| Reference Number | Related Article | Found in MAR version | Resolved in MAR version | Issue Description |
|---|---|---|---|---|
| PERINOLA-16297 | | 2.4.3 | 2.4.4 | Issue: After you upgrade ePO 5.10 to Update 9, you see the following error when you navigate to any Active Response page in ePO: Solution: Install MAR 2.4.4. |
| TSET-5237 | | 2.4 | 2.4.3 | Issue: Active Response stops responding (crashes) when the ENS 10.6.1 December 2019 update or ENS 10.7 February update has been installed in the environment. Solution: Install MAR 2.4.3. |
| | | 2.4 | | Issue: MAR installation fails on a clean endpoint (without ENS) if the ENS version available in the ePO Master Repository Current Branch is 10.7. Cause: MAR depends on ENS. If ENS is not already installed in the endpoint, the MAR installer pulls the packages TP and ATP from the Master Repository. The installation of ENS 10.7 fails in that scenario, which causes the MAR installation to fail. Solution: Install ENS 10.7 before you trigger the MAR installation. |
| ENSW-27358 | | 2.4 | 2.4.2 | Issue: MAR can't be installed or upgraded on top of ENS 10.7 Release to Support evaluation builds greater than build 10.7.0.541. Solution: Upgrade to MAR 2.4.2. |
| N/A | | 2.4 | | Issue: Active Response Registered Server does not activate and shows Solution: Make sure that the configured Server Location is valid. Then, use the IMPORTANT: Active Response registered server is not updated automatically if it was manually edited and saved. If the Active Response registered server was manually edited, it must be removed and re-created during upgrade. |
| 1257901 | | 2.4 | | Issue: Too many complex searches at once might cause JVM heap to overrun. This situation stops the Solution: Expand JVM heap limits by adding Restrict ES heap size by changing Restart the service by running |
| 1256879 | | 2.4 | | Issue: Active Response Server 2.4 upgrade fails to leave the service uninstalled when pushed to a legacy Active Response 2.3 appliance. Solution: Check the required one-time migration procedure detailed in the MAR 2.4 Installation Guide. Redeploy Active Response Server 2.3 to recover functionality and custom content. |
| | KB90915 | 2.4 | | Issue: When you upgrade from a multi-server installation (2.3 and earlier) to a single-server setup (2.4 and later), you must migrate your configured content to avoid losing it. Solution: See the related article. |
| 1244782 | KB90784 | 2.2 | 2.3 | Issue: Installing MAR 2.2.x via ePolicy Orchestrator fails when Endpoint Security 10.6 is installed. Solution: Fixed in MAR client 2.3. |
| 1241963 | | 2.3 | 2.3 HF4 2.4 HF1 | Issue: You install or upgrade a McAfee product on a system with SysCore with Endpoint Security Exploit Prevention or Host Intrusion Prevention Exploit Prevention enabled. You then see either a blue screen displayed, or the system stops responding (hangs). Workaround: Disable the Exploit Prevention feature before you install or upgrade the software. Solution: Fixed in 2.3 Hotfix 4 and 2.4 Hotfix 1 (RTS). |
| 1176118 | | 2.3 | 2.3 HF1 | Issue: Workspace does not receive remediation events automatically for Mac endpoints. You must manually dismiss the event. Workaround: Apply a remediation. Then check for processes being properly closed in the Trace chart for each host. Then manually dismiss the threat. Or, view the Threat Event Log for the relevant events and manually dismiss the events. |
| | | 2.3 | | Issue: The Trace Plug-in is disabled by default when you upgrade to MAR 2.3 on macOS only. Solution: Navigate to your policy and enable it with the Enable Plug-in for macOS Endpoints options. |
| 1214069 | | 2.2 | 2.3 | Issue: You identify a threat in the Potential Threats list. You then remove one or more of its affected hosts from the System Tree before taking remediation action. But, you see that the threat is not removed from the Potential Threats list. Solution: Remove Affected Hosts you know are no longer a problem. Use the Dismiss action on the Workspace for this removal. |
| 1208348 | | 2.2 | | Issue: The MAR Workspace disables the Stop and Remove action on Known Trusted files. But, if the file is trusted by McAfee Certificates or by McAfee Validation and Trust Protection (VTP) service, the file’s reputation in the Workspace appears as Not Set. Also, the Stop and Remove action is enabled. Solution: When a Stop and Remove action is taken from the Workspace, the |
| 1210099 | | 2.2 | | Issue: When Active Response server runs out of storage space, features in the Catalog, Advanced Search, and Workspace stop working. The issue is not reported in Health Status. Solution: Make sure that the minimum requirements for Active Response server are met. When you experience problems in Advanced Search on the Catalog but have no error messages in Health Status, check the server for low storage capacity. |
