This article is a consolidated list of common questions and answers intended for users who are new to the product. But, it can be of use to all users.
Recent updates to this article
Date
Update
September 30, 2021
Updated the FAQ "How can I import settings (for example, firewall settings) at installation time?" in the section "Configuration - Includes best practices, configuring, optimizing, and customizing". Added that you must disable the Access Protection rule protecting ESConfig in the ENS Threat Prevention Access Protection policy.
September 15, 2021
Added the FAQ "How do I best handle v3 DAT content updates in an environment where systems are non-persistent?" in the section "Configuration - Includes best practices, configuring, optimizing, and customizing".
April, 20, 2021
Added the FAQ "How does the integration with Windows Antimalware Scan Interface (AMSI) work?" in the "Functionality - Product features and functions" section.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents
Click to expand the section you want to view:
Where can I find an explanation of Endpoint Security event messages?
Endpoint Security event messaging uses Natural Language Strings (NLS). Some events might require further explanation than what is provided in the small text string in an event. For a detailed explanation of event messages, see: KB85494 - Complete list of event IDs for Endpoint Security.
How can I check the status of the Endpoint Security service and other McAfee services on a system?
Use the executable C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe to check the status of services as follows. This executable can be useful if you’re using a third-party monitoring tool to track the status of the Endpoint Security service. Or, to get a report on how many systems have Endpoint Security running.
NOTE: To check the status of all McAfee services, run the command: C:\WINDOWS\system32>"C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe" -enum
What is the mfeensppl service?
The mfeensppl service is a Protected Process Light (PPL) service. The service is used for the registration of mfetp with the Windows Security Center (WSC) service wscsvc. The mfeensppl.exe service stops and starts as it is needed. The mfeensppl.exe service is similar to the mfefire service, which also runs only when it is in use. The registration with WSC happens every time policies are enforced on the system and also when the system restarts. The registration with WSC is done through PPL in Windows 10 version 1809 (October 2018 Update) and later. When the mfeensppl.exe service runs, it checks whether the system is compatible with the Windows 10 version 1809 or later technology. The service then reacts accordingly. On systems not running Windows 10 version 1809 (and later), the mfeensppl.exe service is present. After determining that the operating system isn’t supported, mfeensppl.exe exits gracefully.
Why does the Help feature in the ePolicy Orchestrator console open a web browser page to docs.mcafee.com, instead of a contextual page of product information?
This behavior is the result of a feature change starting in Endpoint Security 10.6.0. When you use the Help feature by clicking the "?" question mark inside the ePolicy Orchestrator console, it now opens the Documentation Portal (docs.mcafee.com), where you can perform a search.
What is the $MfeDeepRem folder, for example, the folder located under root C:\?
This folder is used by the Endpoint Security Adaptive Threat Protection Enhanced Remediation feature. The folder is created per drive. The folder size varies depending on the file size of the drive. This folder is protected by McAfee Enterprise. It might need to be excluded by applications that try to access files or folders that aren’t their own, such as backup software. Attempts to access the folder are denied access.
How can I determine the Real Protect content version?
Open the Endpoint Security console and go to the About window. The About window shows the Real Protect content version. If you want to see the Real Protect content version without opening the console, go to C:\Program Files\Common Files\McAfee\Engine\content\rpstatic. The folder name shows the content version. For example, 1.1.10005.6250. The Real Protect content version isn’t stored in the registry.
Can Endpoint Security coexist with the legacy McAfee Enterprise products SiteAdvisor Enterprise and VirusScan Enterprise?
No. The Endpoint Security installer removes both SiteAdvisor Enterprise and VirusScan Enterprise no matter which Endpoint Security module is selected to install. For more information, see: KB86504 - Legacy products can't coexist with Endpoint Security modules.
What are the supported platforms, environments, and operating systems for Endpoint Security?
See KB82761 - Supported platforms for Endpoint Security. This article provides a list of supported client and server operating systems, virtual infrastructure, email clients, hardware requirements, and internet browsers.
Is Microsoft Windows XP or Windows Server 2003 supported?
No. Neither is Windows 2009 Point Of Service Embedded because it’s an XP-based operating system.
What SQL version must I use for my ePolicy Orchestrator server?
To install the Endpoint Security Migration Extension on the ePolicy Orchestrator server, you must change the Compatibility Level of the current database to SQL 2008. For more information, see: KB86470 - Incorrect syntax near 'MERGE' (Migration Extension installation failure).
