

McAfee Active Response 2.x Known Issues
Technical Articles ID: KB88196
Last Modified: 8/22/2019

Environment

McAfee Active Response (MAR) 2.x

Summary

Recent updates to this article
August 22, 2019: MAR 2.4.1 released to General Availability.
August 13, 2019: MAR 2.4.0 Hotfix 5 released to General Availability. Added ENSW-27358 to the Critical known issues section.
March 1, 2019: Added 1267676 to the Non-critical known issues section.
November 27, 2018: MAR 2.4.0 Hotfix 1 released to General Availability.
November 13, 2018: Added MAR 2.3.0 Hotfix 4 Release Notes and 2.4.0 Hotfix 1 build 2.4.0.176 (RTS). Updated 1241963.



Contents
Active Response version | General Availability (GA) date | Release Notes
2.4.1 | August 22, 2019 | PD28472
2.4.0 Hotfix 5 | August 13, 2019 | PD28456
2.4.0 Hotfix 1 | November 27, 2018 | PD28083
2.4.0 | September 25, 2018 | PD27895
2.3.0 Hotfix 4 | November 13, 2018 | PD28082
2.3.0 Hotfix 3 | September 4, 2018 | PD27964
2.3.0 Hotfix 2 | August 14, 2018 | Withdrawn
2.3.0 Hotfix 1 | July 10, 2018 | PD27862
2.3.0 | June 12, 2018 | PD27435
2.2.0 | November 11, 2017 | PD27282
2.1.0.270 Hotfix 2 Bundle | October 18, 2017 | PD27297
2.1.0 | August 28, 2017 | PD27182
Hotfix 2.0.1.139.1 | July 14, 2017 | PD27115
2.0.1 | March 31, 2017 | PD26885
2.0 | December 20, 2016 | PD26819


Critical known issues

Each entry header gives: reference number | related article | found in MAR version | resolved in MAR version. A dash means no value is listed.

ENSW-27358 | - | - | -
Issue: MAR cannot be installed or upgraded on top of ENS 10.7 Release to Support evaluation builds greater than build 10.7.0.541.

Workaround: Contact Technical Support for a workaround.
N/A | - | 2.4 | -
Issue: Active Response Registered Server does not activate and shows the error 'Error Activating the license, try again later'.

Solution: Make sure that the configured Server Location is valid, then manually force McAfee Agent synchronization for the Data Exchange Layer (DXL) and Threat Intelligence Exchange (TIE) components by using the cmdagent utility on the appliance, so that the MAR Server can answer the request.
 
IMPORTANT: Active Response registered server is not updated automatically if it was manually edited and saved.
If the Active Response registered server was manually edited, it must be removed and re-created during upgrade.
1257901 | - | 2.4 | -
Issue: Running too many complex searches at once can overrun the JVM heap, which stops the Elasticsearch (ES) service from storing search results and leaves 'None of the configured nodes are available' errors in the logs.

Solution:
  1. Expand the JVM heap limit by adding 'ES_HEAP_SIZE=2g' at the top of /usr/share/elasticsearch/bin/elasticsearch.
  2. Set the ES heap size by changing line 8 of /etc/init.d/elasticsearch to 'export ES_HEAP_SIZE=2g'.
  3. Restart the service by running 'service elasticsearch restart'.
1256879 | - | 2.4 | -
Issue: The Active Response Server 2.4 upgrade fails, leaving the service uninstalled, when it is pushed to a legacy Active Response 2.3 appliance.

Solution: Check the required one-time migration procedure detailed in the MAR 2.4 Install Guide.
Redeploy Active Response Server 2.3 to recover functionality and custom content.
- | KB90915 | 2.4 | -
Issue: When you upgrade from a multiple-server installation (2.3 and earlier) to a single-server setup (2.4 and later), you must migrate your configured content to avoid losing it.

Solution: See the Related Article.
1244782 | KB90784 | 2.2 | 2.3
Issue: Installing MAR 2.2.x via ePolicy Orchestrator fails when Endpoint Security 10.6 is installed.

Solution: Fixed in MAR client 2.3.
1241963 | - | 2.3 | 2.3 HF4, 2.4 HF1
Issue: You install or upgrade a McAfee product on a system that has SysCore and has Endpoint Security Exploit Prevention or Host Intrusion Prevention Exploit Prevention enabled. You then see either a blue screen, or the system stops responding (hangs).
 
Workaround: Disable the Exploit Prevention feature before you install or upgrade the software.

Solution: Fixed in 2.3 Hotfix 4 and 2.4 Hotfix 1 (RTS).
1176118 | - | 2.3 | 2.3 HF1
Issue: Workspace does not receive remediation events automatically for Mac endpoints. You must manually dismiss the event.

Workaround: Apply a remediation, then check in the Trace chart for each host that the processes were properly closed, and then manually dismiss the threat.
Alternatively, view the Threat Event Log for the relevant events and manually dismiss them.
- | - | 2.3 | -
Issue: The Trace Plug-in is disabled by default when you upgrade to MAR 2.3, on macOS only.

