How to troubleshoot Virtual Machines when the Anti-malware protection status is Off or Unknown

Technical Articles ID: KB84669
Last Modified: 10/13/2021

Environment

McAfee Cloud Workload Security (CWS) 5.x
McAfee MOVE AntiVirus (AV) Agentless 4.x

Summary

Background details
The following protection status events are sent from both:

A Virtual Machine (VM) to the Security Virtual Appliance (SVA)
The SVA to ePolicy Orchestrator (ePO), where it is placed in an SQL database table

MOVE AV Agentless 4.x Events

EVENT 37086 (VM Protected)
EVENT 37087 (VM Unprotected)

NOTE: See also the following article: KB77944 - List of Event IDs for MOVE Agentless and Multi-Platform)

From that table, the cloud connector for vSphere reads the content and populates the ePO user interface (UI).The role of the cloud connector for vSphere here is only to display the content from the table to report the protection status of VMs.

There are several reasons why the protection status is not reported correctly. Because of the different components involved in this environment, it is important to follow a troubleshooting method that does the following:

Guide you through the different stages involved, to correctly identify where the cause of the problem is.
Provide the solution to overcome the issue.

Prerequisites:

MOVE AV Agentless is set up correctly.
MOVE Agentless policy has on-access scanner (OAS) enabled.
MOVE AV Agentless extension is installed in ePO.
Event parser service is running.
The Cloud Connector for vSphere account registration is completed successfully.

For assistance, see the respective product guides in the Registering cloud accounts section:

For product documents, go to the Product Documentation portal.
SVA and the VM are both managed by the same ePO server.
VMware vCenter correctly reports the SVA presence for each host.
The VM is turned on. When the VM goes to an idle state, the vsepflt driver is unloaded, which can contribute to reporting the Agentless anti malware protection as Off.
Make sure that the following events are selected in ePO. Navigate to Server Settings, Event filtering, and then click Edit:
- EVENT 37086 (VM Protected)
- EVENT 37087 (VM Unprotected)

Solution 1

Troubleshooting the VM
Start troubleshooting from a VM that reports the incorrect Protection Status in ePO. Make a note of the name of the VM and the UUID (unique ID) of the VM where the troubleshooting is performed. You can find this information in ePO and vCenter.

Verify that the VM is reporting the correct system information to ePO:
1. Log on to the ePO console.
2. Click the System Tree and open the vSphere group, then locate the VM.
3. To bring up the System Properties, click the VM.
4. Click the Virtualization tab.
5. Verify that the VM details are present and correct.
Verify that the VMware Tools are installed.

NOTE: The installation of VMware Tools is a prerequisite when you use MOVE AV Agentless.
- Verify using ePO:
  In the ePO System Tree, navigate to the vSphere group, identify the system, and verify the VMware Tool is listed in the VMware Tool column.
  
  If the VMware Tools are installed, it reports running.
- Verify using VM:
  In Add/Remove Programs, verify that VMware Tool is listed. If it is not, download and install the VMware Open Virtualization Format (OVF) software package from: http://communities.vmware.com/community/vmtn/server/vsphere/automationtools/ovf.
Verify that the VMCI driver is enabled.
Installation of the VMware Tools does not automatically install the Virtual Machine Communication Interface (VMCI driver vsepflt.sys). So, when you install the VMware Tools, select Custom setup, and under the VMCI driver, select vShield Drivers.

To verify that the vShield driver (vsepflt.sys) is installed, navigate to the following folder: C:\Windows\System32\drivers
Enable debug logging for ePO.
Before you start to troubleshoot, if further analysis is needed, enable debug logging for ePO in the Orion.log file. For how to enable debug logging for the cloud connector extension, see KB90072 - How to enable debug logging for the Cloud Workload Security connectors
Verify that the VMCI driver (vsepflt) is loaded correctly:

NOTE: When you reload the vShield driver, it forces the events to be generated. This test can be used to verify the correct communication.
1. Log on to the endpoint VM as an Administrator.
2. Open a command prompt, click Start, Run, type cmd, and then click OK.
3. To unload the driver vsepflt, type the following command and press Enter:
  
  fltmc unload vsepflt
4. To load the vsepflt driver, type the following command and press Enter:
  
  fltmc load vsepflt
5. Resynch the SVA with ePO.
  For the MA commands to collect and send properties from SVA to the ePO server, see KB52707 - McAfee Agent command-line switches.
  
