of time to load add-ons or disable the performance notification.

Resolution: This issue is resolved in ENS Platform 10.2.0 Hotfix 1164434, ENS 10.2.1, and ENS 10.5.0. See the related article for more information.
1152507   10.2.0 10.2.1 Issue: A file with a Threat Intelligence Exchange reputation of "Known Malicious" is not blocked on subsequent attempts to execute the file because of a timeout when the file is submitted to Advanced Threat Defense.

Resolution: This issue is resolved in Endpoint Security Threat Intelligence 10.2.1.
1149816 KB87532 10.2.0 10.5.0 Issue: When you try to restore to a Windows system restore point, the process fails with an access denied message.

Workaround: Uninstall all ENS modules and the McAfee Agent, restart, and run the system restore.

Resolution: This issue is resolved in ENS 10.5.0. See the related article for more information.
1146720 KB87434 10.2.0 10.5.1 Issue: Custom enforcement messages in the ENS Web Control Enforcement Messaging policy are truncated in the Firefox browser.

Workaround: Create an enforcement message that does not contain HTML tags.

Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1144868, 1150035 KB87371 10.2.0 ePO 5.3.2 Hotfix 1144868 Issue: In ePolicy Orchestrator 5.3.2, the Save button in some ENS On-Access Scan policy pages is not active.

Resolution: This issue is resolved in ePolicy Orchestrator 5.3.2 Hotfix 1144868. See the related article for more information.
1141141 KB87353 10.2.0 Websense DLP 8.2 Issue: After you install ENS on a Windows 7 system with Websense Data Loss Prevention (DLP) 7.8 installed, a blue screen error occurs.

Workaround: Either remove the Websense software or upgrade to Windows 10.

Resolution: McAfee has determined that the issue is caused by Websense software that uses the QIP.sys driver on Windows 7 systems. Any solution must come from Websense. If you experience this issue, McAfee recommends that you contact Websense Technical Support for assistance. This issue has not been reported to occur with newer versions of Websense DLP 8.2. See the related article for more information.
1154040 KB86845 10.2.0 10.5.0 Issue: The Detection path for a threat is blank in an ePolicy Orchestrator Malware Detection Auto Response email. See the related article for more information.

Resolution: This issue is resolved in ENS 10.5.0. See the related article for more information.
1142318 KB87303 10.2.0 10.5.0 Issue: When you deselect Enable Web Control in the ENS Console or the ENS Web Control extension in ePolicy Orchestrator, it does not disable ENS Web Control in the browser.

Resolution: This issue is resolved in ENS 10.5.0. See the related article for more information.
1137622 KB86631 10.2.0 10.5.0 Issue: The Endpoint Security Product Guide incorrectly states that the ENS Web Control plug-in is enabled by default in Firefox.

Resolution: This documentation error is resolved in the Endpoint Security 10.5.0 Product Guide. In Firefox, a prompt displays that asks the end user to enable the ENS Web Control extension on opening Firefox after the ENS Web Control installation. The ENS Web Control service will enable the ENS Web Control browser extension automatically in Firefox five minutes after installation if the end user has not already opened Firefox. Every 30 minutes, the ENS Web Control service checks the status of the ENS Web Control extension in Firefox and enables the extension if it has been disabled by the end user. See the related article for more information.
1134872 KB87095 10.2.0 Entrust Entelligence 9.3 Issue: Installation of ENS fails when Entrust Entelligence 9.2 is installed.

Resolution: Upgrade to Entrust Entelligence 9.3. Installations of ENS are successful with the latest Entrust Entelligence version. See the related article for more information.
1114709 KB86804 10.2.0 10.5.1 Issue: Installation of ENS hangs on unpatched builds of Windows 7.

Workaround: See Microsoft Knowledge Base article https://support.microsoft.com/en-us/kb/2328240 for a fixlet to repair the issue before you install ENS.

Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1109716   10.2.0 MAR 1.1.0 Issue: When ENS is deployed with McAfee Active Response (MAR) present, the installation hangs because of a known race condition.

Workaround: To resolve this issue, perform one of the following:
  • Stop MAR, install ENS, and then restart MAR.
  • Uninstall MAR, install ENS, and then reinstall MAR.
Resolution: This issue is resolved in MAR 1.1.0.
1100562 KB86141 10.2.0 MACC 7.0 RTW build 646, MACC 6.2.0 Hotfix 505, MACC 6.1.3 Hotfix 441, MACC 6.1.2 Hotfix 449, MACC 6.1.1 Hotfix 404, MACC 6.1.0 Hotfix 706 Issue: ENS and Application and Change Control (MACC) 6.x are not compatible.

Resolution: This issue is resolved in MACC 7.0 RTW build 646, MACC 6.2.0 Hotfix 505, MACC 6.1.3 Hotfix 441, MACC 6.1.2 Hotfix 449, MACC 6.1.1 Hotfix 404, and MACC 6.1.0 Hotfix 706. See the related article for more information.
1074673   10.2.0 Microsoft KB2487426 Issue: mfewc.exe generates a crash dump during restart.

Resolution: This issue is resolved in Microsoft KB2487426. For more information, see https://support.microsoft.com/en-us/kb/2487426.