Why do I have compatibility issues with third-party software applications that "hook" McAfee processes, or attempt to, by loading their own code (a DLL) into the McAfee process?
McAfee Enterprise products include self-protection mechanisms to prevent tampering with McAfee Enterprise files, folders, processes, registry entries, and executables. Self-protection mechanisms are needed to provide and maintain a high level of security and trust in the software, especially to secure against malware attacks. For more information, see: KB83123 - Compatibility issues can occur when third-party applications inject McAfee processes.
Why is Endpoint Security blocking System Information Reporter (SIR) from restoring registry keys?
SIR registry restore fails under Endpoint Security-protected registries because an Endpoint Security Self Protection Rule is blocking it. To resolve this issue, do one of the following:
Connect to AAC and add the exceptional allow rule for regedit.
Don’t use regedit and update your application to directly make the registry changes.
Where can I find the list of third-party software that Endpoint Security uses?
On a computer where Endpoint Security is deployed, the list of third-party software that Endpoint Security uses is in the following file:
How are releases for Endpoint Security for Windows packaged?
In 2020 and later, Endpoint Security only provides.MSI packages for standard major, minor, and update releases.1 This decision was made based on customer feedback regarding the need to reduce complexity and deployment effort.
This single package type will:
Install Endpoint Security on new systems
And
Upgrade existing installations of Endpoint Security.
To deploy these packages for Endpoint Security upgrades, customers must use an installation Product Deployment task and no longer need to use an Update task.
1 This decision doesn’t apply to the current Endpoint Security hotfix delivery and format which remains unchanged. An Update task can be used to apply them.
Can different modules (for example, Web Control and Threat Prevention), originating from different source packages (for example, February Update and April Update), be installed on a single given system?
All Endpoint Security modules installed on a system should originate from the same source package, avoiding a mix and match of installed components/modules.
What are the managed Endpoint Security installation options?
There are two management options: ePolicy Orchestrator (ePO) and ePO Cloud. The primary differences in managing the two environments are:
ePolicy Orchestrator - Administrators install product components on the management server, then they typically configure feature settings (policies) and deploy the client software to multiple managed systems using deployment tasks.
ePO Cloud - McAfee Enterprise or another service provider sets up each ePO Cloud account on an offsite management server. It then notifies the local administrator when products are ready to install on managed systems. Local administrators then typically create and send an installation URL to users for installation on local systems.
How do you migrate from an evaluation version of Endpoint Security to a Licensed version?
You must first uninstall the evaluation package of Endpoint Security before installing the licensed version of Endpoint Security.
How do I migrate legacy McAfee Enterprise products to Endpoint Security?
Use the Endpoint Migration Assistant to migrate the following settings and assignments to Endpoint Security. For instructions, see the Endpoint Security Migration Guide:
VirusScan Enterprise 8.8
Host Intrusion Prevention Firewall 8.0
SiteAdvisor Enterprise 3.5
After migrating the VirusScan Enterprise on-access scan policy to Endpoint Security using the Migration Assistant, why aren’t the on-access scan exclusions enforced?
This issue occurs when the VirusScan Enterprise on-access scan policy contains invalid exclusion data or exclusion patterns that Endpoint Security doesn’t support. The Migration Assistant doesn’t change the exclusion patterns during the migration. For a list of exclusion patterns that Endpoint Security supports, see the Endpoint Security Migration Guide.
For example, the exclusion "%systemroot%system32inetsrv" is invalid because there’s no '\' between the environment variable and next file/folder data. The correct exclusion in this case, is "%systemroot%\system32inetsrv".
If you have this issue, the Endpoint Security Platform error log shows an error similar to the following:
08/14/2017 09:35:31.225 AM mfetp(1924.2840) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5315): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_LOW, Error code: 0xA7F40511
Does the Endpoint Migration Assistant migrate rules that are assigned based on tags?
No. The Endpoint Migration Assistant doesn’t merge and replace policies that are assigned using tagging rules.
How do I deploy Endpoint Security modules using ePolicy Orchestrator?
First, check the Endpoint Security module packages into the ePolicy Orchestrator server. From the ePolicy Orchestrator Software Manager, there’s a bundle package. This package checks the module installation packages, Help files, and module extensions into the ePolicy Orchestrator Master Repository. Module installation packages include the Security Platform module, Firewall module, Threat Prevention module, and Web Protection module. From the Product Downloads site, download each package separately and check it into the ePolicy Orchestrator Master Repository.
