FAQs for Endpoint Security

Technical Articles ID: KB86704
Last Modified: 4/20/2021

Environment

McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP)
McAfee ENS Firewall 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x

Summary

This article is a consolidated list of common questions and answers intended for users who are new to the product. But, it can be of use to all users.

Recent updates to this article

Date	Update
April, 20, 2021	Added the FAQ "How does the integration with Windows Antimalware Scan Interface (AMSI) work?" in the "Functionality - Product features and functions" section.
March 25, 2021	Added the FAQ "Can different modules (for example, Web Control and Threat Prevention), originating from different source packages (for example, February Update and April Update), be installed on a single given system?" in the "Installation, Upgrade, Migration, Removal - Information about installing, removing, upgrading, and migrating" section.
March 22, 2021	Updated the FAQ "How can I determine the size of AMCore content update files?" in the "AMCore Content - Updating, downgrading, and reporting of AMCore content" section with the HTTPS URL https://update.nai.com/products/commonupdater/current/amcordat2000/dat/0000/.
September 17, 2020	Added the FAQ "Can Endpoint Security detect a virus that is encrypted by an encrypted file system (EFS)?" to the "Functionality" section.
August 13, 2020	Added the FAQ "How can I determine the Real Protect content version?" to the "General" section.

To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Contents
Click to expand the section you want to view:

General - Product information covering miscellaneous topics

Where can I find known issues with Endpoint Security?
For a list of known issues with a high or medium rating and that are outstanding with a given release, see the known issues articles. These articles are KB82450 - Endpoint Security 10.x Known Issues, and KB88788 - Endpoint Security Adaptive Threat Protection 10.x Known Issues.

Where can I find Endpoint Security product documentation?

For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

Where can I find an explanation of Endpoint Security event messages?
Endpoint Security event messaging uses Natural Language Strings (NLS). Some events might require further explanation than what is provided in the small text string in an event. For a detailed explanation of event messages, see: KB85494 - Complete list of event IDs for Endpoint Security.

Why am I not seeing events from client systems in ePolicy Orchestrator?
To troubleshoot the issue, use the instructions in: KB53035 - How to troubleshoot ePolicy Orchestrator event and report content.

How can I check the status of the Endpoint Security service and other McAfee services on a system?
Use the executable C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe to check the status of services as follows. This executable can be useful if you are using a third-party monitoring tool to track the status of the Endpoint Security service. Or, to get a report on how many systems have Endpoint Security running.

Open an administrator command prompt.
Run the following command:

C:\WINDOWS\system32>"C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe" -query mfecore

Example output:

SERVICE_NAME: mfecore
SERVICE_STATUS SERVICE_RUNNING

NOTE: To check the status of all McAfee services, run the command: C:\WINDOWS\system32>"C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe" -enum

What is the mfeensppl service?
The mfeensppl service is a Protected Process Light (PPL) service. The service is used for the registration of mfetp with the Windows Security Center (WSC) service wscsvc. The mfeensppl.exe service stops and starts as it is needed. The mfeensppl.exe service is similar to the mfefire service, which also runs only when it is in use. The registration with WSC happens every time policies are enforced on the system and also when the system restarts. The registration with WSC is done through PPL in Windows 10 version 1809 (October 2018 Update) and later. When the mfeensppl.exe service runs, it checks whether the system is compatible with the Windows 10 version 1809 or later technology. The service then reacts accordingly. On systems not running Windows 10 version 1809 (and later), the mfeensppl.exe service is present. After determining that the operating system is not supported, mfeensppl.exe exits gracefully.

Why does the Help feature in the ePolicy Orchestrator console open a web browser page to https://docs.mcafee.com, instead of a contextual page of product information?
This behavior is the result of a feature change starting in Endpoint Security 10.6.0. When you use the Help feature by clicking the "?" question mark inside the ePolicy Orchestrator console, it now opens the McAfee Documentation Portal (https://docs.mcafee.com), where you can perform a search.

What is the $MfeDeepRem folder, for example, the folder located under root C:\?
This folder is used by the Endpoint Security Adaptive Threat Protection Enhanced Remediation feature. The folder is created per drive. The folder size varies depending on the file size of the drive. This folder is protected by McAfee. It might need to be excluded by applications that try to access files or folders that are not their own, such as backup software. Attempts to access the folder are denied access.

How can I determine the Real Protect content version?
Open the Endpoint Security console and go to the About window. The About window shows the Real Protect content version. If you want to see the Real Protect content version without opening the console, go to C:\Program Files\Common Files\McAfee\Engine\content\rpstatic. The folder name shows the content version. For example, 1.1.10005.6250. The Real Protect content version is not stored in the registry.

