McAfee Active Response 2.x Known Issues
Technical Articles ID:   KB88196
Last Modified:  11/13/2017

Environment

McAfee Active Response (MAR) 2.x

Summary

Recent updates to this article

November 13, 2017: Added 2.2.0 Release Notes. Issues 1209426, 1205281, 1193660, and 1148152 marked as fixed. Issues 1214069, 1208348, 1216971, 1217376, 1210099, 1214101, and 1214051 added.
October 18, 2017: Added 2.1.0.270 Hotfix 2 Bundle release notes.
October 17, 2017: Added critical issue 1207202.
August 31, 2017: Added critical issue 1209426.
August 28, 2017: MAR 2.1.0 is Released to World (RTW). Added issue 1205281. Updated issue 1198057 as fixed in MAR 2.1.0.
August 1, 2017: Updated with links to all release notes.

Release notes by Active Response version (version, Release to World date, release notes document):

Active Response version        RTW date             Release Notes
2.2.0                          November 11, 2017    PD27282
2.1.0.270 Hotfix 2 Bundle      October 18, 2017     PD27297
2.1.0                          August 28, 2017      PD27182
Hotfix 2.0.1.139.1             July 14, 2017        PD27115
2.0.1                          March 31, 2017       PD26885
2.0                            December 20, 2016    PD26819

Known Issues

CRITICAL:
 
Each entry lists: Reference Number | Related Article | Found in MAR version | Resolved in MAR version, followed by the Issue Description.

Reference 1214069 | Related article: none | Found in MAR 2.2 | Resolved in: not listed
Issue: You identify a threat in the Potential Threats list and then remove one or more of its affected hosts from the System Tree before taking remediation action. The threat is not removed from the Potential Threats list.

Solution: Use the Dismiss action on the Workspace to remove Affected Hosts you know are no longer a problem.

Reference 1208348 | Related article: none | Found in MAR 2.2 | Resolved in: not listed
Issue: The MAR Workspace disables the Stop and Remove action on Known Trusted files. However, if the file is trusted by McAfee Certificates or by the McAfee Validation and Trust Protection (VTP) service, the file's reputation in the Workspace appears as Not Set and the Stop and Remove action is enabled.

Solution: When a Stop and Remove action is taken from the Workspace, the RemoveFileSafe reaction from the Active Response catalog is executed on the endpoint. This reaction stops and removes only files that are not trusted by McAfee Certificates or McAfee VTP.

Reference 1216971 | Related article: none | Found in MAR 2.2 | Resolved in: not listed
Issue: On Health Status, when you drill down to see impacted hosts under the Operating system not supported entry in the Incompatible with Active Response section, the list of affected hosts might be incomplete.

Solution: Refresh the Impacted Hosts list.

Reference 1217376 | Related article: none | Found in MAR 2.2 | Resolved in: not listed
Issue: CentOS and RedHat endpoints with McAfee Agent 5.0.6 are incorrectly reported as Incompatible in Health Status.

Solution: Disregard this incompatibility warning and deploy the Active Response client on those endpoints.

Reference 1210099 | Related article: none | Found in MAR 2.2 | Resolved in: not listed
Issue: When the Active Response server runs out of storage space, features in the Catalog, Advanced Search, and Workspace stop working, and the condition is not reported in Health Status.

Solution: Make sure the minimum requirements for the Active Response server are met. If Advanced Search or the Catalog stops working but Health Status shows no error messages, check the server for low storage capacity.

Reference 1214101 | Related article: none | Found in MAR 2.2 | Resolved in: not listed
Issue: On Linux endpoints, the UsbConnectedStorageDevices collector shows an extra row of irrelevant data containing the message: date: invalid date `+%F %T'

Solution: Disregard the search result for that specific row.

Reference 1214051 | Related article: none | Found in MAR 2.2 | Resolved in: not listed
Issue: The USBConnectedStorageDevices collector shows incorrect data for Mac endpoints when a virtual USB drive is connected. It shows only the USBMSC Identifier (which is not unique) in the Vendor ID field.

Solution: None available. However, the presence of this value can be taken as an indicator that a virtual USB device is present.

Reference 1207202 | Related article: none | Found in MAR 2.0.1 | Resolved in MAR 2.1
Issue: You enable Trace on the MAR client 2.0.1 and open Outlook. Outlook takes a long time to open, and the endpoint then slows down and suffers performance issues.

Solution: Upgrade to MAR 2.1.

Reference: none | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: MAR 2.x is deployed using ePO 5.3. If you then upgrade to ePO 5.9, the MAR Server certificates are no longer valid and must be regenerated.

Solution:
  1. Navigate to Server Settings, Active Response.
  2. Click Edit.
  3. Click Regenerate Stores. This updates the Active Response certificates.
  4. Click Save.

Reference 1209426 | Related article: none | Found in MAR 2.1.2 | Resolved in MAR 2.2.0
Issue: The installer for the Active Response Aggregator released in the package for MAR 2.1.0 is defective.

Workaround: Perform the applicable workaround:
  • If you are upgrading from MAR 2.0 or earlier, use Aggregator version 2.0.1.
  • If you are upgrading from MAR 2.0.1, do not upgrade the Aggregator. Leave the 2.0.1 version in place.
  • If you are performing a new deployment of MAR 2.1.0, use Aggregator version 2.0.1.
All other components should be MAR version 2.1.0.

Aggregator version 2.0.1 is available from the McAfee Downloads site (www.mcafee.com/us/downloads/downloads.aspx) and the ePO Software Manager.

Reference 1205281 | Related article: none | Found in MAR 2.1.0 | Resolved in MAR 2.2.0
Issue: Installation of the MAR 2.1.0 extensions bundle fails when the Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) extensions are already installed in ePO.

Workaround: To avoid the installation failure when the DXL and TIE extensions are already installed in ePO, install the MAR 2.1.0 extensions bundle as follows:
  1. Upgrade all DXL extensions listed below to the versions contained in the MAR 2.1.0 extensions bundle:
    • DXL Broker
    • DXL Client
    • DXL Client Mgt
  2. Upgrade the TIE extension listed below to the version contained in the MAR 2.1.0 extensions bundle:
    • TIE Server
  3. Install the MAR 2.1.0 extensions bundle.

Reference 1193660 | Related article: none | Found in MAR 2.0 | Resolved in MAR 2.1.0
Issue: MAR 2.0 health check status is displayed incorrectly by ePO 5.9.0.

Reference 1198057 | Related article: none | Found in MAR 2.0 | Resolved in MAR 2.1.0
Issue: You are working in an environment with at least 50 potential threats recorded. When you move the Time filter to 90 days, you see the error:

HTTP 404 Not Found

Solution: This issue is resolved in MAR 2.1.0.

Reference 1148152 | Related article: none | Found in MAR 2.0 | Resolved in MAR 2.1
Issue: Due to a problem with how AAC Control manages resources, installation of MAR 2.0 clients can fail on Windows endpoints where other McAfee products are installed.

Solution: Restart the endpoint and start the installation again.

Reference: none | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: On Microsoft Windows 7, 8.1, and 10, the endpoint may experience performance degradation during boot and shutdown if the latest ENS 10.2.1 package is not installed.

Solution: Ensure that endpoints are updated to ENS 10.2.1 before installation.

Reference: none | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: The Help extensions for Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) that are relevant to a MAR 2.0 deployment are not included in the MAR 2.0 extensions bundle, as is the case with the MAR Help extension.

Solution: Install the DXL and TIE Help extensions manually from the ePolicy Orchestrator (ePO) Software Manager.

Reference 1163497 | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: The MAR client reports false-positive threats for processes whose process, network, filesystem, or Windows Registry events occur during normal operation.

Cause: The Potential Threats list on the Active Response Workspace is populated with processes found on endpoints that have drawn the attention of the MAR client. The MAR client primarily monitors process events, network events, filesystem events, and Windows Registry events.

For example, the explorer.exe process may appear as a potential threat on the Workspace if it produced process, network, filesystem, or Windows Registry events. Although explorer.exe is expected to perform these operations legitimately, MAR cannot determine on its own whether the activity is legitimate.

Resolution: A seemingly trusted process can still exhibit malicious behavior, so check the following:
  • Is the trusted process what it claims to be? The process could be impersonated by malware.
  • Does the process have a valid hash?
  • Is the file being executed from the correct path?
  • Are there code injection events from other processes that could affect the trusted process?

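The four checks in the resolution above can be applied mechanically to process records exported from a search. The following Python is an added example for this article, not McAfee code and not part of the original text; the record layout (name, path, sha256, injected_by), the known-good table, and the sample records are all constructed for illustration, and the "known-good" hash is computed from a stand-in byte string rather than taken from a real explorer.exe build.

```python
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a file image. In practice, read the on-disk file in binary mode."""
    return hashlib.sha256(data).hexdigest()


# Constructed known-good table: expected install path (compared case-insensitively,
# as on Windows) and the set of hashes accepted for that executable. The hash here
# is derived from a placeholder byte string, not from a real explorer.exe image.
KNOWN_GOOD = {
    "explorer.exe": {
        "path": r"c:\windows\explorer.exe",
        "sha256": {sha256_hex(b"constructed known-good explorer.exe image")},
    },
}


@dataclass
class Finding:
    process: str
    flags: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """A record needs analyst attention if any check raised a flag."""
        return bool(self.flags)


def triage(record: dict, known_good=KNOWN_GOOD) -> Finding:
    """Apply the four checks from the KB resolution to one process record."""
    name = record["name"].lower()
    finding = Finding(process=name)
    expected = known_good.get(name)
    if expected is None:
        # Check 1: with no reference entry, the process identity cannot be confirmed.
        finding.flags.append("no known-good entry; identity unverified")
        return finding
    # Check 3: is the file executed from the correct path?
    if record["path"].lower() != expected["path"]:
        finding.flags.append(f"unexpected path: {record['path']}")
    # Check 2: does the hash match a known build?
    if record["sha256"].lower() not in expected["sha256"]:
        finding.flags.append("hash does not match any known-good build")
    # Check 4: did other processes inject code into it?
    injectors = record.get("injected_by", [])
    if injectors:
        finding.flags.append("code injected by: " + ", ".join(injectors))
    return finding


# Constructed sample records shaped like rows an analyst might export:
# a legitimate copy, an impersonator in the wrong path with a different hash,
# and a legitimate copy that received code injection from another process.
SAMPLE_RECORDS = [
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "sha256": sha256_hex(b"constructed known-good explorer.exe image"),
     "injected_by": []},
    {"name": "explorer.exe", "path": r"C:\Users\Public\explorer.exe",
     "sha256": sha256_hex(b"constructed unrelated binary"),
     "injected_by": []},
    {"name": "explorer.exe", "path": r"C:\Windows\explorer.exe",
     "sha256": sha256_hex(b"constructed known-good explorer.exe image"),
     "injected_by": ["unknown.exe"]},
]


def triage_all(records=SAMPLE_RECORDS) -> list:
    """Triage every record and return the findings in input order."""
    return [triage(r) for r in records]


if __name__ == "__main__":
    for f in triage_all():
        status = "INSPECT" if f.suspicious else "ok"
        print(f"{f.process}: {status} {f.flags}")
```

Only the first sample record passes all four checks; the second is flagged on both path and hash, which is the impersonation case the resolution warns about, and the third is flagged only for the injection event, so a clean path and hash alone are not enough to dismiss a Workspace entry.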
Reference: none | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: After you perform the Make Known Trusted action on a threat, the threat does not disappear from the Potential Threats list.

Cause: Threats that are remediated by setting the TIE reputation to Known Trusted may still produce events on endpoints. Although the user may want to assume these running processes are safe, they continue to produce MAR events because other processes could use the trusted process in a malicious way.

Solution: Use the time selector in the Workspace to focus on recent activity and hide from the Potential Threats list those entries that have been marked as Known Trusted. Also, 90 days after the trusted process was first seen, it is removed from the Workspace.

NOTE: If the trusted process reappears on the Workspace as a threat, there is new activity that the incident responder should inspect.

Reference: none | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: When you use the Stop And Remove action through the Active Response Workspace, the process created by running a remote file is terminated, but the remote file is not removed from network shared drives or folders. This includes files that are not stored locally on the endpoint but are logically linked to it, as with Windows shared folders mapped to the endpoint as drives.

Cause: By design, Active Response cannot access network shared files because of security constraints.

Workaround: If MAR is installed on the file server that the affected endpoint is linked to or accesses, you can use an Active Response search on that server to find the file and remove it.


Non-critical:

Each entry lists: Reference Number | Related Article | Found in MAR version | Resolved in MAR version, followed by the Issue Description.

Reference 1163125 | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: If an executable (.exe) file is signed by multiple certificates, the event shows information for only one certificate.

Workaround: Use the Save to File option in the Trace timeline to view information about the certificate signing chain, if available.

Reference 1167621 | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: Making a threat Known Malicious or Known Trusted from the EDR manager fails for a threat that ran on a client connected to Global Threat Intelligence (GTI). When an endpoint is disconnected from the on-premises TIE server that is part of the MAR 2.0 deployment, the user can still take the Make known trusted or Make known malicious actions from the Workspace. If the TIE server is operational, it attempts to replicate this reputation change to all endpoints. However, endpoints that are disconnected from the on-premises TIE server do not receive the reputation update, and TIE clean-up actions are not executed on them.

Workaround: Be aware that endpoints can be disconnected from on-premises TIE while still connected to the GTI reputation service. In this case, the on-premises reputation change is ineffective at the endpoint until the endpoint reconnects to the on-premises TIE server.

Reference: none | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: No reputation details are displayed on the right side of the Workspace. The Threat Details pane in the Workspace is populated by the TIE Server. If the TIE server fails to provide information to the Workspace, for example because of a communication problem between TIE and ePO, the Workspace attempts to populate the threat's hashes in Threat Details with information from TMP. The other Threat Details fields remain empty.

Reference: none | Related article: none | Found in MAR 2.0 | Resolved in: not listed
Issue: The NetworkFlow Collector fails to detect Connection Opened or Connection Closed events for loopback connections.

This limitation has two effects. First, triggers configured to detect Network events from loopback traffic are not fired. Second, an Active Response search using the NetworkFlow Collector does not show these connections.

Solution: This limitation results from the way the Windows TCP/IP stack is implemented and from Active Response design decisions.