Next, create a deployment task. Deployment tasks of the Firewall module, Threat Prevention module, or Web Protection module check the version of Security Platform. The module installer automatically updates the Security Platform version first before installing Firewall, Threat Prevention, or Web Protection.
The Adaptive Threat Protection module checks in separate from the other Endpoint Security modules. When installing the Adaptive Threat Protection module, the version of Endpoint Security Threat Prevention must be the same. For example, you can't install Adaptive Threat Protection 10.6.1 on a system running Endpoint Security Threat Prevention 10.6.0. Don’t include the Adaptive Threat Protection module when you deploy the other Endpoint Security modules. The ePolicy Orchestrator deployment task might run the Adaptive Threat Protection module installation before the Threat Prevention module installation. So, McAfee Enterprise recommends that you have a separate deployment task for the Adaptive Threat Protection module.
How do I deploy Endpoint Security using third-party deployment solutions?
The third-party solution must meet these requirements:
Make sure that all installation files are available/accessible.
Run the executable installer (SetupEP.exe), and not the MSI files.
Run with SYSTEM or Administrator privilege.
Use the Endpoint Security standalone package for the installation source files.
NOTE: You can customize this package using the Package Designer.
Will Endpoint Security upgrade my older McAfee Agent version?
It depends on whether McAfee Agent is managed:
When ePolicy Orchestrator manages the McAfee Agent, an installation of Endpoint Security doesn’t modify the agent. It isn’t permitted to do so automatically when the agent is in managed mode.
When the McAfee Agent is unmanaged (standalone), the SetupEP.exe installer upgrades the agent to the version included with the Endpoint Security package.
How do I install Endpoint Security for users who don’t have Administrator rights?
Create an installation URL and send it to users to install Endpoint Security on their systems. For instructions, see the Endpoint Security Installation Guide.
Can I use Sysprep to include Endpoint Security in a base image?
Yes. Sysprep is a supported installation method.
Can I install Endpoint Security to a custom drive letter or location?
Yes.
What processes does Endpoint Security install?
For a list of the processes (Windows Services and processes running as a service or as User) that Endpoint Security installs, see: KB87791 - Processes that Endpoint Security installs.
How do I remove the Endpoint Security Common extension from ePolicy Orchestrator?
The Common extension can't be removed if any other Endpoint Security module extensions are checked in. Remove all Endpoint Security module extensions first, before trying to remove the Endpoint Security Common extension.
How do I configure Access Protection rules to block malware?
For a list of suggested Access Protection rules to implement, see: KB91934 - Protecting against Ransomware - Rev J - Combating Ransomware.
Can I use variables when creating Access Protection rules?
McAfee Enterprise doesn’t recommend using variables because it can have unexpected outcomes. The best practice is to use wild cards. For example, C:\Users\%username%\SubFolder can be represented as C:\Users\*\SubFolder.
Why are Access Protection events that are confirmed to be occurring on the client system and are getting logged locally, not visible in ePolicy Orchestrator after sending client events?
See KB87149 - Access Protection events aren’t available in ePO. The default configuration for Endpoint Security excludes those events from being created. Or, the agent might also be suppressing the events.
How can I access the console or remove Endpoint Security if I forgot the password?
The default password is mcafee. If you changed the password and have forgotten the new password, contact Technical Support for instructions to remove the password. Make sure that you complete the following items before contacting Technical Support:
Collect Minimum Escalation Requirement (MER) data using the MER tool.
Obtain administrator rights and physical access to the affected system.
Why do on-demand scan (ODS) tasks I created not update in Endpoint Security Threat Prevention Product Properties on the ePolicy Orchestrator "System Details" page?
Only the default policy-defined ODS tasks update the Date of Last Full Scan and the Date of Last Quick Scan. The functionality is working as intended. See KB86677 - User-defined on-demand scan doesn't update Date of Last Full Scan or Date of Last Quick Scan.
How do I remove the default "Quick Scan" and "Full Scan" on-demand scan tasks?
This question is a concern for customers who have created a group and accepted the default settings for on-demand scan tasks. The reason is because the task assignments can't be edited or deleted. The simplest solution is to create a group in the ePolicy Orchestrator System Tree and move systems into that group. Don’t enable the on-demand scan tasks for the new group.
Why are there ePolicy Orchestrator Server Task entries when editing Endpoint Security policies?
