Technical Articles ID:
KB86704
Last Modified: 3/25/2019
Rated:
Environment
McAfee Endpoint Security (ENS) Firewall 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x
Summary
This article is a consolidated list of common questions and answers and is intended for users who are new to the product, but can be of use to all users.
Recent updates to this article
Date
Update
March 25, 2019
Added the FAQ "What is the "McAfee DAT Built in test" task?" in the "AMCore Content" section.
February 22, 2019
Added the FAQ "Why does Endpoint Security reinstall Windows Defender during an upgrade?" in the "Installation, Upgrade, Migration, Removal" section.
December 13, 2018
Added the FAQ "After migrating the VirusScan Enterprise on-access scan policy to Endpoint Security using the Migration Assistant, why aren’t the on-access scan exclusions enforced?" in the "Installation, Upgrade, Migration, Removal" section.
August 1, 2018
Updated the FAQs "What do I do if uninstalling Endpoint Security fails" to reference the McAfee Endpoint Product Removal tool, in the "Installation, Upgrade, Migration, Removal" section.
July 9, 2018
Added the FAQ "Why are there ePolicy Orchestrator Server Task entries when editing Endpoint Security policies?" in the Configuration section.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents
Click to expand the section you want to view:
Where can I find known issues with Endpoint Security?
For a list of known issues of high or medium rating that are outstanding with a given release, see KB82450 - Endpoint Security 10.x Known Issues. For a dynamic list of articles that describe known issues, click the relevant link below for your product:
Endpoint Security Firewall known issues - Click here.
Endpoint Security Threat Prevention known issues - Click here.
Endpoint Security Web Control known issues - Click here.
Where can I find Endpoint Security product documentation?
All Endpoint Security product documentation is available on the ServicePortal.
Click here for a dynamic list of Endpoint Security Release Notes.
Click here for a dynamic list of Endpoint Security Installation Guides.
Click here for a dynamic list of Endpoint Security Product Guides.
Select an Endpoint Security product (for example, Endpoint Security Threat Prevention) from the Product list.
Click Search.
Select Knowledge Base and then Product Documentation.
Where can I find product documentation issues with Endpoint Security?
Documentation Correction articles provide corrections to posted Endpoint Security product documents. Documentation issues included in these articles will be corrected in a future version of the product document. Click here for a dynamic list of Endpoint Security Documentation Correction articles.
Where can I find an explanation of Endpoint Security event messages?
Endpoint Security event messaging uses Natural Language Strings (NLS). Some events might require further explanation than what can be contained in the small string of text found in an event. For a detailed explanation of event messages, see KB85494.
Why am I not seeing events from client systems in ePolicy Orchestrator?
The ePolicy Orchestrator database user is corrupted. To resolve the issue, reset the ePolicy Orchestrator database user using the instructions in KB86071.
How can I check the status of the ENS service and other McAfee services on a system?
Use the executable C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe to check the status of services as follows. This executable can be useful if you are using a third-party monitoring tool to track the status of the ENS service, or to get a report on how many systems have ENS running.
NOTE: To check the status of all McAfee services, run the command: C:\WINDOWS\system32>"C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe" -enum
Why does the Help feature in the ePolicy Orchestrator console open a web browser page to https://docs.mcafee.com, instead of a contextual page of product information?
This behavior is the result of a feature change starting in ENS 10.6.0 and is the functionality going forward. When you use the Help feature (when you click the "?" question mark) inside the ePolicy Orchestrator console, it now opens the McAfee Documentation Portal (https://docs.mcafee.com), where a search can be performed.
Can Endpoint Security coexist with the legacy McAfee products SiteAdvisor Enterprise and VirusScan Enterprise?
No. The Endpoint Security installer removes both SiteAdvisor Enterprise and VirusScan Enterprise no matter which Endpoint Security module is selected to install. For more information, see KB86504.
Can I install two different anti-virus products on a single system?
No. Having two on-access scanners can lead to several problems. The most common is a performance issue because two on-access scanners scan the same file.
What are the supported platforms, environments, and operating systems for Endpoint Security?
For a list of supported client and server operating systems, virtual infrastructure, email clients, hardware requirements, and Internet browsers, see KB82761.
Is Microsoft Windows XP or Windows Server 2003 supported?
No. Neither is Windows 2009 Point Of Service Embedded because it is an XP-based operating system.
