Endpoint Security Adaptive Threat Protection 10.x Known Issues
Technical Articles ID:   KB88788
Last Modified:  7/10/2018


Environment

McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.6.x, 10.5.x, 10.2.x

For ENS supported environments, see KB82761.

For ENS Firewall, Threat Prevention, and Web Control known issues, see KB82450.
For ENS known issues applicable in ePolicy Orchestrator Cloud, see KB79063.

Summary

Recent updates to this article
Date | Update
July 10, 2018 | Updated the "Product release information" section with ENS 10.5.4 July Update.
June 29, 2018 | Non-critical known issues: Added issue 1235803.
June 28, 2018 | Updated the "Product release information" section that ENS 10.5.4 June Update is Release to World (RTW).
June 12, 2018 | Updated for ENS 10.6.0 (Release to World (RTW)) and ENS 10.5.4 June Update (currently Release to Support (RTS)).
May 30, 2018 | Non-critical known issues: Updated issue 1236856, 1233360, and 1224063 as expected to be resolved in ENS 10.5.4 June Update.

Product release information

ENS Version | Release to Support (RTS) | Release to World (RTW) | Release Notes
10.6.0 | May 8, 2018 | June 12, 2018 | PD27443 (ePO managed), PD27781 (ePO Cloud managed)
10.5.4 July Update | N/A | July 10, 2018 | PD27842
10.5.4 June Update | June 12, 2018 | June 27, 2018 | PD27796
10.5.4 Hotfix 1 | N/A | May 8, 2018 | PD27763
10.5.4 | March 29, 2018 | April 24, 2018 | PD27442 (ePO managed), PD27598 (ePO Cloud managed)
10.5.3 Hotfix 3 (HF3) | March 13, 2018 (see NOTE) | N/A | PD27624
10.5.3 Hotfix 2 (HF2) | February 13, 2018 (see NOTE) | N/A | PD27522
10.5.3 Hotfix 1 (HF1) | N/A | January 9, 2018 | PD27439
10.5.3 | October 30, 2017 | November 13, 2017 | PD27192
10.5.2 Hotfix 2 (HF2) | N/A | October 17, 2017 (see NOTE) | PD27314
10.5.2 Threat Prevention extension Hotfix 1213762 (HF1213762) | N/A | October 11, 2017 | PD27301
10.5.2 Hotfix 1 (HF1) | N/A | September 12, 2017 (see NOTE) | PD27252
10.5.2 | July 19, 2017 | August 28, 2017 | PD27025
10.5.1 Hotfix 2 (HF2) - Repost | N/A | June 23, 2017 | PD27121
10.5.1 Hotfix 1 (HF1) | N/A | May 16, 2017 | PD27071
10.5.1 | N/A | March 30, 2017 | PD26967
10.5.0 | N/A | December 19, 2016 | PD26802
10.2.2 | N/A | November 13, 2017 | PD27193
10.2.1 | N/A | March 30, 2017 | PD26908
10.2.0 Hotfix 1164434 (HF1164434) | N/A | November 7, 2016 | PD26758
10.2.0 | N/A | August 11, 2016 | PD26588

NOTE: Hotfixes marked "(see NOTE)" are available only from Technical Support. See the Related Information section below for contact details.

Reference Number | Related Article | Found in ENS ATP Version | Resolved in ENS ATP Version | Issue Description

Reference Number: 1205801
Found in ENS ATP Version: 10.5.2
Resolved in ENS ATP Version: 10.5.2 Hotfix 2, 10.5.3
Issue: A small memory leak in mfeatp.exe might be observed because of the handling of MSXML6.

Resolution: This issue is resolved in ENS 10.5.2 Hotfix 2 and ENS 10.5.3. McAfee recommends that ENS ATP is not used on servers until you install ENS 10.5.2 Hotfix 2 or ENS 10.5.3.

Reference Number | Related Article | Found in ENS ATP Version | Resolved in ENS ATP Version | Issue Description

Issues found in ENS ATP 10.5.4
Reference Number: 1235803
Found in ENS ATP Version: 10.5.4
Issue: In environments with short-lived processes with an unknown reputation, such as a compiler, ENS produces a performance penalty on the overall execution. This penalty occurs because the time required to get a reputation is longer than the reputation retrieval.