When editing Endpoint Security policies on an ePolicy Orchestrator 5.9 (or later) server, an ePolicy Orchestrator Server Task log entry named "Policy <policy name> was saved. Comment: <policy comment>" is created. This entry describes what policy changes were made, at what date and time the change was made, and by what ePolicy Orchestrator user name. This feature change was introduced with ePolicy Orchestrator 5.9.
NOTE: When you duplicate McAfee default (uneditable) policies, the first policy change made to the duplicate policy logs several policy detail changes. But, for any subsequent policy change, the Server Task entry logs only the specific policy changes made during each saved policy change.
How can I import settings (for example, firewall settings) at installation time?
Use one of the following options:
Endpoint Security includes a Package Designer utility that allows customizing policies. These policies can be included with the installation package.
Endpoint Security includes a utility named ESConfigTool.exethat allows you to export and import policies. The ESConfigTool.exe utility is located in the Endpoint Security Platform folder (by default, C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform). Deploy Endpoint Security to at least one client system, configure settings as wanted, and then export the settings using ESConfigTool.exe. NOTES: You can import the file generated from ESConfigTool.exe using the command: setupEP.exe /import
Don’t use the plain text option when exporting if you intend to import the settings.
Don’t specify an extension for the file.
You must disable the Access Protection rule protecting ESConfig in the ENS Threat Prevention Access Protection policy.
To display help and options, execute the utility with no parameters.
How do I configure Endpoint Security Firewall network traffic logging?
Within the Endpoint Security Firewall Options policy, enable the Log all allowed or Log all blocked options. Endpoint Security Firewall will log blocked and allowed network traffic to the \ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file. If you want to generate ePolicy Orchestrator events for allowed or blocked network traffic, enable the Log matching traffic option in a specific firewall rule. Be aware that generic, high event-generation rules can cause performance issues. For more information, see: KB90177 - Enabling the 'Treat match as intrusion' or 'Log matching traffic' logging options might cause high CPU use.
NOTE:Endpoint Security Firewall log functionality doesn’t allow for only specific firewall rules to be logged to the FirewallEventMonitor.log file.
Click Sign In and enter your ServicePortal User ID and password. If you do not yet have a ServicePortal or Community account, click Register to register for a new account on either website.
NOTE: The Ideas forum replaces the previous Product Enhancement Request system.
What is "Presentation mode" when running on-demand scan tasks?
Presentation mode is any window in full-screen mode. This mode can apply to video playback software, Microsoft PowerPoint presentations, or Remote Desktop Protocol windows.
How do I best handle v3 DAT content updates in an environment where systems are non-persistent?
In virtualized environments (XEN/VMware/Citrix) where systems are spawned from a "gold image" or "templates" it’s useful to update those "gold images" or "templates" with the latest content every so often. This practice circumvents the need for an end node to download a full content update (usually hundreds of MB of files) when they start. You can make these updates as follows. Start the "gold image", start the update task and connect to a valid repository (for example, ePO), and take a "gold image". For an automated update process through ePO or the public update site (update.nai.com) in general, we publish incremental updates (usually 100 - 500 kB). Any system spawned from such a "template" or "gold image" can consume the updates instead of a full update, if it isn’t more than 35 versions behind the current content release.
How do content files work?
When the scan engine scans files for threats, it compares the contents of the scanned files to known threat information stored in the AMCore content files. Exploit Prevention uses its own content files to protect against exploits.
Why is EICAR not being detected? Why is my content version 0.5?
This issue occurs when AMCore content hasn’t yet been updated after installing the product. To resolve this issue, update the content.
How often does McAfee Enterprise release new Threat Prevention content files?
McAfee Enterprise releases new Exploit Prevention content files as needed. The Endpoint Security Product Guide incorrectly states that Exploit Prevention content files are released once a month.
Which content does Endpoint Security need?
Endpoint Security Threat Prevention uses "Endpoint Security Exploit Prevention Content" and "AMCore Content Package".
Where can I get AMCore DAT files? How do I update AMCore content manually?
Can I update the AMCore content from the command line on a client system?
Yes. To update the AMCore content, run the following command on the client system: "C:\Program Files\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" /update
Why does Endpoint Security update the engine version automatically? I’m not able to electively download the engine.
The concept of engine updates has changed with AMCore technology; they’re no longer separate packages from content. When AMCore content requires an update to any one of its engines that is used during scanning, the engine update is included in the V3 content update releases. Downgrading AMCore content would also downgrade an engine if not part of that older content.