Back to Contents

Compatibility - Interaction between other products and software

Can Endpoint Security coexist with the legacy McAfee products SiteAdvisor Enterprise and VirusScan Enterprise?
No. The Endpoint Security installer removes both SiteAdvisor Enterprise and VirusScan Enterprise no matter which Endpoint Security module is selected to install. For more information, see: KB86504 - Legacy products can't coexist with Endpoint Security modules.

Can I install two different antivirus products on a single system?
No. Having two on-access scanners can lead to several problems. The most common is a performance issue because two on-access scanners scan the same file. For more information, see: KB89595 - Endpoint Security, Host Intrusion Prevention, and VirusScan Enterprise do not support using third-party security solutions that provide the same functionality.

What are the supported platforms, environments, and operating systems for Endpoint Security?
See KB82761 - Supported platforms for Endpoint Security. This article provides a list of supported client and server operating systems, virtual infrastructure, email clients, hardware requirements, and internet browsers.

Is Microsoft Windows XP or Windows Server 2003 supported?
No. Neither is Windows 2009 Point Of Service Embedded because it is an XP-based operating system.

What SQL version must I use for my ePolicy Orchestrator server?
To install the Endpoint Security Migration Extension on the ePolicy Orchestrator server, you must change the Compatibility Level of the current database to SQL 2008. For more information, see: KB86470 - Incorrect syntax near 'MERGE' (Migration Extension installation failure).

Why do I have compatibility issues with third-party software applications that "hook" McAfee processes, or attempt to, by loading their own code (a DLL) into the McAfee process?
McAfee products include self-protection mechanisms to prevent tampering with McAfee files, folders, processes, registry entries, and executables. Self-protection mechanisms are needed to provide and maintain a high level of security and trust in the software, especially to secure against malware attacks. For more information, see: KB83123 - Compatibility issues can occur when third-party applications inject McAfee processes.

Why is Endpoint Security blocking System Information Reporter (SIR) from restoring registry keys?
SIR registry restore fails under Endpoint Security-protected registries because an Endpoint Security Self Protection Rule is blocking it. To resolve this issue, do one of the following:

Connect to AAC and add the exceptional allow rule for regedit.
Do not use regedit and update your application to directly make the registry changes.

For more information, see: KB86050 - Endpoint Security blocks System Information Reporter from restoring registry entries.

Where can I find the list of third-party software that Endpoint Security uses?
On a computer where Endpoint Security is deployed, the list of third-party software that Endpoint Security uses is in the following file:

C:\Program Files\McAfee\EndpointSecurity\Endpoint Security Platform\ThirdParty_License_Info.txt

Back to Contents

Installation, Upgrade, Migration, Removal - Information about installing, removing, upgrading, and migrating

How are releases for Endpoint Security for Windows packaged?
In 2020 and later, Endpoint Security only provides .MSI packages for standard major, minor, and update releases.¹This decision was made based on customer feedback regarding the need to reduce complexity and deployment effort.

This single package type will:

Install Endpoint Security on new systems
And
Upgrade existing installations of Endpoint Security.

To deploy these packages for Endpoint Security upgrades, customers must use an installation Product Deployment task and no longer need to use an Update task.

For more information about our release practices, see: KB51560 - McAfee on-premises product release cycle.

¹This decision does not apply to the current Endpoint Security hotfix delivery and format which remains unchanged. An Update task can be used to apply them.

Can different modules (for example, Web Control and Threat Prevention), originating from different source packages (for example, February Update and April Update), be installed on a single given system?
All Endpoint Security modules installed on a system should originate from the same source package, avoiding a mix and match of installed components/modules.

What are the managed Endpoint Security installation options?
There are two management options: ePolicy Orchestrator (ePO) and ePO Cloud. The primary differences in managing the two environments are:

ePolicy Orchestrator - Administrators install product components on the management server, then they typically configure feature settings (policies) and deploy the client software to multiple managed systems using deployment tasks.
ePO Cloud - McAfee or another service provider sets up each ePO Cloud account on an offsite management server. It then notifies the local administrator when products are ready to install on managed systems. Local administrators then typically create and send an installation URL to users for installation on local systems.

How do you migrate from an evaluation version of Endpoint Security to a Licensed version?
You must first uninstall the evaluation package of Endpoint Security before installing the licensed version of Endpoint Security.