Workaround: To avoid the performance penalty, you can add an exclusion for the known path where the originator of the short living process resides. For example, the compiler path.
Issues found in ENS ATP 10.5.3
Reference Number: 1236856, 1233360, 1224063
Related Article: KB90496
Found in ENS ATP Version: 10.5.3
Resolved in ENS ATP Version: 10.5.4 June Update, 10.6.0
Issue: Memory consumption by mfeatp.exe continues to grow beyond 300 MB. mfeatp.exe is provided as part of ENS ATP.

Workaround: Currently the only known workaround is to uninstall ATP.

Resolution: This issue is resolved in ENS 10.5.4 June Update, and in ENS 10.6.0. See the related article for more information.

Reference Number: 1225548
Found in ENS ATP Version: 10.5.3
Resolved in ENS ATP Version: 10.6.0
Issue: ENS ATP logs the following error even though the reputation for the file is already finalized:
 
mfeatp(1500.2936) <SYSTEM> Orchestrator.JCM.Error: Failed to finalize reputation for file <file name>. ErrorCode 0xc030002f

Resolution: This issue is resolved in ENS 10.6.0. ENS 10.6.0 logs the following instead:
 
mfeatp(7444.10616) <SYSTEM> Orchestrator.JCM.Debug: Reputation already finalized for file <file name>. ReturnCode 0xc030002f

Reference Number: 1224244, 1224177
Related Article: KB90189
Found in ENS ATP Version: 10.5.3
Resolved in ENS ATP Version: 10.5.3 Hotfix 2
Issue: The following issues might occur with ENS ATP events:
  • ENS ATP events are not being generated, and you see an exception for mfeesp.exe in the Application Event Log.
  • Events are corrupted. For example, events display as generated on a fixed date of 1/31/1900 rather than the actual time when they were generated.
Resolution: This issue is resolved in ENS 10.5.3 Hotfix 2. See the related article for more information.

Reference Number: 1218004
Found in ENS ATP Version: 10.5.3
Issue: ENS ATP does not honor Threat Intelligence Exchange and Global Threat Intelligence Certificate Reputation.

Workaround: Set McAfeeRevocation to False.

Reference Number: 1213432
Found in ENS ATP Version: 10.5.3
Resolved in: DXL 4.0.0, DXL 3.1.0 Hotfix 9
Issue: ENS ATP crashes on various DLLs and restarts every 30 minutes.

Cause: There is a conflict with older Data Exchange Layer (DXL) versions.

Resolution: Perform one of the following options:
  • Upgrade to DXL 4.0.0 (build 4.0.0.402.1 or later).
  • Upgrade to DXL 3.1.0 Hotfix 9 (build 3.1.0.608.1 or later).
Issues found in ENS ATP 10.5.2
Reference Number: 1209012
Found in ENS ATP Version: 10.5.2
Resolved in ENS ATP Version: 10.5.2 Hotfix 1
Issue: On servers, a small long-term memory leak in the ATP module might be observed.

Resolution: This issue is resolved in ENS 10.5.2 Hotfix 1.
Issues found in ENS ATP 10.5.1
Reference Number: 1203276
Related Article: KB89813
Found in ENS ATP Version: 10.5.1
Resolved in ENS ATP Version: 10.5.3
Issue: ENS ATP blocks a file despite being set as "Known Trusted" by Enterprise reputation exception. The ENS ATP reputation for the file is not set correctly. Even if the Enterprise reputation is configured as "Known Trusted" on the local Threat Intelligence Exchange Server, the local ATP client is unable to enforce the "Known Trusted" reputation.

Resolution: This issue is resolved in ENS 10.5.3. See the related article for more information.

Reference Number: 1179963
Found in ENS ATP Version: 10.5.1
Resolved in ENS ATP Version: Will Not Fix
Issue: When you use Kerberos authentication in the proxy server, Real Protect reports the connection failed and the ATP log reports RcStatus code 19. This issue occurs when the proxy server is configured by IP address in the ENS Common policy setting and the ENS/Real Protect client fails to reach the proxy server. So, the Real Protect scan might make a direct connection.

