Knowledge Center

FAQs for Endpoint Security
Technical Articles ID:   KB86704
Last Modified:  11/18/2019


McAfee Endpoint Security (ENS) Firewall 10.x
McAfee ENS Threat Prevention 10.x
McAfee ENS Web Control 10.x


This article is a consolidated list of common questions and answers intended for users who are new to the product. But it can be of use to all users.

Recent updates to this article 
Date Update
November 18, 2019 Updated for ENS 10.7.
September 27, 2019 Added the FAQ "What is the mfeensppl service?" in the "General" section.
September 19, 2019 Updated the link for "Combatting Ransomware" in the "Configuration" section.
September 3, 2019 Added the FAQ "How do I configure Endpoint Security Firewall network traffic logging?" in the "Configuration" section.
March 25, 2019 Added the FAQ "What is the "McAfee DAT Built in test" task?" in the "AMCore Content" section.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

Click to expand the section you want to view:

Where can I find known issues with Endpoint Security?
For a list of known issues of high or medium rating that are outstanding with a given release, see KB82450 - Endpoint Security 10.x Known Issues, and KB88788 - Endpoint Security Adaptive Threat Protection 10.x Known Issues.
Where can I find Endpoint Security product documentation?
For McAfee product documents, go to the Enterprise Product Documentation portal at https://docs.mcafee.com.

Where can I find an explanation of Endpoint Security event messages?
Endpoint Security event messaging uses Natural Language Strings (NLS). Some events might require further explanation than what is provided in the small text string in an event. For a detailed explanation of event messages, see KB85494.

Why am I not seeing events from client systems in ePolicy Orchestrator?
To troubleshoot the issue, use the instructions in KB53035.

How can I check the status of the Endpoint Security service and other McAfee services on a system?
Use the executable C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe to check the status of services as follows. This executable can be useful if you are using a third-party monitoring tool to track the status of the Endpoint Security service. Or, to get a report on how many systems have Endpoint Security running.
  1. Open an administrator command prompt.
  2. Run the following command:

    C:\WINDOWS\system32>"C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe" -query mfecore

    Example output:

    SERVICE_NAME: mfecore

    NOTE: To check the status of all McAfee services, run the command: C:\WINDOWS\system32>"C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe" -enum
What is the mfeensppl service?
The mfeensppl service is a Protected Process Light (PPL) service. The service is used for the registration of mfetp with the Windows Security Center (WSC) service wscsvc. The mfeensppl.exe service stops and starts as it is needed. The mfeensppl.exe service is similar to the mfefire service, which also runs only when it is in use. The registration with WSC happens every time policies are enforced on the system and also when the system restarts. The registration with WSC is done through PPL in Windows 10 version 1809 (October 2018 Update) and later. When the mfeensppl.exe service runs, it checks whether the system is compatible with the Windows 10 version 1809 or later technology. The service then reacts accordingly. On systems not running Windows 10 version 1809 (and later), the mfeensppl.exe service is present. After determining that the operating system is not supported, mfeensppl.exe exits gracefully.

Why does the Help feature in the ePolicy Orchestrator console open a web browser page to https://docs.mcafee.com, instead of a contextual page of product information?
This behavior is the result of a feature change starting in Endpoint Security 10.6.0. When you use the Help feature by clicking the "?" question mark inside the ePolicy Orchestrator console, it now opens the McAfee Documentation Portal (https://docs.mcafee.com), where you can perform a search.
Back to Contents
Can Endpoint Security coexist with the legacy McAfee products SiteAdvisor Enterprise and VirusScan Enterprise?
No. The Endpoint Security installer removes both SiteAdvisor Enterprise and VirusScan Enterprise no matter which Endpoint Security module is selected to install. For more information, see KB86504.

Can I install two different antivirus products on a single system?
No. Having two on-access scanners can lead to several problems. The most common is a performance issue because two on-access scanners scan the same file. For more information, see KB89595.

What are the supported platforms, environments, and operating systems for Endpoint Security?
See KB82761 for a list of supported client and server operating systems, virtual infrastructure, email clients, hardware requirements, and internet browsers.

Is Microsoft Windows XP or Windows Server 2003 supported?
No. Neither is Windows 2009 Point Of Service Embedded because it is an XP-based operating system.