What SQL version must I use for my ePolicy Orchestrator server?
To install the Endpoint Security Migration Extension on the ePolicy Orchestrator server, you must change the Compatibility Level of the current database to SQL 2008. For more information, see KB86470.
Why do I have compatibility issues with third-party software applications that "hook" McAfee processes, or attempt to, by loading their own code (a DLL) into the McAfee process?
McAfee products include self-protection mechanisms to prevent tampering with McAfee files, folders, processes, registry entries, and executables. Self-protection mechanisms are needed to provide and maintain a high level of security and trust in the software, especially to secure against malware attacks. For more information, see KB83123.
Why is Endpoint Security blocking System Information Reporter (SIR) from restoring registry keys?
SIR registry restore fails under Endpoint Security-protected registries because an Endpoint Security Self Protection Rule is blocking it. To resolve this issue, do one of the following:
Connect to AAC and add the exceptional allow rule for regedit.
Do not use regedit and update your application to directly make the registry changes.
What are the managed Endpoint Security installation options?
There are two management options: ePolicy Orchestrator (ePO) and ePO Cloud. The primary differences in managing the two environments are:
ePO - Administrators install product components on the management server, then they typically configure feature settings (policies) and deploy the client software to multiple managed systems using deployment tasks.
ePO Cloud - McAfee or another service provider sets up each ePO Cloud account on an offsite management server and notifies the local administrator when products are ready to install on managed systems. Local administrators then typically create and send an installation URL to users for installation on local systems.
What is the latest evaluation package for Endpoint Security?
A full install evaluation package is built and posted with each update release of Endpoint Security. But, if you are using an ENS evaluation and want to update ENS, you must uninstall the current evaluation package and then install the updated evaluation package.
How do I migrate legacy McAfee products to Endpoint Security?
Use the Endpoint Migration Assistant to migrate VirusScan Enterprise 8.8, Host Intrusion Prevention Firewall 8.0, and SiteAdvisor Enterprise 3.5 settings and assignments to Endpoint Security. For instructions, see the Endpoint Security Migration Guide.
After migrating the VirusScan Enterprise on-access scan policy to Endpoint Security using the Migration Assistant, why aren’t the on-access scan exclusions enforced?
This issue occurs when the VirusScan Enterprise on-access scan policy contains invalid exclusion data or exclusion patterns that Endpoint Security does not support. The Migration Assistant does not change the exclusion patterns during the migration. For a list of exclusion patterns that Endpoint Security supports, see the Endpoint Security Migration Guide.
For example, the exclusion "%systemroot%system32inetsrv" is invalid because there is no '\' between the environment variable and next file/folder data. The correct exclusion would be "%systemroot%\system32inetsrv".
If you have this issue, the Endpoint Security Platform error log shows an error similar to the following:
08/14/2017 09:35:31.225 AM mfetp(1924.2840) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5315): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_LOW, Error code: 0xA7F40511
Does the Endpoint Migration Assistant migrate rules that are assigned based on tags?
No. The Endpoint Migration Assistant does not merge and replace policies that are assigned using tagging rules.
How do I deploy Endpoint Security modules using ePO?
First check the Endpoint Security module packages into the ePO server. From the ePO Software Manager, there is a bundle package that checks the module installation packages, Help files, and module extensions into the ePO Master Repository. (Module installation packages include the Security Platform module, Firewall module, Threat Prevention module, and Web Protection module.) From the Product Downloads site (http://www.mcafee.com/us/downloads/downloads.aspx), download each package separately and check it into the ePO Master Repository.
Next, create a deployment task. Deployment tasks of the Firewall module, Threat Prevention module, or Web Protection module check the version of Security Platform. The module installer automatically updates the Security Platform version first before installing Firewall, Threat Prevention, or Web Protection.
The Adaptive Threat Protection module checks in separate from the other Endpoint Security modules. When installing the Adaptive Threat Protection module, the version of Endpoint Security Threat Prevention must be the same. For example, you cannot install Adaptive Threat Protection 10.5.4 on a system running Endpoint Security Threat Prevention 10.5.3. Do not include the Adaptive Threat Protection module when you deploy the other Endpoint Security modules. The ePO deployment task might run the Adaptive Threat Protection module installation before the Threat Prevention module installation, so it is recommended that you have a separate deployment task for the Adaptive Threat Protection module.