Resolution: This issue will not be resolved. Because of a known limitation in Kerberos, when you use Kerberos authentication in the proxy server, it is always recommended that you configure the proxy server by fully qualified domain name (FQDN)/DNS name rather than by IP address in the ENS Common policy setting. (An example FQDN/DNS name is testkerbproxy.domain.com.) For a system proxy in the Common policy, also follow the FQDN/DNS naming convention when you specify the proxy server in the browser proxy configuration, such as in the browser manual proxy setting, and WPAD or PAC file.
Issues found in ENS ATP 10.5.0
Reference Number: 1171034
Found in ENS ATP Version: 10.5.0
Resolved in ENS ATP Version: 10.5.1
Issue: After you change the reputation of a file on the TIE server, ATP does not receive the reputation change notification.

Resolution: This issue is resolved in ENS 10.5.1.

Reference Number: 1167980
Found in ENS ATP Version: 10.5.0
Resolved in ENS ATP Version: 10.5.1
Issue: TIE server 2.x allows administrators to override the file reputation before they first change the certificate reputation corresponding to that file to "unknown." In other words, file and certificate reputations can be changed independently.
TIE server 1.x does not allow administrators to override the file reputation before they first change the certificate reputation corresponding to that file to "unknown." In other words, file and certificate reputation have a dependency.

Workaround: For file reputation overrides to work with TIE server 2.0, administrators need to mark the certificate reputation as "unknown" before they override the file reputation, as in TIE server 1.x.

Resolution: This issue is resolved in ENS 10.5.1.

Reference Number: 1166116
Found in ENS ATP Version: 10.5.0
Resolved in: ePO 5.9
Issue: If you view the Grouped By Certificate monitor on the bottom of the ATP dashboard in ePolicy Orchestrator 5.3.2, the table does not have any column headers.

Resolution: This issue is resolved in ePolicy Orchestrator 5.9.

Reference Number: 1161102
Found in ENS ATP Version: 10.5.0
Resolved in ENS ATP Version: As Designed
Issue: If the ENS console is open when the ATP module is installed, you must close and reopen the console for the ATP module to display properly in the console.

Resolution: This behavior is as designed.

Reference Number: 1160578
Found in ENS ATP Version: 10.5.0
Resolved in: ePO 5.9
Issue: When you use Internet Explorer 11, if you drill down on ATP detections reported back to ePolicy Orchestrator in the ATP dashboard report, an error dialog displays. The functionality works despite the error dialog.

Workaround: Use a different browser such as Firefox or Chrome.

Resolution: This issue is resolved in ePolicy Orchestrator 5.9.

Reference Number: 1160153
Found in ENS ATP Version: 10.5.0
Resolved in ENS ATP Version: As Designed
Issue: A process detected as malicious by Real Protect, its child processes, and the files dropped by the detected process are sometimes not backed up using a single Quarantine ID. Remediation of a Real Protect detection involves cleaning (Delete or Repair) of the process itself, child processes, and dropped files. During the remediation process, there is a possibility that some items might be cleaned by Engine and some might be cleaned by Real Protect. In such scenarios, each item remediated by Engine is backed up in the Quarantine store with a different Quarantine ID. All items remediated by Real Protect have a single Quarantine ID. Usually, Real Protect cleans all items in a single quarantine session, so all items are grouped under a single Quarantine ID.

Resolution: This behavior is as designed. If you want to restore all items of a Real Protect detection, ensure that you look at multiple consecutive quarantine items (Grouped by Time Quarantined) in the Quarantine Manager. For a single remediation session of Real Protect detection, items remediated by Engine have the quarantine name with TIE/Suspect! and items remediated by Real Protect have the quarantine name that starts with Real Protect.

Reference Number: 1158995
Found in ENS ATP Version: 10.5.0
Resolved in ENS ATP Version: Will Not Fix
Issue: Real Protect does not delete the directories created by a malicious application. Real Protect remediates each item created or changed by the target application, but the metadata about whether the item is created or changed is not provided for remediation.