What SQL version must I use for my ePolicy Orchestrator server?
To install the Endpoint Security Migration Extension on the ePolicy Orchestrator server, you must change the Compatibility Level of the current database to SQL 2008. For more information, see KB86470.

Why do I have compatibility issues with third-party software applications that "hook" McAfee processes, or attempt to, by loading their own code (a DLL) into the McAfee process?
McAfee products include self-protection mechanisms to prevent tampering with McAfee files, folders, processes, registry entries, and executables. Self-protection mechanisms are needed to provide and maintain a high level of security and trust in the software, especially to secure against malware attacks. For more information, see KB83123.

Why is Endpoint Security blocking System Information Reporter (SIR) from restoring registry keys?
SIR registry restore fails under Endpoint Security-protected registries because an Endpoint Security Self Protection Rule is blocking it. To resolve this issue, do one of the following:
  • Connect to AAC and add the exceptional allow rule for regedit.
  • Do not use regedit and update your application to directly make the registry changes.
For more information, see KB86050.

Back to Contents
What are the managed Endpoint Security installation options?
There are two management options: ePolicy Orchestrator (ePO) and ePO Cloud. The primary differences in managing the two environments are:
  • ePolicy Orchestrator - Administrators install product components on the management server, then they typically configure feature settings (policies) and deploy the client software to multiple managed systems using deployment tasks.
  • ePO Cloud - McAfee or another service provider sets up each ePO Cloud account on an offsite management server. It then notifies the local administrator when products are ready to install on managed systems. Local administrators then typically create and send an installation URL to users for installation on local systems.
What is the latest evaluation package for Endpoint Security?
A full install evaluation package is built and posted with each update release of Endpoint Security. But, if you are using an Endpoint Security evaluation and want to update Endpoint Security, you must first uninstall the current evaluation package. You can then install the updated evaluation package.

How do I migrate legacy McAfee products to Endpoint Security?
Use the Endpoint Migration Assistant to migrate the following settings and assignments to Endpoint Security. For instructions, see the Endpoint Security Migration Guide:
  • VirusScan Enterprise 8.8
  • Host Intrusion Prevention Firewall 8.0
  • SiteAdvisor Enterprise 3.5
After migrating the VirusScan Enterprise on-access scan policy to Endpoint Security using the Migration Assistant, why aren’t the on-access scan exclusions enforced?
This issue occurs when the VirusScan Enterprise on-access scan policy contains invalid exclusion data or exclusion patterns that Endpoint Security does not support. The Migration Assistant does not change the exclusion patterns during the migration. For a list of exclusion patterns that Endpoint Security supports, see the Endpoint Security Migration Guide.
For example, the exclusion "%systemroot%system32inetsrv" is invalid because there is no '\' between the environment variable and next file/folder data. The correct exclusion would be "%systemroot%\system32inetsrv".
If you have this issue, the Endpoint Security Platform error log shows an error similar to the following:
08/14/2017 09:35:31.225 AM    mfetp(1924.2840) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5315): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_LOW, Error code: 0xA7F40511

Does the Endpoint Migration Assistant migrate rules that are assigned based on tags?
No. The Endpoint Migration Assistant does not merge and replace policies that are assigned using tagging rules.

How do I deploy Endpoint Security modules using ePolicy Orchestrator?
First, check the Endpoint Security module packages into the ePolicy Orchestrator server. From the ePolicy Orchestrator Software Manager, there is a bundle package. This package checks the module installation packages, Help files, and module extensions into the ePolicy Orchestrator Master Repository. Module installation packages include the Security Platform module, Firewall module, Threat Prevention module, and Web Protection module. From the Product Downloads site (http://www.mcafee.com/us/downloads/downloads.aspx), download each package separately and check it into the ePolicy Orchestrator Master Repository.

Next, create a deployment task. Deployment tasks of the Firewall module, Threat Prevention module, or Web Protection module check the version of Security Platform. The module installer automatically updates the Security Platform version first before installing Firewall, Threat Prevention, or Web Protection.