How can I determine the Exploit Prevention content version and date from the registry or file system?
The Exploit Prevention content date isn’t stored in the registry. The date is the last modified date of the content.bin file found in the directory C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS.
To determine the Exploit Prevention content version from the registry:
To get the Exploit Prevention content version, take the ContentVersion value and replace the value before the first period with the ContentMajorVersion, and the value after the first period with the ContentMinorVersion. For example, if the ContentVersion is 8.0.0.8137, the ContentMajorVersion is 10, and the ContentMinorVersion is 7, the Exploit Prevention content version is 10.7.0.8137.
Is there a way to determine the AMCore content version from the registry or file system?
Yes. Perform the following steps:
Convert the major and minor version from hexadecimal to decimal. In the following example, the version is 2556.0.
"dwContentMajorVersion"=dword:000009fc (000009fc is 2556 in decimal) "dwContentMinorVersion"=dword:00000000 (00000000 is 0 in decimal)
The following date and time registry keys are also present. In the following example, the AMCore content was built on March 22, 2017 at 08:44:00 GMT.
"szContentCreationDate"=reg_sz:"2017-03-22" (formatted date yyyy-mm-dd) "szContentCreationTime"=reg_sz:"08:44:00" (formatted time hh:mm:ss)
From the file system (if managed by ePolicy Orchestrator):
Locate the value of AvManifestVersion in the file C:\Program Files\McAfee\Endpoint Security\Threat Prevention\AvContentMgr.xml.
In the following example, the version is 2591.0: 2591.0
What does the trailing number in a DAT version mean?
The trailing number indicates whether it’s a Production, Pre-production, or Beta V3 DAT package.
xxxx.0 (Example: 3158.0) - Indicates a Production V3 DAT package
xxxx.1 (Example: 3158.1) - Indicates a Pre-production V3 DAT package
xxxx.3 (Example: 3158.3) - Indicates a Beta V3 DAT package
How do I downgrade or roll back DAT content?
Use one of the following options to install the wanted version:
Use ePolicy Orchestrator and run a DAT update task on the client.
Run the V3 DAT content file manually on the client.
How is AMCore content compliance determined?
The criteria for "compliant" can't be changed. The AMCore content compliance is based on the age of the AMCore DAT.
If the DAT is less than seven days old, it’s considered compliant.
If the DAT is greater than or equal to seven days old, it’s noncompliant.
NOTE:The DAT age isn’t related to when the system updated, but when the DAT was released.
Does the option "DAT Version compliance for VirusScan Enterprise was within X versions of Repository DAT" exist in Endpoint Security?
No. Endpoint Security determines compliance based on the age of the DAT, not the DAT version.
Why is the V3 DAT still a 100 MB+ file when I was told the new DATs are much smaller?
The smaller size of DAT is the comparison of the AVV versus the MED (medium) DATs. These DATs offer equivalent functionality between VirusScan Enterprise and Endpoint Security.
For ENS:
The MED DATs are found in the following location (note that the versioned folder changes):
The combined size of medscan.dat, mednames.dat, and medclean.dat is 62.7 MB.
For VSE:
The AVV DATs are found in the following location:
C:\Program Files (x86)\Common Files\McAfee\Engine
The combined size of avvscan.dat, avvnames.dat, and avvclean.dat is 143 MB, which is a reduction in size of 56%.
What is the "McAfee DAT Built in test" task?
The McAfee DAT Built in test performs some basic checks on the health of the system. It’s tied to the DAT update as the trigger for when it starts. It runs seven times at random intervals between AMCore updates. The task isn’t configurable. It runs only if the following options are enabled in the Endpoint Security Threat Prevention, Options policy, Proactive Data Analysis section:
Safety pulse
McAfee GTI feedback
AMCore Content Reputation
If the task doesn’t succeed, verify that the system has network connectivity and run the task manually. The task runs mcdatrep.exe, a component that uses TrustedSource. So. HTTPS must be allowed and the system proxy properly configured for the task to succeed.
What do each of the Endpoint Security modules do?
There are three Endpoint Security modules:
Firewall - Monitors and intercepts suspicious communication between the computer and resources on the network and the internet.
Threat Prevention - Checks for viruses, spyware, unwanted programs, and other threats by scanning items both automatically when users access them (on-access) or on-demand at any time.