How do I migrate legacy McAfee products to Endpoint Security?
Use the Endpoint Migration Assistant to migrate the following settings and assignments to Endpoint Security. For instructions, see the Endpoint Security Migration Guide:

VirusScan Enterprise 8.8
Host Intrusion Prevention Firewall 8.0
SiteAdvisor Enterprise 3.5

After migrating the VirusScan Enterprise on-access scan policy to Endpoint Security using the Migration Assistant, why aren’t the on-access scan exclusions enforced?
This issue occurs when the VirusScan Enterprise on-access scan policy contains invalid exclusion data or exclusion patterns that Endpoint Security does not support. The Migration Assistant does not change the exclusion patterns during the migration. For a list of exclusion patterns that Endpoint Security supports, see the Endpoint Security Migration Guide.

For example, the exclusion "%systemroot%system32inetsrv" is invalid because there is no '\' between the environment variable and next file/folder data. The correct exclusion in this case, is "%systemroot%\system32inetsrv".

If you have this issue, the Endpoint Security Platform error log shows an error similar to the following:

08/14/2017 09:35:31.225 AM mfetp(1924.2840) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5315): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_LOW, Error code: 0xA7F40511

Does the Endpoint Migration Assistant migrate rules that are assigned based on tags?
No. The Endpoint Migration Assistant does not merge and replace policies that are assigned using tagging rules.

How do I deploy Endpoint Security modules using ePolicy Orchestrator?
First, check the Endpoint Security module packages into the ePolicy Orchestrator server. From the ePolicy Orchestrator Software Manager, there is a bundle package. This package checks the module installation packages, Help files, and module extensions into the ePolicy Orchestrator Master Repository. Module installation packages include the Security Platform module, Firewall module, Threat Prevention module, and Web Protection module. From the Product Downloads site (http://www.mcafee.com/us/downloads/downloads.aspx), download each package separately and check it into the ePolicy Orchestrator Master Repository.

Next, create a deployment task. Deployment tasks of the Firewall module, Threat Prevention module, or Web Protection module check the version of Security Platform. The module installer automatically updates the Security Platform version first before installing Firewall, Threat Prevention, or Web Protection.

The Adaptive Threat Protection module checks in separate from the other Endpoint Security modules. When installing the Adaptive Threat Protection module, the version of Endpoint Security Threat Prevention must be the same. For example, you can't install Adaptive Threat Protection 10.6.1 on a system running Endpoint Security Threat Prevention 10.6.0. Do not include the Adaptive Threat Protection module when you deploy the other Endpoint Security modules. The ePolicy Orchestrator deployment task might run the Adaptive Threat Protection module installation before the Threat Prevention module installation. So, McAfee recommends that you have a separate deployment task for the Adaptive Threat Protection module.

How do I deploy Endpoint Security using third-party deployment solutions?
The third-party solution must meet these requirements:

Make sure that all installation files are available/accessible.
Run the executable installer (SetupEP.exe), and not the MSI files.
Run with SYSTEM or Administrator privilege.
Use the Endpoint Security standalone package for the installation source files.

NOTE: You can customize this package using the Package Designer.

Will Endpoint Security upgrade my older McAfee Agent version?
It depends on whether McAfee Agent is managed:

When ePolicy Orchestrator manages the McAfee Agent, an installation of Endpoint Security does not modify the agent. It is not permitted to do so automatically when the agent is in managed mode.
When the McAfee Agent is unmanaged (standalone), the SetupEP.exe installer upgrades the agent to the version included with the Endpoint Security package.

How do I install Endpoint Security for users who do not have Administrator rights?
Create an installation URL and send it to users to install Endpoint Security on their systems. For instructions, see the Endpoint Security Installation Guide.

Can I use Sysprep to include Endpoint Security in a base image?
Yes. Sysprep is a supported installation method.

Can I install Endpoint Security to a custom drive letter or location?
Yes.

What processes does Endpoint Security install?
For a list of the processes (Windows Services and processes running as a service or as User) that Endpoint Security installs, see: KB87791 - Processes that Endpoint Security installs.

What do I do if uninstalling Endpoint Security fails from "Programs and Features" or "Apps & features" (depending on your version of Windows)?
To obtain the McAfee Endpoint Product Removal tool, see: KB90895 - Endpoint Product Removal tool to uninstall McAfee products.

How do I uninstall Endpoint Security from client systems that ePolicy Orchestrator Cloud manages?
Use the instructions in KB85135 - How to remove Endpoint Security from client systems that ePO Cloud manages.