How do I deploy Endpoint Security using third-party deployment solutions?
The third-party solution must meet these requirements:
Ensure that all installation files are available/accessible.
Run the executable installer (SetupEP.exe), and not the MSI files.
Run with SYSTEM or Administrator privilege.
Use the Endpoint Security standalone package for the installation source files.
NOTE: You can customize this package using the Package Designer (available in Endpoint Security 10.2.0 and later).
Will Endpoint Security upgrade my older McAfee Agent version?
It depends on whether McAfee Agent is managed:
When the McAfee Agent is managed by ePolicy Orchestrator, an installation of Endpoint Security does not modify the agent. It is not permitted to do so automatically when the agent is in managed mode.
When the McAfee Agent is unmanaged (standalone), the SetupEP.exe installer upgrades the agent to the version included with the Endpoint Security package.
How do I install Endpoint Security for users who do not have Administrator rights?
Create an installation URL and send it to end users to install Endpoint Security on their systems. For instructions, see the Endpoint Security Installation Guide.
Can I use Sysprep to include Endpoint Security in a base image?
Yes. Sysprep is a supported installation method with Endpoint Security 10.5 (and later) and Endpoint Security 10.2.1 (and later).
What are the most common Endpoint Security installations issues?
The following articles describe the most common installation issues:
KB86087 - System freezes during the installation of Endpoint Security Epsetup
KB85033 - Endpoint Security install fails if there are issues with temp folder access
KB86087 - System freezes during the installation of Endpoint Security Epsetup
KB86580 - The Windows Installer Service could not be accessed (Endpoint Security install fails with log error)
Can I install Endpoint Security to a custom drive letter or location?
Yes.
Why are policies not being enforced after an ePolicy Orchestrator server or VirusScan Enterprise extension upgrade?
The cause is unknown. For McAfee to investigate this issue, we require a copy of your ePolicy Orchestrator database before the upgrade. The workaround is to identify the corrupt policy, delete it, and then re-create the policy. For more information, see KB81867.
What processes does Endpoint Security install?
See KB87791 for a list of the processes (Windows Services and processes running as a service or as User) that Endpoint Security installs.
Can I invoke an Endpoint Security update from the command line?
Not now. This request is being reviewed for a future release of Endpoint Security.
What do I do if uninstalling Endpoint Security fails from "Programs and Features" or "Apps & features" (depending on your version of Windows)?
To obtain the McAfee Endpoint Product Removal tool, contact Technical Support. Ensure that you complete the following items before contacting Technical Support:
Collect Minimum Escalation Requirement (MER) data using the MER tool: https://mer.mcafee.com.
Collect Process Monitor data capturing an attempt to uninstall Endpoint Security (or install Endpoint Security, if the install failed and did not remove Endpoint Security).
Collect a Virtual Machine capturing the state of the system. This data is often the most beneficial data point in solving uninstall failure issues.
How do I uninstall Endpoint Security from client systems that are managed by ePolicy Orchestrator Cloud?
Use the instructions in KB85135 to uninstall Endpoint Security if the client system is managed by ePolicy Orchestrator Cloud.
How do I remove the Endpoint Security Common extension from ePolicy Orchestrator?
The Common extension cannot be removed if any other Endpoint Security module extensions are checked in. Remove all Endpoint Security module extensions first, before trying to remove the Endpoint Security Common extension.
Why does Endpoint Security reinstall Windows Defender during an upgrade?
To ensure continued protection, Endpoint Security reinstalls Windows Defender if it is not present on the system and if Endpoint Security is uninstalled. When you perform a major upgrade of Endpoint Security, for example, from 10.5.x to 10.6.x, Endpoint Security uninstalls 10.5.x and then installs 10.6.x. The uninstall of Endpoint Security triggers the action to reinstall Windows Defender if it is not present on the system. During the Endpoint Security install, Windows Defender is disabled, but not uninstalled. If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of Endpoint Security.
How do I improve performance with Endpoint Security?
For information about improving performance after installing Endpoint Security, see KB88205. This article is updated as information is gathered about performance issues, so check the article first for assistance if you experience symptoms of poor performance.
How do I configure Access Protection rules to block malware?
For a list of suggested Access Protection rules to implement, see PD25203 - Combating Ransomware.
How do I create an Access Protection rule for a file or folder in systems?