Web Control - Displays safety ratings and reports for websites during online browsing and searching. Web Control enables the site administrator to block access to websites based on safety rating or content.
What difference in IPS coverage is there between Endpoint Security and Host Intrusion Prevention?
For a list of all Endpoint Security Exploit Prevention and Host Intrusion Prevention signatures and their current supported directives, see: KB51504 - REGISTERED - Signature Directive support.
NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted. What does "Let McAfee Decide" mean when scanning files?
You can specify when the on-access scanner (OAS) scans files, such as when writing to disk or when reading from disk. Or, you can let McAfee Enterprise decide when to scan. When you select Let McAfee Decide, the on-access scanner uses trust logic to optimize scanning. Trust logic improves security and boosts performance by avoiding unnecessary scans. For more information, see the Understanding the Endpoint Security 10 Threat Prevention Module white paper.
Can Endpoint Security detect a virus that is encrypted by an encrypted file system (EFS)?
Yes, if the user who owns the EFS folder accesses the file when the scan runs. Endpoint Security can use their access token. Otherwise, Endpoint Security can't scan inside encrypted files or packages, and neither can any antivirus scanner. The Endpoint Security logs show the following when an EFS is encountered: Not scanned (The file is encrypted). Detection takes place only when the file has been decrypted or opened.
How does the Endpoint Security on-access scanner (OAS) handle Client-side Caching interactions? Is the file local or remote?
Microsoft Offline Files/folders technology, or Client-side Caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device isn’t connected to the network. This function is called client-side caching because Windows creates a local copy of the file in a protected folder. It is from this local copy that the device reads and modifies the file's content as needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.
The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the user or programs accessing the file use the same remote location. It’s Windows that handles the needed redirection that provides access to the cached, local copy.
Because the file is always considered remote, for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the on-demand scanner (ODS) to scan the offline files, it must be provided the original (remote) location.
Why does the Endpoint Security Help file open in a browser that isn’t my default browser?
Endpoint Security starts the application associated with the .html extension. If the default browser isn’t associated with the .html extension, a different browser opens. For more information, see: KB86558 - Help file displays in a non-default browser.
Why does McShield.exe use high CPU?
McShield.exe is the user mode scanner that analyzes files to determine whether they’re clean or malware. It must use CPU cycles to accomplish its work.
Why is McShield.exe using high CPU continually?
McShield.exe is also the hosting scanner to perform the needed work for on-demand scan tasks. If you have a scheduled on-demand scan task running, you see McShield.exe use CPU cycles to carry out the requested scans. In ENS 10.7, there’s an option to limit the CPU usage during an on-demand scan task.
Where is EmailScan? Why doesn't Endpoint Security include an email scanner like VirusScan Enterprise?
Currently there’s no plug-in for either Outlook or Lotus mail clients. This feature isn’t included because the functionality of EmailScan is largely redundant or overlapping with the real-time scanning. If there’s a specific use case wanted for this feature, contact your Support Account Manager and relay your user story to Product Management.
Endpoint Security reports the error "Clean error as no cleaner was available, and delete pending" for a detected threat file. What does this error mean?
This error typically means that the file wasn’t cleanable and should be deleted. Deleting files can return inconsistent results because of the transient nature of files. The product might indicate that a delete action is pending when the file was already deleted (by the operating system) before the product could perform the delete action.
What does the value "Duration Before Detection" shown in the "Endpoint Security: Threat Behavior" ePolicy Orchestrator dashboard mean?
This value is the time between the file creation date (when it was written to the disk) and the detection time.
How does the integration with Windows Antimalware Scan Interface (AMSI) work?
AMSI is a generic interface standard that Microsoft provides. AMSI is supported on Windows 10, Windows Server 2016, and Windows Server 2019 systems. AMSI allows applications and services to integrate with ENS Threat Prevention, providing better protection against malware. Integrating with AMSI provides enhanced scanning for threats in non-browser-based scripts, such as PowerShell, JavaScript, and VBScript.
How do I enable debug logging in Endpoint Security?
Enable debug logging for each Endpoint Security module through the Endpoint Security Common policy. Make sure that you enforce the policy on the client before trying to reproduce the issue. To enforce the policy, either perform an agent wake-up call to the system from the ePolicy Orchestrator console or click Collect and Send Props from the client McAfee Agent Status Monitor. Debug log files are stored at %ProgramData%\McAfee\Endpoint Security\Log or C:\Documents and Settings\All Users\Application Data\McAfee\Endpoint Security\Logs depending on the operating system. For instructions, see: KB91797 - Enable debug logging to troubleshoot Endpoint Security issues.