Solution: Navigate to your policy and enable it using the Enable Plug-in for macOS Endpoints option:
  1. Click Menu, Policy, Policy Catalog.
  2. Select the Trace tab.
  3. Select Enable Plug-in for macOS Endpoints (Beta).
1214069 | - | 2.2 | 2.3
Issue: You identify a threat in the Potential Threats list and remove one or more of its affected hosts from the System Tree before taking remediation action. The threat is then not removed from the Potential Threats list.

Solution: Remove the affected hosts that you know are no longer a problem, using the Dismiss action in the Workspace.
1208348 | - | 2.2 | -
Issue: The MAR Workspace disables the Stop and Remove action on Known Trusted files. But if the file is trusted by McAfee Certificates or by the McAfee Validation and Trust Protection (VTP) service, the file's reputation in the Workspace appears as Not Set and the Stop and Remove action is enabled.
 
Solution: When a Stop and Remove action is taken from the Workspace, the RemoveFileSafe reaction from the Active Response catalog is executed on the endpoint. This reaction stops and removes only those files that are not trusted by McAfee Certificates or McAfee VTP.
1210099 | - | 2.2 | -
Issue: When the Active Response server runs out of storage space, features in the Catalog, Advanced Search, and Workspace stop working, and the issue is not reported in Health Status.

Solution: Make sure that the minimum requirements for the Active Response server are met. If Advanced Search on the Catalog has problems but Health Status shows no error messages, check the server for low storage capacity.
1214051 | - | 2.2 | -
Issue: The USBConnectedStorageDevices collector shows incorrect data for Mac endpoints when a virtual USB drive is connected. It shows only the USBMSC Identifier (non-unique) as the Vendor ID field.

Solution: None available. But the presence of this information might indicate that a virtual USB device is present.
1207202 | - | 2.0.1 | 2.1
Issue: You enable Trace on the MAR client 2.0.1 and open Outlook. Outlook takes a long time to open, and the endpoint then slows down and suffers performance issues.

Solution: Upgrade to MAR 2.1.
- | - | 2.0 | -
Issue: MAR 2.x is deployed using ePO 5.3. If you then upgrade to ePO 5.9, the MAR Server certificates are no longer valid and must be regenerated.

Solution:
  1. Navigate to Server Settings, Active Response.
  2. Click Edit.
  3. Click Regenerate Stores.
    This step updates the Active Response Certificates.
  4. Click Save.
1209426 | - | 2.1.2 | 2.2.0
Issue: The installer for Active Response Aggregator released in the package for MAR 2.1.0 is defective.

Workaround: Perform the applicable workaround:
  • If you are upgrading from MAR 2.0 or earlier, use the Aggregator version 2.0.1.
  • If you are upgrading from MAR 2.0.1, do not upgrade Aggregator. Leave the 2.0.1 version.
  • If you are performing a new deployment of MAR 2.1.0, use the Aggregator version 2.0.1.
All other components must be MAR version 2.1.0.

Aggregator version 2.0.1 is available from the McAfee Downloads site (www.mcafee.com/us/downloads/downloads.aspx) and ePO Software Manager.
1205281 | - | 2.1.0 | 2.2.0
Issue: Installation of the MAR 2.1.0 extensions bundle fails when Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) extensions are already installed in ePO.

Workaround: To avoid the installation failure when the DXL and TIE extensions are already installed in ePO, perform the following steps to install the MAR 2.1.0 extensions bundle:
  1. Upgrade all DXL extensions (listed below) to the versions contained in the MAR 2.1.0 extensions bundle:
    • DXL Broker
    • DXL Client
    • DXL Client Mgt
  2. Upgrade the TIE extension (listed below) to the version contained in the MAR 2.1.0 extensions bundle:
    • TIE Server
  3. Install the MAR 2.1.0 extensions bundle.
1193660 | - | 2.0 | 2.1.0
Issue: ePO 5.9.0 incorrectly displays the MAR 2.0 health check status.
1198057 | - | 2.0 | 2.1.0
Issue: You are working in an environment with at least 50 potential threats recorded. When you move the Time filter to 90 days, you see the error:

HTTP 404 Not Found
 
Solution: This issue is resolved in MAR 2.1.0.
1148152 | - | 2.0 | 2.1
Issue: Because of a problem with how AAC Control manages resources, installation of MAR 2.0 clients can fail on Windows endpoints where other McAfee products are installed.

Solution: Restart the endpoint and start installation again.
- | - | 2.0 | -
Issue: On Microsoft Windows 7, 8.1, and 10, the endpoint might experience performance degradation during boot and shutdown if the latest ENS 10.2.1 package is not installed.

Solution: Ensure that endpoints are updated to ENS 10.2.1 before installation.
- | - | 2.0 | -
Issue: The Help extensions for Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) that are relevant to a MAR 2.0 deployment are not included in the MAR 2.0 extensions bundle. (The MAR Help extension is included.)
 
