Endpoint Security Access Protection events are not available in ePolicy Orchestrator
Technical Articles ID:   KB87149
Last Modified:  8/23/2018


Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee ePolicy Orchestrator (ePO) 5.x

Problem

Access Protection events are not available in ePO, even though the events are logged locally and confirmed to be occurring on the client system.

Cause

The default configuration of the ENS policy for event generation, and the McAfee Agent configuration for Event Filtering, might be suppressing or excluding Access Protection events, so they never reach the ePO server. In this case:
  • The Endpoint Security Common policy is configured not to send events that are Informational.
  • The McAfee Agent Event Filtering policy configured in the ePO Server Settings excludes Event IDs 1092 and 1095.

Solution

Modify the Endpoint Security Common policy to send all events:
  1. Log on to the ePO console.
  2. Navigate to Policy Catalog, Endpoint Security Common, [your assigned policy] or McAfee Default, Show Advanced.
  3. In the Event Logging section, change the drop-down list for Access Protection events to log All events.
     
    NOTE: Event Logging must be set to All because the Access Protection events generated by the clients are Informational from the perspective of the ePO server, despite being Critical events from the perspective of the client.

Solution

Modify the McAfee Agent configuration for Event Filtering to send Event IDs 1092 and 1095:
  1. Log on to the ePO console.
  2. Navigate to Menu, Server Settings, Event Filtering.
  3. Click Edit.
  4. Locate the Event ID for which you want to receive events and ensure it is selected:
    • 1092: Access protection rule violation detected and blocked (Low)
    • 1095: Access Protection rule violation detected and NOT blocked (Low)
     
    In other words, Event ID 1092 is for Access Protection rules that are configured to Block and report; Event ID 1095 is for Access Protection rules that are configured to Report only.
  5. Click Save.