User-defined Access protection rules prevent modification of files or folders in systems. For instructions to create and apply a user-defined Access Protection rule, see KB86577.
Can I use variables when creating Access Protection rules?
McAfee does not recommend using variables because it can have unexpected outcomes. The best practice is to use wild cards. For example, C:\Users\%username%\SubFolder can be represented as C:\Users\*\SubFolder.
Why are Access Protection events (that are confirmed to be occurring on the client system and are getting logged locally) not visible in ePolicy Orchestrator after sending client events?
See KB87149. The default configuration for Endpoint Security excludes those events from being created; the agent might also be suppressing the events.
How can I access the console or remove Endpoint Security if I forgot the password?
The default password is mcafee. If you changed the password and have forgotten the new password, contact Technical Support for instructions to remove the password. Ensure that you complete the following items before contacting Technical Support:
Collect Minimum Escalation Requirement (MER) data using the MER tool: https://mer.mcafee.com.
Obtain administrator rights and physical access to the affected system.
Why do On-Demand Scan (ODS) tasks I created not update in Endpoint Security Threat Prevention Product Properties on the ePolicy Orchestrator "System Details" page?
The Date of Last Full Scan and the Date of Last Quick Scan are updated only by the default policy-defined ODS tasks. The functionality is working as intended, see KB86677.
Can I perform an On-Demand Scan manually from the command line?
Not now. This request is being reviewed for a future release of Endpoint Security.
How can I remove the Pause scan message in Endpoint Security?
Disable the scan on idle feature. For more information, see KB84208.
How do I remove the default "Quick Scan" and "Full Scan" On-Demand Scan tasks?
This question is a concern for customers who have created a group and accepted the default settings for On-Demand Scan tasks because the task assignments cannot be edited or deleted. The simplest solution is to create a new group in the ePolicy Orchestrator System Tree and move systems into that group. Do not enable the On-Demand Scan tasks for the new group.
Why are there ePolicy Orchestrator Server Task entries when editing Endpoint Security policies?
When editing Endpoint Security policies on an ePolicy Orchestrator 5.9 (or later) server, an ePolicy Orchestrator Server Task log entry named "Policy <policy name> was saved. Comment: <policy comment>" is created. This entry describes what policy changes were made, at what date and time the change was made, by what ePolicy Orchestrator user name, and so on. This feature change was introduced with ePolicy Orchestrator 5.9.
NOTE: When you duplicate McAfee default (uneditable) policies, the first policy change made to the duplicate policy logs several policy detail changes. But for any subsequent policy change, the Server Task entry should log only the specific policy changes made during each saved policy change.
How can I import settings (for example, firewall settings) at installation time?
Use one of the following options:
Endpoint Security 10.2.0 and later includes a Package Designer utility that allows customizing policies that can be included with the installation package.
Endpoint Security includes a utility named EsConfigTool.exe that allows you to export and import policies. The ESConfigTool.exe utility is located in the Endpoint Security Platform folder (by default, C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform). Deploy Endpoint Security to at least one client system, configure settings as wanted, and then export the settings using ESConfigTool.exe. NOTES:
Do not use the plain text option when exporting if you intend to import the settings.
Do not specify an extension for the file.
Execute the utility with no parameters to display help and options.
You can import the file generated from ESConfigTool.exe using the command: setupEP.exe /import
How do content files work?
When the scan engine scans files for threats, it compares the contents of the scanned files to known threat information stored in the AMCore content files. Exploit Prevention uses its own content files to protect against exploits.
Why is EICAR not being detected? Why is my content version 0.5?
This issue occurs when AMCore content has not yet been updated after installing the product. To resolve this issue, update the content.
How often does McAfee release new Threat Prevention content files?
McAfee releases new Exploit Prevention content files as needed. The Endpoint Security Product Guide incorrectly states that Exploit Prevention content files are released once a month. This documentation error is described in KB86631 and will be corrected in a future version of the product guide.
Which content does Endpoint Security need?
Endpoint Security Threat Prevention uses "Endpoint Security Exploit Prevention Content" and "AMCore Content Package".
Where can I get AMCore DAT files? How do I update AMCore content manually?
Installing this package replaces existing AMCore content.
You must run the .exe content installer as an Administrator.
Additional frequently asked questions regarding AMCore content are answered in KB82396.