The Adaptive Threat Protection module checks in separate from the other Endpoint Security modules. When installing the Adaptive Threat Protection module, the version of Endpoint Security Threat Prevention must be the same. For example, you can't install Adaptive Threat Protection 10.6.1 on a system running Endpoint Security Threat Prevention 10.6.0. Do not include the Adaptive Threat Protection module when you deploy the other Endpoint Security modules. The ePolicy Orchestrator deployment task might run the Adaptive Threat Protection module installation before the Threat Prevention module installation. So, McAfee recommends that you have a separate deployment task for the Adaptive Threat Protection module.

How do I deploy Endpoint Security using third-party deployment solutions?
The third-party solution must meet these requirements:
  • Make sure that all installation files are available/accessible.
  • Run the executable installer (SetupEP.exe), and not the MSI files.
  • Run with SYSTEM or Administrator privilege.
  • Use the Endpoint Security standalone package for the installation source files.
    NOTE: You can customize this package using the Package Designer.
Will Endpoint Security upgrade my older McAfee Agent version?
It depends on whether McAfee Agent is managed:
  • When ePolicy Orchestrator manages the McAfee Agent, an installation of Endpoint Security does not modify the agent. It is not permitted to do so automatically when the agent is in managed mode.
  • When the McAfee Agent is unmanaged (standalone), the SetupEP.exe installer upgrades the agent to the version included with the Endpoint Security package.
How do I install Endpoint Security for users who do not have Administrator rights?
Create an installation URL and send it to users to install Endpoint Security on their systems. For instructions, see the Endpoint Security Installation Guide.

Can I use Sysprep to include Endpoint Security in a base image?
Yes. Sysprep is a supported installation method.

Can I install Endpoint Security to a custom drive letter or location?

What processes does Endpoint Security install?
See KB87791 for a list of the processes (Windows Services and processes running as a service or as User) that Endpoint Security installs.

What do I do if uninstalling Endpoint Security fails from "Programs and Features" or "Apps & features" (depending on your version of Windows)?
To obtain the McAfee Endpoint Product Removal tool, see KB90895.

How do I uninstall Endpoint Security from client systems that ePolicy Orchestrator Cloud manages?
Use the instructions in KB85135 to uninstall Endpoint Security if ePolicy Orchestrator Cloud manages the client system.

How do I remove the Endpoint Security Common extension from ePolicy Orchestrator?
The Common extension can't be removed if any other Endpoint Security module extensions are checked in. Remove all Endpoint Security module extensions first, before trying to remove the Endpoint Security Common extension.

Why does Endpoint Security reinstall Windows Defender during an upgrade?
To ensure continued protection, Endpoint Security reinstalls Windows Defender if it is not present on the system and if Endpoint Security is uninstalled. When you perform a major upgrade of Endpoint Security, for example, from 10.6.x to 10.7.x, Endpoint Security uninstalls 10.6.x and then installs 10.7.x. The uninstall of Endpoint Security triggers the action to reinstall Windows Defender if it is not present on the system. During the Endpoint Security install, Windows Defender is disabled, but not uninstalled. If you intentionally uninstalled Windows Defender and want it to remain uninstalled, you need to uninstall it after each major upgrade of Endpoint Security.

Back to Contents
How do I improve performance with Endpoint Security?
For information about improving performance after installing Endpoint Security, see KB88205. This article is updated as information is gathered about performance issues. Check the article first for assistance if you experience symptoms of poor performance.

How do I configure Access Protection rules to block malware?
For a list of suggested Access Protection rules to implement, see KB91934 - Combating Ransomware.

How do I create an Access Protection rule for a file or folder in systems?
User-defined Access protection rules prevent changes to files or folders in systems. For instructions to create and apply a user-defined Access Protection rule, see KB86577.

Can I use variables when creating Access Protection rules?
McAfee does not recommend using variables because it can have unexpected outcomes. The best practice is to use wild cards. For example, C:\Users\%username%\SubFolder can be represented as C:\Users\*\SubFolder.

Why are Access Protection events that are confirmed to be occurring on the client system and are getting logged locally, not visible in ePolicy Orchestrator after sending client events?
See KB87149. The default configuration for Endpoint Security excludes those events from being created. Or, the agent might also be suppressing the events.