  The system now displays the Anti-Malware Protection status as ON.
Verify whether the events generated above are reaching ePO:
1. Log on to the ePO console.
2. Click Menu, Reporting, Threat Event Log and verify if the above mentioned events are present.
3. Verify that you are also getting the client system IP address in the threat event logs.
Verify whether the events generated above have changed the Protection status of the VM:
1. Navigate to the node in ePO.
2. Select the Virtualization tab and then verify the status of the Agentless Anti-malware Protection.
3. Verify that the status shows ON.
Verify that EICAR can be detected in the VM:
1. Create and test the VM with an EICAR test file. For details, see KB59742 - How to use the EICAR test file with McAfee products.
2. Log on to the ePO console.
3. Click Menu, Reporting, Threat Event Log and verify that the Threat event is present.

Solution 2

Troubleshooting the Security Virtual Appliance (SVA)

Verify that the SVA is reported correctly in ePO and that it is turned on:
1. Log on to the ePO console.
2. From the System Tree, select the vSphere host and check if the associated SVA is reported.
3. Confirm that HOST is listed under the column System Type.
4. From the System Tree, access the SVA system properties and confirm that the SVA properties are reported correctly.
5. Under the Summary section, verify that the correct IP address is listed.
6. Under the Properties section, verify that all details are listed and are correct.
Verify that the SVA is reported correctly in the vCenter:
1. Log on to VMware vShield vCenter.
2. From the Home location, click Host and Clusters.
3. In the left pane, select the host.
4. In the right pane, click the Virtual Machines tab.
5. Locate your SVA and verify that the status in the State column shows Powered On.
Verify the registration of the SVAs with their respective hypervisors (in the VMware vCenter, the SVAs are listed in the vShield tab):
1. Log on to the vSphere Client, then go to Home and select the vShield icon. A logon window is displayed.
2. Log on with your credentials to access the console.
3. In the left pane, expand Datacenters.
4. Select the IP address ###.###.###.### of the host.
5. In the right pane, the Summary tab displays and shows Service Virtual Machines details.
6. Verify that the SVA was registered correctly.
  
  Example of details that the Service Virtual Machines section shows:
  
  Name Type
  
  MOVE AV vShield Endpoint Active SVM
  
  vShield Manager vShield Manager
Restart the MOVE AV Agentless SVA services:
1. Log on to the SVA with the root or administrator account.
2. At a command prompt, type the following:
  
  Sudo service move restart
3. Log on to the ePO console.
4. Locate the SVA in the System Tree.
5. Verify the SVA system properties and confirm that the SVA is communicating correctly.
6. Verify if the VM status has changed.
Verify that the SVA date and time are in is sync with ePO.

NOTE: If the SVA and ePO Time Zone are not synchronized, the events are rejected and the database is not updated.

For details about how to set the time in SVA, see "Configuring the SVA" in the MOVE AV Agentless product guide for your version. See the Related Information section below for where to locate product documentation.
Load and unload the driver and verify that the related event is reaching the SVA. Verify at each stage that the events are being transferred:
1. Stop the McAfee Agent on the SVA. For how to use command-line switches with MA, see KB52707 - McAfee Agent command-line switches.
2. On the VM, unload and load the VMCI driver (vsepflt), which generates the following events:
  
  34432 or 37087 (VM Unprotected)
  34431 or 37086 (VM Protected)
3. Log on to the endpoint VM as an Administrator.
4. Open a command prompt, click Start, Run, type cmd, and then click OK.
5. Type the following commands and press Enter:
  
  Fltmc unload vsepflt
  
  Fltmc load vsepflt
Verify that the event is generated. At the SVA, navigate to the following location and check that an event related to the stopped driver is present.