Can I update the AMCore content from the command line on a client system?
Yes. To update the AMCore content, run the following command on the client system: "C:\Program Files\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" /update
Why does Endpoint Security update the engine version automatically? I am not able to electively download the engine.
The concept of engine updates has changed with AMCore technology; they are no longer separate packages from content. When AMCore content requires an update to any one of its engines used during scanning, the engine update is included in the V3 content update releases. Downgrading AMCore content would also downgrade an engine if not part of that older content.
How can I determine the Exploit Prevention content version and date from the registry or file system?
The Exploit Prevention content date is not stored in the registry. The date is the last modified date of the content.bin file found in the directory C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS.
To determine the Exploit Prevention content version from the registry:
To get the Exploit Prevention content version, take the ContentVersion value and replace the value before the first period with the ContentMajorVersion, and the value after the first period with the ContentMinorVersion. For example, if the ContentVersion is 8.0.0.8137, the ContentMajorVersion is 10, and the ContentMinorVersion is 5, the Exploit Prevention content version is 10.5.0.8137.
Is there a way to determine the AMCore content version from the registry or file system?
Yes. Perform the following steps:
Convert the major and minor version from hexadecimal to decimal. In the following example, the version is 2556.0.
"dwContentMajorVersion"=dword:000009fc (000009fc is 2556 in decimal)
"dwContentMinorVersion"=dword:00000000 (00000000 is 0 in decimal)
With ENS 10.5.0 (and later) and ENS 10.2.1 (and later), the following date and time registry keys are also present. In the following example, the AMCore content was built on March 22, 2017 at 08:44:00 GMT.
"szContentCreationDate"=reg_sz:"2017-03-22" (formatted date yyyy-mm-dd)
"szContentCreationTime"=reg_sz:"08:44:00" (formatted time hh:mm:ss)
From the file system (if managed by ePolicy Orchestrator):
Locate the value of AvManifestVersion in the file C:\Program Files\McAfee\Endpoint Security\Threat Prevention\AvContentMgr.xml.
In the following example, the version is 2591.0: 2591.0
What does the trailing number in a DAT version mean?
The trailing number indicates whether it is a Production, Pre-production, or Beta V3 DAT package.
xxxx.0 (Example: 3158.0) - Indicates a Production V3 DAT package
xxxx.1 (Example: 3158.1) - Indicates a Pre-production V3 DAT package
xxxx.3 (Example: 3158.3) - Indicates a Beta V3 DAT package
For a comparison of the V3 DAT package types, see KB89778.
How do I downgrade or roll back DAT content?
Use one of the following options to install the wanted version:
Use ePolicy Orchestrator and run a DAT update task on the client.
Run the V3 DAT content file manually on the client.
How is AMCore content compliance determined?
The criteria for "compliant" cannot be changed. The AMCore content compliance is based on the age of the AMCore DAT.
If the DAT is less than seven days old, it is considered compliant.
If the DAT is greater than or equal to seven days old, it is noncompliant.
NOTE:The DAT age is not related to when the system updated, but when the DAT was released.
Does the option "DAT Version compliance for VirusScan Enterprise was within X versions of Repository DAT" exist in Endpoint Security?
No. Endpoint Security determines compliance based on the age of the DAT, not the DAT version.
How can I determine the size of AMCore content update files?
You can view the AMCore content update files at this location: http://update.nai.com/products/commonupdater/current/amcordat2000/dat/0000/. The date/time stamp of the files is always the current date, but a *.gem incremental update file is released each day and 30 days worth of incremental updates are stored there.
Why is the V3 DAT still a 100 MB+ file when I was told the new DATs are much smaller?
The smaller size of DAT refers to the comparison of the AVV versus the MED (medium) DATs. These offer equivalent functionality between VirusScan Enterprise and Endpoint Security.
For ENS:
The MED DATs are found in the following location (note that the versioned folder will change):
The combined size of medscan.dat, mednames.dat, and medclean.dat is 62.7 MB.
For VSE:
The AVV DATs are found in the following location:
C:\Program Files (x86)\Common Files\McAfee\Engine
The combined size of avvscan.dat, avvnames.dat, and avvclean.dat is 143 MB, which is a reduction in size of 56%.
What is the "McAfee DAT Built in test" task?