How can I access the console or remove Endpoint Security if I forgot the password?
The default password is mcafee. If you changed the password and have forgotten the new password, contact Technical Support for instructions to remove the password. Make sure that you complete the following items before contacting Technical Support:
  • Collect Minimum Escalation Requirement (MER) data using the MER tool: https://mer.mcafee.com.
  • Obtain administrator rights and physical access to the affected system.
Why do on-demand scan (ODS) tasks I created not update in Endpoint Security Threat Prevention Product Properties on the ePolicy Orchestrator "System Details" page?
Only the default policy-defined ODS tasks update the Date of Last Full Scan and the Date of Last Quick Scan. The functionality is working as intended, see KB86677.

Why do I not see events in ePolicy Orchestrator for on-demand scan (ODS) tasks?
Ensure all relevant logging is enabled using KB87752. Be aware that only policy-defined ODS tasks create events, not custom ODS tasks (see KB86677).

How can I remove the Pause scan message in Endpoint Security?
Disable the scan on idle feature. For more information, see KB84208.

How do I remove the default "Quick Scan" and "Full Scan" on-demand scan tasks?
This question is a concern for customers who have created a group and accepted the default settings for on-demand scan tasks. The reason is because the task assignments can't be edited or deleted. The simplest solution is to create a group in the ePolicy Orchestrator System Tree and move systems into that group. Do not enable the on-demand scan tasks for the new group.

Why are there ePolicy Orchestrator Server Task entries when editing Endpoint Security policies?
When editing Endpoint Security policies on an ePolicy Orchestrator 5.9 (or later) server, an ePolicy Orchestrator Server Task log entry named "Policy <policy name> was saved. Comment: <policy comment>" is created. This entry describes what policy changes were made, at what date and time the change was made, by what ePolicy Orchestrator user name, and so on. This feature change was introduced with ePolicy Orchestrator 5.9. 

NOTE: When you duplicate McAfee default (uneditable) policies, the first policy change made to the duplicate policy logs several policy detail changes. But, for any subsequent policy change, the Server Task entry should log only the specific policy changes made during each saved policy change.

How can I import settings (for example, firewall settings) at installation time?
Use one of the following options:
  • Endpoint Security includes a Package Designer utility that allows customizing policies that can be included with the installation package.
  • Endpoint Security includes a utility named EsConfigTool.exe that allows you to export and import policies. The ESConfigTool.exe utility is located in the Endpoint Security Platform folder (by default, C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform). Deploy Endpoint Security to at least one client system, configure settings as wanted, and then export the settings using ESConfigTool.exe.
    NOTES: You can import the file generated from ESConfigTool.exe using the command: setupEP.exe /import
    • Do not use the plain text option when exporting if you intend to import the settings.
    • Do not specify an extension for the file.
    • Execute the utility with no parameters to display help and options.

How do I configure Endpoint Security Firewall network traffic logging?
Within the Endpoint Security Firewall Options policy, enable the Log all allowed or Log all blocked options. Endpoint Security Firewall will log blocked and allowed network traffic to the \ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file. If you want to generate ePolicy Orchestrator events for allowed or blocked network traffic, enable the Log matching traffic option in a specific firewall rule. Be aware that generic, high event generation rules can cause performance issues. See KB90177 for more information.

NOTE: Endpoint Security Firewall log functionality does not allow for only specific firewall rules to be logged to the FirewallEventMonitor.log file. 
If you require a change to product functionality, submit a new product idea at:


The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.

Back to Contents
How do content files work?
When the scan engine scans files for threats, it compares the contents of the scanned files to known threat information stored in the AMCore content files. Exploit Prevention uses its own content files to protect against exploits.

Why is EICAR not being detected? Why is my content version 0.5?
This issue occurs when AMCore content has not yet been updated after installing the product. To resolve this issue, update the content.

How often does McAfee release new Threat Prevention content files?
McAfee releases new Exploit Prevention content files as needed. The Endpoint Security Product Guide incorrectly states that Exploit Prevention content files are released once a month.

Which content does Endpoint Security need?
Endpoint Security Threat Prevention uses "Endpoint Security Exploit Prevention Content" and "AMCore Content Package".

Where can I get AMCore DAT files? How do I update AMCore content manually? Can I update the AMCore content from the command line on a client system?
Yes. To update the AMCore content, run the following command on the client system: "C:\Program Files\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" /update

Why does Endpoint Security update the engine version automatically? I am not able to electively download the engine.
The concept of engine updates has changed with AMCore technology; they are no longer separate packages from content. When AMCore content requires an update to any one of its engines used during scanning, the engine update is included in the V3 content update releases. Downgrading AMCore content would also downgrade an engine if not part of that older content.

