McAfee Active Response 2.x Known Issues
Technical Articles ID:   KB88196
Last Modified:  9/24/2018

Environment

McAfee Active Response (MAR) 2.x

Summary

Recent updates to this article

September 25, 2018: Added Release Notes for version 2.4 in "Product release information." Added a new critical issue regarding upgrading to 2.4 or later.
September 4, 2018: Added Release Notes for 2.3.0 Hotfix 3. Updated 2.3.0 Hotfix 2 as withdrawn.
August 15, 2018: Added 1244782.
August 14, 2018: Added Release Notes for 2.3.0 Hotfix 2. Added 1241963; updated 1176118.
July 10, 2018: Added Release Notes for 2.3.0 Hotfix 1.

Product release information
Active Response Version        General Availability (GA)    Release Notes
2.4.0                          September 25, 2018           PD27895
2.3.0 Hotfix 3                 September 4, 2018            PD27964
2.3.0 Hotfix 2                 August 14, 2018              Withdrawn
2.3.0 Hotfix 1                 July 10, 2018                PD27862
2.3.0                          June 12, 2018                PD27435
2.2.0                          November 11, 2017            PD27282
2.1.0.270 Hotfix 2 Bundle      October 18, 2017             PD27297
2.1.0                          August 28, 2017              PD27182
Hotfix 2.0.1.139.1             July 14, 2017                PD27115
2.0.1                          March 31, 2017               PD26885
2.0                            December 20, 2016            PD26819

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.

Known issues

Each entry below lists the Reference Number, Related Article, Found in MAR version, and Resolved in MAR version (shown as "not listed" where the original table cell is empty), followed by the Issue Description.

Reference Number: not listed. Related Article: KB90915. Found in MAR version: 2.4. Resolved in MAR version: not listed.
Issue: When you upgrade from a multiple-server installation (2.3 and earlier) to a single-server setup (2.4 and later), you must migrate your configured content to avoid losing it.

Solution: See the Related Article.
Reference Number: 1244782. Related Article: KB90784. Found in MAR version: 2.2. Resolved in MAR version: 2.3.
Issue: Installing MAR 2.2.x via ePolicy Orchestrator fails when Endpoint Security 10.6 is installed.

Solution: Fixed in MAR client 2.3.
Reference Number: 1241963. Related Article: not listed. Found in MAR version: 2.3. Resolved in MAR version: not listed.
Issue: You install or upgrade a McAfee product on a system with SysCore with Endpoint Security Exploit Prevention or Host Intrusion Prevention Exploit Prevention enabled. You then see either a blue screen displayed, or the system stops responding (hangs).

Workaround: Disable the Exploit Prevention feature before you install or upgrade the software.

Reference Number: 1176118. Related Article: not listed. Found in MAR version: 2.3. Resolved in MAR version: 2.3 HF1.
Issue: The Workspace does not receive remediation events automatically for Mac endpoints. You must manually dismiss the event.

Workaround: Apply a remediation, then check in the Trace chart for each host that the processes were properly closed, and then manually dismiss the threat.
Alternatively, view the Threat Event Log for the relevant events and manually dismiss the events.
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.3. Resolved in MAR version: not listed.
Issue: The Trace Plug-in is disabled by default when you upgrade to MAR 2.3 on macOS only.

Solution: Navigate to your policy and enable it using the Enable Plug-in for macOS Endpoints option.
  1. Click Menu, Policy, Policy Catalog.
  2. Select the Trace tab.
  3. Select the Enable Plug-in for macOS Endpoints (Beta) option.
Reference Number: 1214069. Related Article: not listed. Found in MAR version: 2.2. Resolved in MAR version: 2.3.
Issue: You identify a threat in the Potential Threats list. Before taking remediation action, you remove one or more of its affected hosts from the System Tree. The threat is then not removed from the Potential Threats list.

Solution: Use the Dismiss action on the Workspace to remove Affected Hosts that you know are no longer a problem.
Reference Number: 1208348. Related Article: not listed. Found in MAR version: 2.2. Resolved in MAR version: not listed.
Issue: The MAR Workspace disables the Stop and Remove action on Known Trusted files. But, if the file is trusted by McAfee Certificates or by the McAfee Validation and Trust Protection (VTP) service, the file's reputation in the Workspace appears as Not Set, and the Stop and Remove action is enabled.