How do I remove the Endpoint Security Common extension from ePolicy Orchestrator?
The Common extension can't be removed if any other Endpoint Security module extensions are checked in. Remove all Endpoint Security module extensions first, before trying to remove the Endpoint Security Common extension.

Back to Contents

Configuration - Includes best practices, configuring, optimizing, and customizing

How do I improve performance with Endpoint Security?

See KB88205 - How to improve performance with Endpoint Security. This article is updated as information is gathered about performance issues. Check the article first for assistance if you experience symptoms of poor performance.

How do I configure Access Protection rules to block malware?
For a list of suggested Access Protection rules to implement, see: KB91934 - Protecting against Ransomware - Rev J - Combating Ransomware.

How do I create an Access Protection rule for a file or folder in systems?
User-defined Access protection rules prevent changes to files or folders in systems. See KB86577 - How to create a user-defined Access Protection rule for a file or folder registry.

Can I use variables when creating Access Protection rules?
McAfee does not recommend using variables because it can have unexpected outcomes. The best practice is to use wild cards. For example, C:\Users\%username%\SubFolder can be represented as C:\Users\*\SubFolder.

Why are Access Protection events that are confirmed to be occurring on the client system and are getting logged locally, not visible in ePolicy Orchestrator after sending client events?
See KB87149 - Access Protection events are not available in ePO. The default configuration for Endpoint Security excludes those events from being created. Or, the agent might also be suppressing the events.

How can I access the console or remove Endpoint Security if I forgot the password?
The default password is mcafee. If you changed the password and have forgotten the new password, contact Technical Support for instructions to remove the password. Make sure that you complete the following items before contacting Technical Support:

Collect Minimum Escalation Requirement (MER) data using the MER tool: https://mer.mcafee.com.
Obtain administrator rights and physical access to the affected system.

Why do on-demand scan (ODS) tasks I created not update in Endpoint Security Threat Prevention Product Properties on the ePolicy Orchestrator "System Details" page?
Only the default policy-defined ODS tasks update the Date of Last Full Scan and the Date of Last Quick Scan. The functionality is working as intended. See KB86677 - User-defined on-demand scan doesn't update Date of Last Full Scan or Date of Last Quick Scan.

Why do I not see events in ePolicy Orchestrator for on-demand scan (ODS) tasks?
To make sure that all relevant logging is enabled, see: KB87752 - How to create an ePolicy Orchestrator report for Endpoint Security reporting Event ID: 1203 (on-demand scans). Only policy-defined ODS tasks create events, not custom ODS tasks. See KB86677 - User-defined on-demand scan doesn't update Date of Last Full Scan or Date of Last Quick Scan.

How can I remove the Pause scan message in Endpoint Security?
Disable the scan on idle feature. For more information, see: KB84208 - Title Remove the Paused scan message in Endpoint Security.

How do I remove the default "Quick Scan" and "Full Scan" on-demand scan tasks?
This question is a concern for customers who have created a group and accepted the default settings for on-demand scan tasks. The reason is because the task assignments can't be edited or deleted. The simplest solution is to create a group in the ePolicy Orchestrator System Tree and move systems into that group. Do not enable the on-demand scan tasks for the new group.

Why are there ePolicy Orchestrator Server Task entries when editing Endpoint Security policies?
When editing Endpoint Security policies on an ePolicy Orchestrator 5.9 (or later) server, an ePolicy Orchestrator Server Task log entry named "Policy <policy name> was saved. Comment: <policy comment>" is created. This entry describes what policy changes were made, at what date and time the change was made, and by what ePolicy Orchestrator user name. This feature change was introduced with ePolicy Orchestrator 5.9.

NOTE: When you duplicate McAfee default (uneditable) policies, the first policy change made to the duplicate policy logs several policy detail changes. But, for any subsequent policy change, the Server Task entry logs only the specific policy changes made during each saved policy change.

How can I import settings (for example, firewall settings) at installation time?
Use one of the following options:

Endpoint Security includes a Package Designer utility that allows customizing policies. These policies can be included with the installation package.
Endpoint Security includes a utility named EsConfigTool.exe that allows you to export and import policies. The ESConfigTool.exe utility is located in the Endpoint Security Platform folder (by default, C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform). Deploy Endpoint Security to at least one client system, configure settings as wanted, and then export the settings using ESConfigTool.exe.
NOTES: You can import the file generated from ESConfigTool.exe using the command: setupEP.exe /import
- Do not use the plain text option when exporting if you intend to import the settings.
- Do not specify an extension for the file.
- To display help and options, execute the utility with no parameters.