| 1214051 | | 2.2 | | Issue: The It only shows Solution: None Available. But the presence of this information might be an indicator of a virtual USB device present. |
| 1207202 | | 2.0.1 | 2.1 | Issue: You enable Trace on the MAR client 2.0.1 and open Outlook. Outlook takes a long time to open and you then see that the endpoint slows down and suffers performance issues. Solution: Upgrade to MAR 2.1. |
| | | 2.0 | | Issue: MAR 2.x is deployed using ePO 5.3. But, if you then upgrade to ePO 5.9, you see that the MAR Server certificates are no longer valid and must be regenerated. Solution: |
| 1209426 | | 2.1.2 | 2.2.0 | Issue: The installer for Active Response Aggregator released in the package for MAR 2.1.0 is defective. Workaround: Perform the applicable workaround: Aggregator version 2.0.1 is available from the Product Downloads site and ePO Software Manager. |
| 1205281 | | 2.1.0 | 2.2.0 | Issue: Installation of the MAR 2.1.0 extensions bundle fails when Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) extensions are already installed in ePO. Workaround: To avoid the installation failure when the DXL and TIE extensions are already installed in ePO, perform the following steps to install the MAR 2.1.0 extensions bundle: |
| 1193660 | | 2.0 | 2.1.0 | Issue: ePO 5.9.0 incorrectly displays MAR 2.0 health check status. |
| 1198057 | | 2.0 | 2.1.0 | Issue: You are working in an environment with at least 50 potential threats recorded. When you move the Time filter to 90 days, you see the error: Solution: This issue is resolved in MAR 2.1.0. |
| 1148152 | | 2.0 | 2.1 | Issue: Because of a problem with how AAC Control manages resources, installation of MAR 2.0 clients can fail on Windows endpoints where other McAfee products are installed. Solution: Restart the endpoint and start installation again. |
| | | 2.0 | | Issue: On Microsoft Windows versions 7, 8.1, and 10 the endpoint might experience performance degradation during boot and shutdown if the latest ENS 10.2.1 package is not installed. Solution: Make sure that endpoints are updated to ENS 10.2.1 before installation. |
| | | 2.0 | | Issue: The Help extensions for Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) that are relevant to a MAR 2.0 deployment are not included in the MAR 2.0 extensions bundle. (The MAR Help extension is included.) Solution: Install the DXL and TIE Help extensions manually from the ePolicy Orchestrator (ePO) Software Manager. |
| 1163497 | | 2.0 | 2.0.1 | Issue: MAR client reports false positive threats for issues related to processes that generate process and network, file system, or Windows Registry events that occur due to normal operation. Cause: The Potential Threats list on the Active Response Workspace is populated with processes found on endpoints that have called the attention of the MAR client. The MAR client primarily monitors process events, network events, filesystem events, and Windows Registry events. For example, the Resolution: There can be cases where a seemingly trusted process might exhibit malicious behavior. Check the following: |
| | | 2.0 | | Issue: After you perform the Make Known Trusted action on a threat, the threat does not disappear from the Potential Threats list. Cause: Threats that are remediated by setting the TIE reputation to Known Trusted might still produce events on endpoints. Although the user might want to assume that these running processes are safe, the processes still produce MAR events. The reason is because other processes could use the trusted process in a malicious way. Solution: To focus on recent activity, use the time selector in the Workspace. Hide from the Potential Threats list those events that have been marked as Known Trusted. Also, after 90 days have passed since the first time the trusted process was seen, it is removed from the workspace. NOTE: If the trusted process reappears on the Workspace as a threat, it means that there is new activity that the incident responder must inspect. |
| | | 2.0 | | Issue: When you use the Stop And Remove action through the Active Response Workspace, the process created by running a remote file is closed. But, the remote file is removed from the network shared drives or folders. Files included are ones that are not stored locally on the endpoint, but are logically linked to the endpoint. For example, Windows shared folders connected to the endpoint as drives. Cause: By design Active Response can't access network shared files due to security constraints. Workaround: If MAR is installed on the file server that is linked to or accessed by the endpoint where the threat is detected, use an Active Response search to find the file and remove it. |