Resolution: This issue will not be resolved. The remediation module does not delete the directories to avoid loss of any other data.

Reference Number: 1157091
Found in ENS ATP Version: 10.5.0
Resolved in ENS ATP Version: 10.5.2
Issue: If you drill down on an ATP event in the ePolicy Orchestrator Threat Event Log, the Detecting Product Version field does not include a build number in the version number.

Resolution: This issue is resolved in ENS 10.5.2.

Reference Number: 1152719
Found in ENS ATP Version: 10.5.0
Issue: The enabled state property of underlying ATP technologies, such as Dynamic Application Containment and Real Protect, is not reported as a product property in ePolicy Orchestrator. Also, no compliance status is reported for ATP.

Reference Number: 1152714
Found in ENS ATP Version: 10.5.0
Issue: In Queries & Reports, in the Available Columns section, the ATP Properties title shows as Endpoint Security Threat Intelligence Properties. If an extension registers multiple product families with different display names, a random display name is chosen to be used for defining queries. The TIE extension was renamed to the ATP extension and the ATP extension supports both TIE and ATP clients, so it registers multiple product families.

Resolution: This issue is expected to be resolved in ePolicy Orchestrator 5.10.
Issues found in ENS ATP 10.2.0
Reference Number: 1181583, 1179536, 1177446
Related Article: KB88758
Found in ENS ATP Version: 10.2.0
Resolved in ENS ATP Version: 10.5.1
Issue: When Dynamic Application Containment (DAC) is enabled, Advanced Threat Defense submissions do not occur, the file name is not reported for files with "Unknown" reputations, or both.

Workaround: Disable the DAC threshold. See the related article for more information.

Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.

Reference Number: 1146516
Found in ENS ATP Version: 10.2.0
Resolved in ENS ATP Version: 10.5.3
Issue: The client UI displays the message "Prompt reputation threshold must be equal to or higher than Dynamic Application Containment" when the notification threshold is less than the Dynamic Application Containment (DAC) threshold. However, the client settings incorrectly allow this combination to be saved.

Resolution: This issue is resolved in ENS 10.5.3.

Reference Number: 1140086
Found in ENS ATP Version: 10.2.0
Resolved in ENS ATP Version: As Designed
Issue: A file with an unknown reputation is not contained by Dynamic Application Containment (DAC).

Resolution: This behavior is as designed.

Reference Number: 1138644
Found in ENS ATP Version: 10.2.0
Resolved in ENS ATP Version: 10.6.0
Issue: The Dynamic Application Containment (DAC) Requester field is not localized.

Resolution: This issue is resolved in ENS 10.6.0.

Reference Number: 1136840
Related Article: KB89079
Found in ENS ATP Version: 10.2.0
Resolved in ENS ATP Version: Will Not Fix
Issue: McAfee Agent installation is blocked because Dynamic Application Containment contains the file FramePkg.exe due to "unknown" reputation as indicated by Threat Intelligence.

Resolution: This issue will not be resolved. Create a Dynamic Application Containment exclusion for the file FramePkg.exe. See the related article for more information.

Reference Number: 1128863
Found in ENS ATP Version: 10.2.0
Resolved in ENS ATP Version: Will Not Fix
Issue: Duplicated Dynamic Application Containment (DAC) exclusions are allowed on the client. The client UI does not detect duplicate DAC exclusions like the ePolicy Orchestrator Policy Editor does. There is no negative result from the duplicated exclusions.

Resolution: This issue will not be resolved. Manually check for duplicate DAC exclusions.

Reference Number: 1125493
Found in ENS ATP Version: 10.2.0
Resolved in ENS ATP Version: 10.5.1
Issue: The client UI does not dynamically update as applications are contained and released from containment.

Workaround: To refresh the list of contained applications, close and reopen the client UI.

Resolution: This issue is resolved in ENS 10.5.1.



Disclaimer

The content of this article originated in English. If there are differences between the English content and its translation, the English content is always the most accurate. Some of this content has been provided using Machine Translation translated by Microsoft.