How do I configure Endpoint Security Firewall network traffic logging?
Within the Endpoint Security Firewall Options policy, enable the Log all allowed or Log all blocked options. Endpoint Security Firewall will log blocked and allowed network traffic to the \ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file. If you want to generate ePolicy Orchestrator events for allowed or blocked network traffic, enable the Log matching traffic option in a specific firewall rule. Be aware that generic, high event-generation rules can cause performance issues. For more information, see: KB90177 - Enabling the 'Treat match as intrusion' or 'Log matching traffic' logging options might cause high CPU use.

NOTE: Endpoint Security Firewall log functionality does not allow for only specific firewall rules to be logged to the FirewallEventMonitor.log file.

To submit a new product idea, go to: https://community.mcafee.com/t5/Enterprise-Product-Ideas/idb-p/business-ideas.

The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021 - How to submit a Product Idea.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.

What is "Presentation mode" when running on-demand scan tasks?
Presentation mode is any window in full-screen mode. This mode can apply to video playback software, Microsoft PowerPoint presentations, or Remote Desktop Protocol windows.

Back to Contents

AMCore Content - Updating, downgrading, and reporting of AMCore content

How do content files work?
When the scan engine scans files for threats, it compares the contents of the scanned files to known threat information stored in the AMCore content files. Exploit Prevention uses its own content files to protect against exploits.

Why is EICAR not being detected? Why is my content version 0.5?
This issue occurs when AMCore content has not yet been updated after installing the product. To resolve this issue, update the content.

How often does McAfee release new Threat Prevention content files?
McAfee releases new Exploit Prevention content files as needed. The Endpoint Security Product Guide incorrectly states that Exploit Prevention content files are released once a month.

Which content does Endpoint Security need?
Endpoint Security Threat Prevention uses "Endpoint Security Exploit Prevention Content" and "AMCore Content Package".

Where can I get AMCore DAT files? How do I update AMCore content manually?

Content for AMCore is available online at: http://www.mcafee.com/apps/downloads/security-updates/security-updates.aspx.
Installing this package replaces existing AMCore content.
You must run the .exe content installer as an Administrator.
More frequently asked questions regarding AMCore content are answered in KB82396 - FAQs for V3 DAT files.

Can I update the AMCore content from the command line on a client system?
Yes. To update the AMCore content, run the following command on the client system: "C:\Program Files\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" /update

Why does Endpoint Security update the engine version automatically? I am not able to electively download the engine.
The concept of engine updates has changed with AMCore technology; they are no longer separate packages from content. When AMCore content requires an update to any one of its engines that is used during scanning, the engine update is included in the V3 content update releases. Downgrading AMCore content would also downgrade an engine if not part of that older content.

How can I determine the Exploit Prevention content version and date from the registry or file system?
The Exploit Prevention content date is not stored in the registry. The date is the last modified date of the content.bin file found in the directory C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS.

To determine the Exploit Prevention content version from the registry:

Navigate to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\Endpoint\Ips\BO
Note the following string values under the key:
- ContentMajorVersion
- ContentMinorVersion
- ContentVersion
To get the Exploit Prevention content version, take the ContentVersion value and replace the value before the first period with the ContentMajorVersion, and the value after the first period with the ContentMinorVersion. For example, if the ContentVersion is 8.0.0.8137, the ContentMajorVersion is 10, and the ContentMinorVersion is 7, the Exploit Prevention content version is 10.7.0.8137.

Is there a way to determine the AMCore content version from the registry or file system?
Yes. Perform the following steps:

From the registry:
1. Navigate to the following registry key:
  
  [HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\AVSolution\DS\DS]\
2. Convert the major and minor version from hexadecimal to decimal. In the following example, the version is 2556.0.
  
  "dwContentMajorVersion"=dword:000009fc (000009fc is 2556 in decimal)
  "dwContentMinorVersion"=dword:00000000 (00000000 is 0 in decimal)
  
  The following date and time registry keys are also present. In the following example, the AMCore content was built on March 22, 2017 at 08:44:00 GMT.
  
  "szContentCreationDate"=reg_sz:"2017-03-22" (formatted date yyyy-mm-dd)
  "szContentCreationTime"=reg_sz:"08:44:00" (formatted time hh:mm:ss)
From the file system (if managed by ePolicy Orchestrator):
Locate the value of AvManifestVersion in the file C:\Program Files\McAfee\Endpoint Security\Threat Prevention\AvContentMgr.xml.
In the following example, the version is 2591.0:
2591.0

What does the trailing number in a DAT version mean?
The trailing number indicates whether it is a Production, Pre-production, or Beta V3 DAT package.

xxxx.0 (Example: 3158.0) - Indicates a Production V3 DAT package
xxxx.1 (Example: 3158.1) - Indicates a Pre-production V3 DAT package
xxxx.3 (Example: 3158.3) - Indicates a Beta V3 DAT package

For a comparison of the V3 DAT package types, see: KB89778 - Comparison of the V3 DAT packages (Production, Pre-production, Beta).