The McAfee DAT Built in test performs some basic checks on the health of the system and is tied to the DAT update as the trigger for when it starts. It runs seven times at random intervals between AMCore updates. The task is not configurable, and runs only if the following options are enabled in the Endpoint Security Threat Prevention, Options policy, Proactive Data Analysis section:
Safety pulse
McAfee GTI feedback
AMCore Content Reputation
If the task does not succeed, verify that the system has network connectivity and run the task manually. The task runs mcdatrep.exe, a component that uses TrustedSource, thus HTTPS must be allowed and the system proxy properly configured for the task to succeed.
What do each of the Endpoint Security modules do?
There are three Endpoint Security modules:
Firewall - Monitors and intercepts suspicious communication between the computer and resources on the network and the Internet.
Threat Prevention - Checks for viruses, spyware, unwanted programs, and other threats by scanning items both automatically when users access them (on-access) or on-demand at any time.
Web Control - Displays safety ratings and reports for websites during online browsing and searching. Web Control enables the site administrator to block access to websites based on safety rating or content.
What difference in IPS coverage is there between Endpoint Security and Host Intrusion Prevention?
For a list of all Endpoint Security Exploit Prevention and Host Intrusion Prevention signatures and their current supported directives, see KB51504.
The referenced article is available only to registered ServicePortal users.
Type the article ID in the search field on the home page.
Click Search or press Enter.
What does "Let McAfee Decide" mean when scanning files?
You can specify when the On-Access Scanner (OAS) scans files, such as when writing to disk or when reading from disk, or, you can let McAfee decide when to scan. When you select Let McAfee Decide, the On-Access Scanner uses trust logic to optimize scanning. Trust logic improves security and boosts performance by avoiding unnecessary scans. For more information, see the "Understanding the McAfee Endpoint Security 10 Threat Prevention Module" white paper at https://www.mcafee.com/us/resources/white-papers/restricted/wp-understanding-ep-security-10-module.pdf.
How does the Endpoint Security On-Access Scanner (OAS) handle Client-side Caching interactions? Is the file local or remote?
Microsoft Offline Files/folders technology, or Client-side Caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device is not connected to the network. This function is called client-side caching because Windows creates a local copy of the file in a protected folder. It is from this local copy that the device reads and modifies the file's content as needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.
The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the user or programs accessing the file use the same remote location. It is Windows that handles the needed redirection that provides access to the cached, local copy.
Because the file is always considered remote, for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the On-Demand Scanner (ODS) to scan the offline files, it must be provided the original (remote) location.
Why does the Endpoint Security Help file open in a browser that is not my default browser?
Endpoint Security starts the application associated with the .html extension. If the default browser is not associated with the .html extension, a different browser opens. For more information, see KB86558.
Why does McShield.exe use high CPU?
McShield.exe is the user mode scanner that analyzes files to determine whether they are clean or malware. It must use CPU cycles to accomplish its work.
Why is McShield.exe using high CPU continually?
McShield.exe is also the hosting scanner to perform the needed work for On-Demand Scan tasks. If you have a scheduled On-Demand Scan task running, you see McShield.exe use CPU cycles to carry out the requested scans.
NOTE: On-Demand Scan tasks can be configured to run when idle, which means you see high CPU from McShield.exe when the product detects the system is idle for about 60 seconds, which starts the scan. Confirm that McShield.exe is doing work for an On-Demand Scan task by:
Returning to the system and engaging in activity - within 60 seconds the CPU usage drops to previous levels
Inspecting the On-Demand Scan activity log to see whether the task is resuming and pausing
Where is EmailScan? Why doesn't Endpoint Security include an email scanner like VirusScan Enterprise?
Currently there is no plug-in for either Outlook or Lotus mail clients. This feature is not included because the functionality of EmailScan is largely redundant or overlapping with the real-time scanning. If there is a specific use case wanted for this feature, contact your Support Account Manager and relay your user story to Product Management.
Endpoint Security reports the error "Clean error as no cleaner was available, and delete pending" for a detected threat file. What does this error mean?
This error typically means that the file was not cleanable and should be deleted. Deleting files can return inconsistent results because of the transient nature of files. The product might indicate that a delete action is pending when the file was already deleted (by the operating system) before the product could perform the delete action.
What does the value "Duration Before Detection" shown in the "Endpoint Security: Threat Behavior" ePO dashboard mean?