Solution: Install the DXL and TIE Help extensions manually from the ePolicy Orchestrator (ePO) Software Manager.
1163497 | - | 2.0 | 2.0.1
Issue: The MAR client reports false positive threats for processes that generate process, network, filesystem, or Windows Registry events during normal operation.

Cause: The Potential Threats list on the Active Response Workspace is populated with processes found on endpoints that have called the attention of the MAR client. The MAR client primarily monitors process events, network events, filesystem events, and Windows Registry events.

For example, the explorer.exe process might appear as a potential threat on the Workspace if it produced process, network, filesystem, or Windows Registry events. Although it is expected that explorer.exe can legitimately perform these operations, MAR is unable to determine if the activity is legitimate.

Resolution: A seemingly trusted process can still exhibit malicious behavior. Check the following:
  • Is the trusted process what it claims to be? Malware could impersonate the process.
  • Does the process have a valid hash?
  • Is the file being executed from the correct path?
  • Are there code injection events from other processes that could affect the trusted process?
- | - | 2.0 | -
Issue: After you perform the Make Known Trusted action on a threat, the threat does not disappear from the Potential Threats list.

Cause: Threats that are remediated by setting the TIE reputation to Known Trusted might still produce events on endpoints. Although the user might want to assume that these running processes are safe, the processes still produce MAR events because other processes could use the trusted process in a malicious way.
 
Solution: Use the time selector in the Workspace to focus on recent activity and hide from the Potential Threats list those events that have been marked as Known Trusted. Also, after 90 days have passed since the first time the trusted process was seen, it is removed from the workspace.
 
NOTE: If the trusted process reappears on the Workspace as a threat, it means that there is new activity that the incident responder must inspect.
- | - | 2.0 | -
Issue: When you use the Stop And Remove action through the Active Response Workspace, the process created by running a remote file is closed, but the remote file is not removed from network shared drives or folders. These are files that are not stored locally on the endpoint but are logically linked to it, as with Windows shared folders mapped to the endpoint as drives.

Cause: By design, Active Response cannot access network shared files because of security constraints.

Workaround: If MAR is installed on the file server that is linked to or accessed by the endpoint where the threat is detected, use an Active Response search to find the file and remove it.


Non-critical known issues

Each entry header gives: reference number | related article | found in MAR version | resolved in MAR version. A dash means no value is listed.

1163125 | - | 2.0 | -
Issue: If an executable (.exe) file is signed by multiple certificates, information for only a single certificate is shown in the event.

Workaround: You can use the Save to File option in the Trace timeline to view information about the certificate signing parent chain, if available.
1167621 | - | 2.0 | -
Issue: The action of making a threat Known Malicious or Trusted from the EDR manager fails for a threat run on a client connected to Global Threat Intelligence (GTI). When an endpoint is disconnected from the on-premises TIE server, which is part of the MAR 2.0 deployment, the user might still take Make known trusted or Make known malicious actions from the Workspace. If the TIE server is operational, it tries to replicate this reputation change on all endpoints. But any endpoints that are disconnected from the on-premises TIE server do not receive this reputation update, and TIE clean-up actions are not executed.

Workaround: Endpoints can be disconnected from on-premises TIE, but connected to the GTI reputation service. In this case, the on-premises reputation change is ineffective at the endpoint until the endpoint reconnects to the on-premises TIE server.
- | - | 2.0 | -
Issue: No reputation details are displayed on the right side of the Workspace. The Threat Details pane in the Workspace is populated by the TIE Server. If the TIE server fails to provide information to the Workspace (for example, because of a communication problem between TIE and ePO), the Workspace tries to populate the threat's hashes in Threat Details with information from TMP. Other fields in Threat Details are empty.
- | - | 2.0 | -
Issue: The NetworkFlow Collector fails to detect loopback connections for Connection Opened or Closed events.

This limitation has two effects. First, triggers configured to detect network events from loopback traffic are not triggered. Second, an Active Response search using the NetworkFlow Collector does not show these connections.

Cause: This limitation results from the way the Windows TCP/IP stack is implemented and from Active Response design decisions.
1235857 | - | 2.2 | 2.3
Issue: When you upgrade your Mac to 10.13.4, you see the error 'Active Response: Not Working' in the McAfee shield product status. This error indicates an incompatibility with AAC caused by duplicate symbols for sha256 calculation.

Solution:
  • Fixed in MAR client 2.3.
  • AAC compatibility will be resolved with ENSM 10.5.
1267676 | - | 2.4 | -
Issue: Installation of MAR 2.4.x on Mac Mojave (10.14) is successful, but policies are not enforced and MAR does not report to ePO.

Cause: Mac Mojave uses FMP, which is 64-bit. MAR is a 32-bit application and does not integrate with FMP.

Solution: Remove MAR from Macs running Mojave.