How do I downgrade or roll back DAT content?
Use one of the following options to install the wanted version:

Use ePolicy Orchestrator and run a DAT update task on the client.
Run the V3 DAT content file manually on the client.

How is AMCore content compliance determined?
The criteria for "compliant" can't be changed. The AMCore content compliance is based on the age of the AMCore DAT.

If the DAT is less than seven days old, it is considered compliant.
If the DAT is greater than or equal to seven days old, it is noncompliant.

NOTE: The DAT age is not related to when the system updated, but when the DAT was released.

Does the option "DAT Version compliance for VirusScan Enterprise was within X versions of Repository DAT" exist in Endpoint Security?
No. Endpoint Security determines compliance based on the age of the DAT, not the DAT version.

How can I determine the size of AMCore content update files?
You can view the AMCore content update files here: https://update.nai.com/products/commonupdater/current/amcordat2000/dat/0000/ or http://update.nai.com/products/commonupdater/current/amcordat2000/dat/0000/. The date/time stamp of the files is always the current date. But, a *.gem incremental update file is released each day and 30 days worth of incremental updates are stored there.

Why is the V3 DAT still a 100 MB+ file when I was told the new DATs are much smaller?
The smaller size of DAT refers to the comparison of the AVV versus the MED (medium) DATs. These DATs offer equivalent functionality between VirusScan Enterprise and Endpoint Security.

For ENS:
The MED DATs are found in the following location (note that the versioned folder changes):

C:\Program Files\Common Files\McAfee\Engine\content\avengine\med\2647.0

The combined size of medscan.dat, mednames.dat, and medclean.dat is 62.7 MB.
For VSE:
The AVV DATs are found in the following location:

C:\Program Files (x86)\Common Files\McAfee\Engine

The combined size of avvscan.dat, avvnames.dat, and avvclean.dat is 143 MB, which is a reduction in size of 56%.

What is the "McAfee DAT Built in test" task?
The McAfee DAT Built in test performs some basic checks on the health of the system. It is tied to the DAT update as the trigger for when it starts. It runs seven times at random intervals between AMCore updates. The task is not configurable. It runs only if the following options are enabled in the Endpoint Security Threat Prevention, Options policy, Proactive Data Analysis section:

Safety pulse
McAfee GTI feedback
AMCore Content Reputation

If the task does not succeed, verify that the system has network connectivity and run the task manually. The task runs mcdatrep.exe, a component that uses TrustedSource. So. HTTPS must be allowed and the system proxy properly configured for the task to succeed.

Back to Contents

Functionality - Product features and functions

What do each of the Endpoint Security modules do?
There are three Endpoint Security modules:

Firewall - Monitors and intercepts suspicious communication between the computer and resources on the network and the internet.
Threat Prevention - Checks for viruses, spyware, unwanted programs, and other threats by scanning items both automatically when users access them (on-access) or on-demand at any time.
Web Control - Displays safety ratings and reports for websites during online browsing and searching. Web Control enables the site administrator to block access to websites based on safety rating or content.

What difference in IPS coverage is there between Endpoint Security and Host Intrusion Prevention?
For a list of all Endpoint Security Exploit Prevention and Host Intrusion Prevention signatures and their current supported directives, see: KB51504 - REGISTERED - Signature Directive support.

The referenced article is available only to registered ServicePortal users.

To view registered articles:

Log on to the ServicePortal at http://support.mcafee.com.
Type the article ID in the search field on the home page.
Click Search or press Enter.

What does "Let McAfee Decide" mean when scanning files?
You can specify when the on-access scanner (OAS) scans files, such as when writing to disk or when reading from disk. Or, you can let McAfee decide when to scan. When you select Let McAfee Decide, the on-access scanner uses trust logic to optimize scanning. Trust logic improves security and boosts performance by avoiding unnecessary scans. For more information, see the "Understanding the McAfee Endpoint Security 10 Threat Prevention Module" white paper at https://www.mcafee.com/us/resources/white-papers/restricted/wp-understanding-ep-security-10-module.pdf.