This value is the time between the file creation date (when it was written to the disk) and the detection time.
How do I enable debug logging in Endpoint Security?
Enable debug logging for each Endpoint Security module through the Endpoint Security Common policy. Ensure that you enforce the policy on the client before trying to reproduce the issue. To enforce the policy, either perform an agent wake-up call to the system from the ePolicy Orchestrator console or click Collect and Send Props from the client McAfee Agent Status Monitor. Debug log files are stored at %ProgramData%\McAfee\Endpoint Security\Log or C:\Documents and Settings\All Users\Application Data\McAfee\Endpoint Security\Logs depending on the operating system.
How do I enable detailed logging for McAfee Agent?
Detailed logging in McAfee Agent helps to troubleshoot issues with updating, installing, and upgrading. Enable detailed logging for McAfee Agent through the McAfee Agent General policy. Click the Logging tab, select Enable detail logging, and increase the Log file size limit (MB) to 20 and Roll over count to 2. For detailed instructions, see KB82170.
Why are events not reporting in the ePolicy Orchestrator dashboards?
Managed product events have a severity level. By default, Endpoint Security modules log only Critical and Major events. If an event has a severity of Informational, it is not logged. To log all events, edit the Endpoint Security Common policy and change the Event Logging Severity Level to All.
How do I prevent end users from disabling the Web Control extension from a browser?
The self-protection policy in the Endpoint Security Common Policy prevents end users from disabling the Web Control toolbar and Web Control Browser Helper Object (BHO) in Internet Explorer. Self-protection does not prevent end users from disabling the Web Control extension in Chrome or Firefox.
If a user disables the Web Control extension in Firefox, Web Control will be enabled in future browse sessions after a restart of Firefox. You cannot prevent an end user from disabling Web Control in Firefox.
If a user deletes the Web Control extension in Chrome, Web Control will no longer appear in Chrome even after a reinstall of Endpoint Security. You must either delete the Chrome user profile or reinstall Chrome. To prevent end users from deleting the Web Control extension in Chrome, see KB87568 for information about force-enabling the Web Control extension through Active Directory group policy.
Can I have the SiteAdvisor Enterprise and Web Control extensions force enabled in Chrome at the same time?
No. You need to remove the SiteAdvisor Enterprise (SAE) APPID from the Chrome Group Policy template. Having the SAE extension force installed with the Web Control extension causes issues with the navigation from the enforcement messages. Do not force install both the SAE and Web Control extensions into Chrome.
How does Web Control determine whether a site has a private/internal IP address?
Web Control does not act on private or internal IP addresses. Private and internal sites on a prohibit list are not blocked. Web Control determines that a site has a private or internal IP address if it is part of the following IP address ranges:
Default IPv4 private IP address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
localhost or 127.0.0.1
Default IPv6 private IP address range:
Site-local and Link-local addresses that start with FEC, FED, FEE, FEF or FE8, FE9, FEA, FEB
Why does the version of Web Control in Chrome report differently than the version of Web Control in the Endpoint Security console?
The Endpoint Security console reports the current version of Web Control installed. Chrome reports the version of the Web Control extension hosted in the Google Play Store. As new versions of Web Control are released, the Web Control extension in the Google Play Store might not get updated. Chrome can report a different version for the Web Control extension than the version shown in the Endpoint Security About box or in ePO product properties. Chrome uses the locally installed Web Control extension.
What causes no annotations to show in search results when I perform the search witha supported search engine?
Web Control uses scripts to annotate search results with ratings. If a search engine changes the webpage it uses to present the search engine results, Web Control might not be able to annotate the page. For more information, see KB87640.
For example, www.yahoo.tw does not currently display search annotations with Web Control for this reason.
Why is a site on the Web Control allow list still appearing in email annotations as a red rated URL?
Web Control email annotations are based only on the Global Threat Intelligence (GTI) rating. The local allow policy does not override the GTI rating for the email annotation.
Why does a page load in the browser before the enforcement occurs?
Web Control does an asynchronous lookup for the rating on the webpage. The browser content can load before Web Control gets a rating from the Global Threat Intelligence servers. See KB88057.
Why is the Web Control browser balloon orange or displays "Error retrieving Web Control information"?
If the Web Control service cannot communicate with the Global Threat Intelligence (GTI) servers, the browser balloon is orange. See KB87930 for troubleshooting steps.