How can I determine the Exploit Prevention content version and date from the registry or file system?
The Exploit Prevention content date is not stored in the registry. The date is the last modified date of the content.bin file found in the directory C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS.

To determine the Exploit Prevention content version from the registry:
  1. Navigate to the following registry key:

  2. Note the following string values under the key:
    • ContentMajorVersion
    • ContentMinorVersion
    • ContentVersion
  3. To get the Exploit Prevention content version, take the ContentVersion value and replace the value before the first period with the ContentMajorVersion, and the value after the first period with the ContentMinorVersion. For example, if the ContentVersion is, the ContentMajorVersion is 10, and the ContentMinorVersion is 7, the Exploit Prevention content version is

Is there a way to determine the AMCore content version from the registry or file system?
Yes. Perform the following steps:
  • From the registry:
    1. Navigate to the following registry key:
    2. Convert the major and minor version from hexadecimal to decimal. In the following example, the version is 2556.0.
      "dwContentMajorVersion"=dword:000009fc (000009fc is 2556 in decimal)
      "dwContentMinorVersion"=dword:00000000 (00000000 is 0 in decimal)

      The following date and time registry keys are also present. In the following example, the AMCore content was built on March 22, 2017 at 08:44:00 GMT.
      "szContentCreationDate"=reg_sz:"2017-03-22" (formatted date yyyy-mm-dd)
      "szContentCreationTime"=reg_sz:"08:44:00" (formatted time hh:mm:ss)
  • From the file system (if managed by ePolicy Orchestrator):
    Locate the value of AvManifestVersion in the file C:\Program Files\McAfee\Endpoint Security\Threat Prevention\AvContentMgr.xml.
    In the following example, the version is 2591.0:
What does the trailing number in a DAT version mean?
The trailing number indicates whether it is a Production, Pre-production, or Beta V3 DAT package.
  • xxxx.0 (Example: 3158.0) - Indicates a Production V3 DAT package
  • xxxx.1 (Example: 3158.1) - Indicates a Pre-production V3 DAT package
  • xxxx.3 (Example: 3158.3) - Indicates a Beta V3 DAT package
For a comparison of the V3 DAT package types, see KB89778.

How do I downgrade or roll back DAT content?
Use one of the following options to install the wanted version:
  • Use ePolicy Orchestrator and run a DAT update task on the client.
  • Run the V3 DAT content file manually on the client.
How is AMCore content compliance determined?
The criteria for "compliant" can't be changed. The AMCore content compliance is based on the age of the AMCore DAT.
  • If the DAT is less than seven days old, it is considered compliant.
  • If the DAT is greater than or equal to seven days old, it is noncompliant.
NOTE: The DAT age is not related to when the system updated, but when the DAT was released.
Does the option "DAT Version compliance for VirusScan Enterprise was within X versions of Repository DAT" exist in Endpoint Security?
No. Endpoint Security determines compliance based on the age of the DAT, not the DAT version.

How can I determine the size of AMCore content update files?
You can view the AMCore content update files at this location: http://update.nai.com/products/commonupdater/current/amcordat2000/dat/0000/. The date/time stamp of the files is always the current date, but a *.gem incremental update file is released each day and 30 days worth of incremental updates are stored there.
Why is the V3 DAT still a 100 MB+ file when I was told the new DATs are much smaller?
The smaller size of DAT refers to the comparison of the AVV versus the MED (medium) DATs. These offer equivalent functionality between VirusScan Enterprise and Endpoint Security.
  • For ENS:
    The MED DATs are found in the following location (note that the versioned folder changes):
    C:\Program Files\Common Files\McAfee\Engine\content\avengine\med\2647.0
    The combined size of medscan.dat, mednames.dat, and medclean.dat is 62.7 MB.
  • For VSE:
    The AVV DATs are found in the following location:
    C:\Program Files (x86)\Common Files\McAfee\Engine
    The combined size of avvscan.dat, avvnames.dat, and avvclean.dat is 143 MB, which is a reduction in size of 56%.
What is the "McAfee DAT Built in test" task?
The McAfee DAT Built in test performs some basic checks on the health of the system and is tied to the DAT update as the trigger for when it starts. It runs seven times at random intervals between AMCore updates. The task is not configurable, and runs only if the following options are enabled in the Endpoint Security Threat Prevention, Options policy, Proactive Data Analysis section:
  • Safety pulse
  • McAfee GTI feedback
  • AMCore Content Reputation
If the task does not succeed, verify that the system has network connectivity and run the task manually. The task runs mcdatrep.exe, a component that uses TrustedSource. So. HTTPS must be allowed and the system proxy properly configured for the task to succeed.