How do I enable detailed logging for McAfee Agent?
Detailed logging in McAfee Agent helps to troubleshoot issues with updating, installing, and upgrading. Enable detailed logging for McAfee Agent through the McAfee Agent General policy. Click the Logging tab, and select Enable detail logging. Increase the Log file size limit (MB) to 20 and Roll over count to 2. For instructions, see: KB82170 - How to enable debug logging for McAfee Agent to troubleshoot Windows.
Why are events not reporting in the ePolicy Orchestrator dashboards?
Managed product events have a severity level. By default, Endpoint Security modules log only Critical and Major events. If an event has a severity of Informational, it isn’t logged. To log all events, edit the Endpoint Security Common policy and change the Event Logging Severity Level to All.
How do I prevent users from disabling the Web Control extension from a browser?
The self-protection policy in the Endpoint Security Common Policy prevents end users from disabling the Web Control toolbar and Web Control Browser Helper Object (BHO) in Internet Explorer. Self-protection doesn’t prevent users from disabling the Web Control extension in Chrome or Firefox.
If a user disables the Web Control extension in Firefox, Web Control will be enabled in future browse sessions after a Firefox restart. You can't prevent a user from disabling Web Control in Firefox.
If a user deletes the Web Control extension in Chrome, Web Control will no longer appear in Chrome even after a reinstall of Endpoint Security. You must either delete the Chrome user profile or reinstall Chrome. To prevent users from deleting the Web Control extension in Chrome, see: KB87568 - Web Control browser extension must be enabled by the user. This article contains information about force-enabling the Web Control extension through Active Directory group policy.
Can I have the SiteAdvisor Enterprise and Web Control extensions force enabled in Chrome at the same time?
No. You need to remove the SiteAdvisor Enterprise (SAE) APPID from the Chrome Group Policy template. Having the SAE extension force installed with the Web Control extension causes issues with the navigation from the enforcement messages. Don’t force install both the SAE and Web Control extensions into Chrome.
How does Web Control determine whether a site has a private/internal IP address?
Web Control doesn’t act on private or internal IP addresses. Private and internal sites on a prohibit list aren’t blocked. Web Control determines that a site has a private or internal IP address if it’s part of the following IP address ranges:
Default IPv4 private IP address ranges: 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
localhost or 127.0.0.1
Default IPv6 private IP address range:
Site-local and Link-local addresses that start with FEC, FED, FEE, FEF or FE8, FE9, FEA, FEB
Why does the version of Web Control in Chrome report differently than the version of Web Control in the Endpoint Security console?
The Endpoint Security console reports the current version of Web Control installed. Chrome reports the version of the Web Control extension hosted in the Google Play Store. As new versions of Web Control are released, the Web Control extension in the Google Play Store might not get updated. Chrome can report a different version for the Web Control extension than the version shown in the Endpoint Security About box or in ePolicy Orchestrator product properties. Chrome uses the locally installed Web Control extension.
What causes no annotations to show in search results when I perform the search witha supported search engine?
Web Control uses scripts to annotate search results with ratings. If a search engine changes the webpage it uses to present the search engine results, Web Control might not annotate the page. For more information, see: KB87640 - Web Control search annotation ratings aren’t displayed in the search engine results.
Why is a site on the Web Control allow list still appearing in email annotations as a red rated URL?
Web Control email annotations are based only on the Global Threat Intelligence (GTI) rating. The local allow policy doesn’t override the GTI rating for the email annotation.
Why is the Web Control browser balloon orange or displays "Error retrieving Web Control information"?
If the Web Control service can't communicate with the Global Threat Intelligence (GTI) servers, the browser balloon is orange. For troubleshooting steps, see: KB87930 - Endpoint Security Web Control status balloon is orange.
Why don't the ePolicy Orchestrator reports list a URL for green rated sites?
Web Control doesn’t track green rated URLs in reports sent to ePolicy Orchestrator for user privacy. Web Control sends a total green rated site count for unique categories in events sent to ePolicy Orchestrator. See the "How Web Control works with Web Reporter" section of the Endpoint Security Web Control Product Guide for information about configuring Web Control to work with McAfee Web Reporter to see green rated URLs.