Can Endpoint Security detect a virus that is encrypted by an encrypted file system (EFS)?
Yes, if the user who owns the EFS folder accesses the file when the scan runs. Endpoint Security can use their access token. Otherwise, Endpoint Security can't scan inside encrypted files or packages, and neither can any antivirus scanner. The Endpoint Security logs show the following when an EFS is encountered: Not scanned (The file is encrypted). Detection takes place only when the file has been decrypted or opened.

For more information, see the following Microsoft article, which covers EFS and issues with virus check programs: http://technet.microsoft.com/library/Cc962106.

How does the Endpoint Security on-access scanner (OAS) handle Client-side Caching interactions? Is the file local or remote?
Microsoft Offline Files/folders technology, or Client-side Caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device is not connected to the network. This function is called client-side caching because Windows creates a local copy of the file in a protected folder. It is from this local copy that the device reads and modifies the file's content as needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.

The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the user or programs accessing the file use the same remote location. It is Windows that handles the needed redirection that provides access to the cached, local copy.

Because the file is always considered remote, for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the on-demand scanner (ODS) to scan the offline files, it must be provided the original (remote) location.

Why does the Endpoint Security Help file open in a browser that is not my default browser?
Endpoint Security starts the application associated with the .html extension. If the default browser is not associated with the .html extension, a different browser opens. For more information, see: KB86558 - Help file displays in a non-default browser.

Why does McShield.exe use high CPU?
McShield.exe is the user mode scanner that analyzes files to determine whether they are clean or malware. It must use CPU cycles to accomplish its work.

Why is McShield.exe using high CPU continually?
McShield.exe is also the hosting scanner to perform the needed work for on-demand scan tasks. If you have a scheduled on-demand scan task running, you see McShield.exe use CPU cycles to carry out the requested scans. In ENS 10.7, there is an option to limit the CPU usage during an on-demand scan task.

Where is EmailScan? Why doesn't Endpoint Security include an email scanner like VirusScan Enterprise?
Currently there is no plug-in for either Outlook or Lotus mail clients. This feature is not included because the functionality of EmailScan is largely redundant or overlapping with the real-time scanning. If there is a specific use case wanted for this feature, contact your Support Account Manager and relay your user story to Product Management.

Endpoint Security reports the error "Clean error as no cleaner was available, and delete pending" for a detected threat file. What does this error mean?
This error typically means that the file was not cleanable and should be deleted. Deleting files can return inconsistent results because of the transient nature of files. The product might indicate that a delete action is pending when the file was already deleted (by the operating system) before the product could perform the delete action.

What does the value "Duration Before Detection" shown in the "Endpoint Security: Threat Behavior" ePolicy Orchestrator dashboard mean?
This value is the time between the file creation date (when it was written to the disk) and the detection time.

How does the integration with Windows Antimalware Scan Interface (AMSI) work?
AMSI is a generic interface standard that Microsoft provides. AMSI is supported on Windows 10, Windows Server 2016, and Windows Server 2019 systems. AMSI allows applications and services to integrate with ENS Threat Prevention, providing better protection against malware. Integrating with AMSI provides enhanced scanning for threats in non-browser-based scripts, such as PowerShell, JavaScript, and VBScript.

You can find out more about AMSI in the Microsoft documentation "Antimalware Scan Interface (AMSI)" and "How the Antimalware Scan Interface (AMSI) helps you defend against malware". Requirements for programmatic integration are listed here. For further documentation needs, engage Microsoft.

Back to Contents

Troubleshooting - How to aid in troubleshooting product issues

How do I enable debug logging in Endpoint Security?
Enable debug logging for each Endpoint Security module through the Endpoint Security Common policy. Make sure that you enforce the policy on the client before trying to reproduce the issue. To enforce the policy, either perform an agent wake-up call to the system from the ePolicy Orchestrator console or click Collect and Send Props from the client McAfee Agent Status Monitor. Debug log files are stored at %ProgramData%\McAfee\Endpoint Security\Log or C:\Documents and Settings\All Users\Application Data\McAfee\Endpoint Security\Logs depending on the operating system. For instructions, see: KB91797 - Enable debug logging to troubleshoot Endpoint Security issues.

How do I enable detailed logging for McAfee Agent?
Detailed logging in McAfee Agent helps to troubleshoot issues with updating, installing, and upgrading. Enable detailed logging for McAfee Agent through the McAfee Agent General policy. Click the Logging tab, and select Enable detail logging. Increase the Log file size limit (MB) to 20 and Roll over count to 2. For instructions, see: KB82170 - How to enable debug logging for McAfee Agent to troubleshoot Windows.