Solution: When a Stop and Remove action is taken from the Workspace, the RemoveFileSafe reaction from the Active Response catalog is executed on the endpoint. This reaction stops and removes only those files that are not trusted by McAfee Certificates or McAfee VTP.
Reference Number: 1210099. Related Article: not listed. Found in MAR version: 2.2. Resolved in MAR version: not listed.
Issue: When the Active Response server runs out of storage space, features in the Catalog, Advanced Search, and Workspace stop working, and the issue is not reported in Health Status.

Solution: Make sure that the minimum requirements for the Active Response server are met. If Advanced Search or the Catalog is failing but Health Status shows no error messages, check the server for low storage capacity.
Reference Number: 1214051. Related Article: not listed. Found in MAR version: 2.2. Resolved in MAR version: not listed.
Issue: The USBConnectedStorageDevices collector shows incorrect data for Mac endpoints when a virtual USB drive is connected. It shows only the USBMSC Identifier (which is not unique) in the Vendor ID field.

Solution: None available. However, the presence of this value can itself be an indicator that a virtual USB device is present.
Reference Number: 1207202. Related Article: not listed. Found in MAR version: 2.0.1. Resolved in MAR version: 2.1.
Issue: You enable Trace on the MAR client 2.0.1 and open Outlook. Outlook takes a long time to open, and the endpoint then slows down and suffers performance issues.

Solution: Upgrade to MAR 2.1.
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: MAR 2.x is deployed using ePO 5.3. If you then upgrade to ePO 5.9, the MAR Server certificates are no longer valid and must be regenerated.

Solution:
  1. Navigate to Server Settings, Active Response.
  2. Click Edit.
  3. Click Regenerate Stores.
     This step updates the Active Response certificates.
  4. Click Save.
Reference Number: 1209426. Related Article: not listed. Found in MAR version: 2.1.2. Resolved in MAR version: 2.2.0.
Issue: The installer for Active Response Aggregator released in the package for MAR 2.1.0 is defective.

Workaround: Perform the applicable workaround:
  • If you are upgrading from MAR 2.0 or earlier, use Aggregator version 2.0.1.
  • If you are upgrading from MAR 2.0.1, do not upgrade Aggregator. Leave the 2.0.1 version in place.
  • If you are performing a new deployment of MAR 2.1.0, use Aggregator version 2.0.1.
All other components must be MAR version 2.1.0.

Aggregator version 2.0.1 is available from the McAfee Downloads site (www.mcafee.com/us/downloads/downloads.aspx) and from the ePO Software Manager.
Reference Number: 1205281. Related Article: not listed. Found in MAR version: 2.1.0. Resolved in MAR version: 2.2.0.
Issue: Installation of the MAR 2.1.0 extensions bundle fails when the Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) extensions are already installed in ePO.

Workaround: To avoid the installation failure when the DXL and TIE extensions are already installed in ePO, perform the following steps to install the MAR 2.1.0 extensions bundle:
  1. Upgrade all DXL extensions (listed below) to the versions contained in the MAR 2.1.0 extensions bundle:
     • DXL Broker
     • DXL Client
     • DXL Client Mgt
  2. Upgrade the TIE extension (listed below) to the version contained in the MAR 2.1.0 extensions bundle:
     • TIE Server
  3. Install the MAR 2.1.0 extensions bundle.
Reference Number: 1193660. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: 2.1.0.
Issue: ePO 5.9.0 incorrectly displays the MAR 2.0 health check status.

Reference Number: 1198057. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: 2.1.0.
Issue: You are working in an environment with at least 50 potential threats recorded. When you move the Time filter to 90 days, you see the error:

HTTP 404 Not Found

Solution: This issue is resolved in MAR 2.1.0.
Reference Number: 1148152. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: 2.1.
Issue: Due to a problem with how AAC Control manages resources, installation of MAR 2.0 clients can fail on Windows endpoints where other McAfee products are installed.

Solution: Restart the endpoint and start the installation again.
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: On Microsoft Windows versions 7, 8.1, and 10, the endpoint might experience performance degradation during boot and shutdown if the latest ENS 10.2.1 package is not installed.

Solution: Ensure that endpoints are updated to ENS 10.2.1 before installation.
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: The Help extensions for Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) that are relevant to a MAR 2.0 deployment are not included in the MAR 2.0 extensions bundle. (The MAR Help extension is included.)