Back to Contents
What do each of the Endpoint Security modules do?
There are three Endpoint Security modules:
  • Firewall - Monitors and intercepts suspicious communication between the computer and resources on the network and the internet.
  • Threat Prevention - Checks for viruses, spyware, unwanted programs, and other threats by scanning items both automatically when users access them (on-access) or on-demand at any time.
  • Web Control - Displays safety ratings and reports for websites during online browsing and searching. Web Control enables the site administrator to block access to websites based on safety rating or content.
What difference in IPS coverage is there between Endpoint Security and Host Intrusion Prevention?
For a list of all Endpoint Security Exploit Prevention and Host Intrusion Prevention signatures and their current supported directives, see KB51504.

The referenced article is available only to registered ServicePortal users.

To view registered articles:
  1. Log on to the ServicePortal at http://support.mcafee.com.
  2. Type the article ID in the search field on the home page.
  3. Click Search or press Enter.

What does "Let McAfee Decide" mean when scanning files?
You can specify when the on-access scanner (OAS) scans files, such as when writing to disk or when reading from disk, or, you can let McAfee decide when to scan. When you select Let McAfee Decide, the on-access scanner uses trust logic to optimize scanning. Trust logic improves security and boosts performance by avoiding unnecessary scans. For more information, see the "Understanding the McAfee Endpoint Security 10 Threat Prevention Module" white paper at https://www.mcafee.com/us/resources/white-papers/restricted/wp-understanding-ep-security-10-module.pdf.

How does the Endpoint Security on-access scanner (OAS) handle Client-side Caching interactions? Is the file local or remote?
Microsoft Offline Files/folders technology, or Client-side Caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device is not connected to the network. This function is called client-side caching because Windows creates a local copy of the file in a protected folder. It is from this local copy that the device reads and modifies the file's content as needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.

The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the user or programs accessing the file use the same remote location. It is Windows that handles the needed redirection that provides access to the cached, local copy.

Because the file is always considered remote, for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the on-demand scanner (ODS) to scan the offline files, it must be provided the original (remote) location.

Why does the Endpoint Security Help file open in a browser that is not my default browser?
Endpoint Security starts the application associated with the .html extension. If the default browser is not associated with the .html extension, a different browser opens. For more information, see KB86558.

Why does McShield.exe use high CPU?
McShield.exe is the user mode scanner that analyzes files to determine whether they are clean or malware. It must use CPU cycles to accomplish its work.

Why is McShield.exe using high CPU continually?
McShield.exe is also the hosting scanner to perform the needed work for on-demand scan tasks. If you have a scheduled on-demand scan task running, you see McShield.exe use CPU cycles to carry out the requested scans. In ENS 10.7, there is an option to limit the CPU usage during an on-demand scan task.

Where is EmailScan? Why doesn't Endpoint Security include an email scanner like VirusScan Enterprise?
Currently there is no plug-in for either Outlook or Lotus mail clients. This feature is not included because the functionality of EmailScan is largely redundant or overlapping with the real-time scanning. If there is a specific use case wanted for this feature, contact your Support Account Manager and relay your user story to Product Management.

Endpoint Security reports the error "Clean error as no cleaner was available, and delete pending" for a detected threat file. What does this error mean?
This error typically means that the file was not cleanable and should be deleted. Deleting files can return inconsistent results because of the transient nature of files. The product might indicate that a delete action is pending when the file was already deleted (by the operating system) before the product could perform the delete action.