Why are events not reporting in the ePolicy Orchestrator dashboards?
Managed product events have a severity level. By default, Endpoint Security modules log only Critical and Major events. If an event has a severity of Informational, it is not logged. To log all events, edit the Endpoint Security Common policy and change the Event Logging Severity Level to All.

Back to Contents

Web Control - General information about Web Control

How do I prevent users from disabling the Web Control extension from a browser?
The self-protection policy in the Endpoint Security Common Policy prevents end users from disabling the Web Control toolbar and Web Control Browser Helper Object (BHO) in Internet Explorer. Self-protection does not prevent users from disabling the Web Control extension in Chrome or Firefox.

If a user disables the Web Control extension in Firefox, Web Control will be enabled in future browse sessions after a Firefox restart. You can't prevent a user from disabling Web Control in Firefox.

If a user deletes the Web Control extension in Chrome, Web Control will no longer appear in Chrome even after a reinstall of Endpoint Security. You must either delete the Chrome user profile or reinstall Chrome. To prevent users from deleting the Web Control extension in Chrome, see: KB87568 - Web Control browser extension must be enabled by the user. This article contains information about force-enabling the Web Control extension through Active Directory group policy.

Can I have the SiteAdvisor Enterprise and Web Control extensions force enabled in Chrome at the same time?
No. You need to remove the SiteAdvisor Enterprise (SAE) APPID from the Chrome Group Policy template. Having the SAE extension force installed with the Web Control extension causes issues with the navigation from the enforcement messages. Do not force install both the SAE and Web Control extensions into Chrome.

How does Web Control determine whether a site has a private/internal IP address?
Web Control does not act on private or internal IP addresses. Private and internal sites on a prohibit list are not blocked. Web Control determines that a site has a private or internal IP address if it is part of the following IP address ranges:

Default IPv4 private IP address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
localhost or 127.0.0.1

Default IPv6 private IP address range:
Site-local and Link-local addresses that start with FEC, FED, FEE, FEF or FE8, FE9, FEA, FEB

Why does the version of Web Control in Chrome report differently than the version of Web Control in the Endpoint Security console?
The Endpoint Security console reports the current version of Web Control installed. Chrome reports the version of the Web Control extension hosted in the Google Play Store. As new versions of Web Control are released, the Web Control extension in the Google Play Store might not get updated. Chrome can report a different version for the Web Control extension than the version shown in the Endpoint Security About box or in ePolicy Orchestrator product properties. Chrome uses the locally installed Web Control extension.

What causes no annotations to show in search results when I perform the search with a supported search engine?
Web Control uses scripts to annotate search results with ratings. If a search engine changes the webpage it uses to present the search engine results, Web Control might not annotate the page. For more information, see: KB87640 - Web Control search annotation ratings are not displayed in the search engine results.

Why is a site on the Web Control allow list still appearing in email annotations as a red rated URL?
Web Control email annotations are based only on the Global Threat Intelligence (GTI) rating. The local allow policy does not override the GTI rating for the email annotation.

Why does a page load in the browser before the enforcement occurs?
Web Control does an asynchronous lookup for the rating on the webpage. The browser content can load before Web Control gets a rating from the Global Threat Intelligence servers. See KB88057 - Webpage content displays before the Endpoint Security Web Control block or warn page displays in the browser.

Why is the Web Control browser balloon orange or displays "Error retrieving Web Control information"?
If the Web Control service can't communicate with the Global Threat Intelligence (GTI) servers, the browser balloon is orange. For troubleshooting steps, see: KB87930 - Endpoint Security Web Control status balloon is orange.

Why don't the ePolicy Orchestrator reports list a URL for green rated sites?
Web Control does not track green rated URLs in reports sent to ePolicy Orchestrator for user privacy. Web Control sends a total green rated site count for unique categories in events sent to ePolicy Orchestrator. See the "How Web Control works with Web Reporter" section of the Endpoint Security Web Control Product Guide for information about configuring Web Control to work with McAfee Web Reporter to see green rated URLs.

Back to Contents

Previous Document ID

KB84388

Affected Products

Endpoint Security Adaptive Threat Protection
Endpoint Security Firewall 10.7.x
Endpoint Security Firewall 10.6.x
Endpoint Security Threat Prevention 10.7.x
Endpoint Security Threat Prevention 10.6.x
Endpoint Security Web Control 10.7.x
Endpoint Security Web Control 10.6.x
Getting Started

Languages:

This article is available in the following languages:

German
English United States
Spanish Spain
French
Italian
Japanese
Portuguese Brasileiro
Chinese Simplified

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.

Knowledge Center