Solution: Install the DXL and TIE Help extensions manually from the ePolicy Orchestrator (ePO) Software Manager.
Reference Number: 1163497. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: 2.0.1.
Issue: The MAR client reports false positive threats for processes that generate process, network, filesystem, or Windows Registry events as part of their normal operation.

Cause: The Potential Threats list on the Active Response Workspace is populated with processes found on endpoints that have drawn the attention of the MAR client. The MAR client primarily monitors process events, network events, filesystem events, and Windows Registry events.

For example, the explorer.exe process might appear as a potential threat on the Workspace if it produced process, network, filesystem, or Windows Registry events. Although explorer.exe is expected to perform these operations legitimately, MAR is unable to determine whether the activity is legitimate.

Resolution: There can be cases where a seemingly trusted process exhibits malicious behavior. Check the following:
  • Is the trusted process what it claims to be? Malware could impersonate the process.
  • Does the process have a valid hash?
  • Is the file being executed from the correct path?
  • Are there code injection events from other processes that could affect the trusted process?
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: After you perform the Make Known Trusted action on a threat, the threat does not disappear from the Potential Threats list.

Cause: Threats that are remediated by setting the TIE reputation to Known Trusted might still produce events on endpoints. Although the user might want to assume that these running processes are safe, the processes still produce MAR events because other processes could use the trusted process in a malicious way.

Solution: Use the time selector in the Workspace to focus on recent activity and hide from the Potential Threats list those events that have been marked as Known Trusted. Also, after 90 days have passed since the first time the trusted process was seen, it is removed from the Workspace.

NOTE: If the trusted process reappears on the Workspace as a threat, there is new activity that the incident responder must inspect.
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: When you use the Stop And Remove action through the Active Response Workspace, the process created by running a remote file is closed, but the remote file is not removed from network shared drives or folders. This applies to files that are not stored locally on the endpoint but are logically linked to it, as is the case with Windows shared folders mapped to the endpoint as drives.

Cause: By design, Active Response cannot access network shared files because of security constraints.

Workaround: If MAR is installed on the file server that is linked to or accessed by the endpoint where the threat is detected, use an Active Response search on that file server to find the file and remove it.

Reference Number: 1163125. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: If an executable (.exe) file is signed by multiple certificates, information for only a single certificate is shown in the event.

Workaround: Use the Save to File option in the Trace timeline to view information about the certificate signing parent chain, if available.
Reference Number: 1167621. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: The action of making a threat Known Malicious or Known Trusted from the EDR manager fails for a threat running on a client connected to Global Threat Intelligence (GTI). When an endpoint is disconnected from the on-premise TIE server, which is part of the MAR 2.0 deployment, the user can still take the Make Known Trusted or Make Known Malicious actions from the Workspace. If the TIE server is operational, it tries to replicate this reputation change to all endpoints. But endpoints that are disconnected from the on-premise TIE server do not receive this reputation update, and TIE clean-up actions are not executed on them.

Workaround: Endpoints can be disconnected from on-premise TIE but still connected to the GTI reputation service. In this case, the on-premise reputation change has no effect on the endpoint until the endpoint reconnects to the on-premise TIE server.
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: No reputation details are displayed on the right side of the Workspace. The Threat Details pane in the Workspace is populated by the TIE Server. If the TIE server fails to provide information to the Workspace (for example, because of a communication problem between TIE and ePO), the Workspace tries to populate the threat's hashes in Threat Details with information from TMP, and the other fields in Threat Details are left empty.
Reference Number: not listed. Related Article: not listed. Found in MAR version: 2.0. Resolved in MAR version: not listed.
Issue: The NetworkFlow Collector fails to detect loopback connections of Connection Opened or Connection Closed.

This limitation has two effects. First, triggers configured to detect Network events from loopback traffic are not fired. Second, an Active Response search using the NetworkFlow Collector does not show these types of connections.

Solution: None. This limitation is caused by the way the Windows TCP/IP stack is implemented and by design decisions in Active Response.
Reference Number: 1235857. Related Article: not listed. Found in MAR version: 2.2. Resolved in MAR version: 2.3.
Issue: When you upgrade your Mac to 10.13.4, you see the error:

Active Response: Not Working

in the McAfee shield product status. This error indicates an incompatibility with AAC because of duplicate symbols for the sha256 calculation.

Solution:
  • Fixed in MAR client 2.3.
  • AAC compatibility will be resolved with ENSM 10.5.