What does the value "Duration Before Detection" shown in the "Endpoint Security: Threat Behavior" ePolicy Orchestrator dashboard mean?
This value is the time between the file creation date (when it was written to the disk) and the detection time.
Back to Contents
How do I enable debug logging in Endpoint Security?
Enable debug logging for each Endpoint Security module through the Endpoint Security Common policy. Ensure that you enforce the policy on the client before trying to reproduce the issue. To enforce the policy, either perform an agent wake-up call to the system from the ePolicy Orchestrator console or click Collect and Send Props from the client McAfee Agent Status Monitor. Debug log files are stored at %ProgramData%\McAfee\Endpoint Security\Log or C:\Documents and Settings\All Users\Application Data\McAfee\Endpoint Security\Logs depending on the operating system. For instructions, see KB91797.

How do I enable detailed logging for McAfee Agent?
Detailed logging in McAfee Agent helps to troubleshoot issues with updating, installing, and upgrading. Enable detailed logging for McAfee Agent through the McAfee Agent General policy. Click the Logging tab, and select Enable detail logging. Increase the Log file size limit (MB) to 20 and Roll over count to 2. For detailed instructions, see KB82170.

Why are events not reporting in the ePolicy Orchestrator dashboards?
Managed product events have a severity level. By default, Endpoint Security modules log only Critical and Major events. If an event has a severity of Informational, it is not logged. To log all events, edit the Endpoint Security Common policy and change the Event Logging Severity Level to All.
Back to Contents
How do I prevent users from disabling the Web Control extension from a browser?
The self-protection policy in the Endpoint Security Common Policy prevents end users from disabling the Web Control toolbar and Web Control Browser Helper Object (BHO) in Internet Explorer. Self-protection does not prevent users from disabling the Web Control extension in Chrome or Firefox.

If a user disables the Web Control extension in Firefox, Web Control will be enabled in future browse sessions after a Firefox restart. You can't prevent a user from disabling Web Control in Firefox.

If a user deletes the Web Control extension in Chrome, Web Control will no longer appear in Chrome even after a reinstall of Endpoint Security. You must either delete the Chrome user profile or reinstall Chrome. To prevent users from deleting the Web Control extension in Chrome, see KB87568 for information about force-enabling the Web Control extension through Active Directory group policy.

Can I have the SiteAdvisor Enterprise and Web Control extensions force enabled in Chrome at the same time?
No. You need to remove the SiteAdvisor Enterprise (SAE) APPID from the Chrome Group Policy template. Having the SAE extension force installed with the Web Control extension causes issues with the navigation from the enforcement messages. Do not force install both the SAE and Web Control extensions into Chrome.

How does Web Control determine whether a site has a private/internal IP address?
Web Control does not act on private or internal IP addresses. Private and internal sites on a prohibit list are not blocked. Web Control determines that a site has a private or internal IP address if it is part of the following IP address ranges:

Default IPv4 private IP address ranges: - - -
localhost or

Default IPv6 private IP address range:
Site-local and Link-local addresses that start with FEC, FED, FEE, FEF or FE8, FE9, FEA, FEB

Why does the version of Web Control in Chrome report differently than the version of Web Control in the Endpoint Security console?
The Endpoint Security console reports the current version of Web Control installed. Chrome reports the version of the Web Control extension hosted in the Google Play Store. As new versions of Web Control are released, the Web Control extension in the Google Play Store might not get updated. Chrome can report a different version for the Web Control extension than the version shown in the Endpoint Security About box or in ePolicy Orchestrator product properties. Chrome uses the locally installed Web Control extension.

What causes no annotations to show in search results when I perform the search with a supported search engine?
Web Control uses scripts to annotate search results with ratings. If a search engine changes the webpage it uses to present the search engine results, Web Control might not annotate the page. For more information, see KB87640.

For example, www.yahoo.tw does not currently display search annotations with Web Control for this reason.

Why is a site on the Web Control allow list still appearing in email annotations as a red rated URL?
Web Control email annotations are based only on the Global Threat Intelligence (GTI) rating. The local allow policy does not override the GTI rating for the email annotation.

Why does a page load in the browser before the enforcement occurs?
Web Control does an asynchronous lookup for the rating on the webpage. The browser content can load before Web Control gets a rating from the Global Threat Intelligence servers. See KB88057.

Why is the Web Control browser balloon orange or displays "Error retrieving Web Control information"?
If the Web Control service can't communicate with the Global Threat Intelligence (GTI) servers, the browser balloon is orange. See KB87930 for troubleshooting steps.
Back to Contents

Previous Document ID


Rate this document

Glossary of Technical Terms

 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.