MA 5.9 and later:

var/McAfee/Agent/AgentEvent
1. If the event is not present, make sure that MA is stopped. For how to use command-line switches with MA, see
2. Then try to load and unload the vsepflt driver again. If those events do not arrive in the MA event folder, troubleshoot this issue. See KB52707 - McAfee Agent command-line switches.
  1. Enable or disable debug level logging at the SVA. For details, see KB87799 - How to enable debug logging for MOVE Agentless and Multi-Platform via the command line.
  2. Generate the event again by unloading and reloading the vsepflt driver at the VM, then collect a SVA MER. For details, see KB80097 - How to generate the MOVE AntiVirus Agentless MER file.
  3. Disable Debug level logging at the SVA.
3. If those events are arriving in the MA event folder, send the event to ePO, then restart MA and enforce the policy. At the command prompt type, the following:
  
  sudo /opt/McAfee/cma/bin/cmdagent -P
  
  NOTE: The event is no longer present in the SVA event folder.
Verify that the event is reported in the ePO Threat Event Log. This action confirms that the event is reaching ePO:
1. Log on to the ePO console.
2. Click Menu, Reporting, Threat Event Log. The following events are shown for the VM:
  
  34432 or 37087 (VM Unprotected)
  34431 or 37086 (VM Protected)
3. At the ePO console, verify the status of the Agentless Anti-malware Protection:
  1. Log on to the ePO console.
  2. Click System Tree, vSphere group, and then locate the VM.
  3. Select the VM and click it to bring up the System Properties.
  4. Click the Virtualization tab.
  5. Verify the Agentless Anti-malware Protection status.
Start a manual sync of the Cloud Connector for vSphere to see if it completes successfully:
1. Log on to ePO console and access the registered cloud account.
2. Select the name of the account and click Sync.
3. Verify the Last Sync Status.
Determine if the appropriate event was generated, but not passed to the ePO database:
1. Identify the VM's UUID and check in the SQL instance of the ePO database MOVEAGNTLSS_PROTECTIONSTATUS table for the status.
2. Locate the PROTECTION_STATUS column and identify if it shows ON or OFF for that VM.
3. Disable debug logging for ePO Orion.log. For details, see KB52369 - How to enable debug logging and log size for Orion.log in ePolicy Orchestrator.

If the Issue remains unresolved
If after following the above troubleshooting steps the issue remains unsolved, do the following:

Note the result of each troubleshooting step mentioned above as a Pass or Fail.
Provide a copy of the Orion.log with debug logging enabled.
Contact Technical Support and provide this article number (KB84669).
Generate the MOVE AntiVirus Agentless MER file (SVA). See KB80097 - How to generate the MOVE AntiVirus Agentless MER file.

IMPORTANT: The following files are required for Technical Support:

Minimum Escalation Requirements (MER) files for your specific product. For information about downloading the MERs for each product, see KB59385 - How to use MER tools with supported products.
Other files and logs, as requested by Technical Support.

To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.

If you are a registered user, type your User ID and Password, and then click Log In.
If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.

Related Information

AV Agentless 3.x Events (MOVE Agentless 3.x is End of Life)

EVENT 34431 (VM Protected)
EVENT 34432 (VM Unprotected

Affected Products

Cloud Workload Security 5.3.x
Cloud Workload Security 5.2.x
MOVE Antivirus Agentless 4.8.x
MOVE Antivirus Agentless 4.7.x
Troubleshooting

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Knowledge Center

How to troubleshoot Virtual Machines when the Anti-malware protection status is Off or Unknown

Environment

Summary

Solution 1

Solution 2

Related Information

Affected Products

Languages:

Title

Title

Knowledge Center

How to troubleshoot Virtual Machines when the Anti-malware protection status is Off or Unknown

Environment

Summary

Solution 1

Solution 2

Related Information

Affected Products

Languages:

Choose your region

Title

Title