Endpoint Security Adaptive Threat Protection 10.x Known Issues
Technical Articles ID:   KB88788
Last Modified:  1/11/2018

Environment

McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.5.x, 10.2.x

For ENS supported environments, see KB82761.

For ENS Firewall, Threat Prevention, and Web Control known issues, see KB82450.
For ENS known issues applicable in ePolicy Orchestrator Cloud, see KB79063.

Summary

Recent updates to this article
Date | Update
January 11, 2018 | Updated for ENS 10.5.3 Hotfix 1.
November 14, 2017 | Added issue 1218004.
November 13, 2017 | Updated for ENS 10.5.3 and ENS 10.2.2.
October 24, 2017 | Added issue 1203276.
October 18, 2017 | Added ENS 10.5.2 Hotfix 2 to the product release information table. Updated issue 1205801 as fixed in ENS 10.5.2 Hotfix 2, issue 1160578 as fixed in ePolicy Orchestrator 5.9, and issue 1146516 as expected to be fixed in ENS 10.5.3.

Contents
 
ENS Version | Release to Support (RTS) | Release to World (RTW) | Release Notes
10.5.3 Hotfix 1 (HF1) | N/A | January 9, 2018 | PD27439
10.5.3 | October 30, 2017 | November 13, 2017 | PD27192
10.5.2 Hotfix 2 (HF2) | N/A | October 17, 2017 (NOTE: This hotfix is available only from Technical Support. See the Related Information section below for contact details.) | PD27314
10.5.2 Threat Prevention extension Hotfix 1213762 (HF1213762) | N/A | October 11, 2017 | PD27301
10.5.2 Hotfix 1 (HF1) | N/A | September 12, 2017 (NOTE: This hotfix is available only from Technical Support. See the Related Information section below for contact details.) | PD27252
10.5.2 | July 19, 2017 | August 28, 2017 | PD27025
10.5.1 Hotfix 2 (HF2) - Repost | N/A | June 23, 2017 | PD27121
10.5.1 Hotfix 1 (HF1) | N/A | May 16, 2017 | PD27071
10.5.1 | N/A | March 30, 2017 | PD26967
10.5.0 | N/A | December 19, 2016 | PD26802
10.2.2 | N/A | November 13, 2017 | PD27193
10.2.1 | N/A | March 30, 2017 | PD26908
10.2.0 Hotfix 1164434 (HF1164434) | N/A | November 7, 2016 | PD26758
10.2.0 | N/A | August 11, 2016 | PD26588
 
Reference Number | Related Article | Found in ENS ATP Version | Resolved in ENS ATP Version | Issue Description
Issues found in ENS ATP 10.5.2
1205801 | | 10.5.2 | 10.5.2 Hotfix 2 / 10.5.3 | Issue: A small memory leak in mfeatp.exe might be observed because of the handling of MSXML6.

Resolution: This issue is resolved in ENS 10.5.2 Hotfix 2 and ENS 10.5.3. McAfee recommends that ENS ATP is not used on servers until you install ENS 10.5.2 Hotfix 2 or ENS 10.5.3.
Reference Number | Related Article | Found in ENS ATP Version | Resolved in ENS ATP Version | Issue Description
Issues found in ENS ATP 10.5.3
1218004 | | 10.5.3 | | Issue: ENS ATP does not honor Threat Intelligence Exchange and Global Threat Intelligence Certificate Reputation.

Workaround: Set McAfeeRevocation to False.
1213432 | | 10.5.3 | | Issue: ENS ATP crashes on various DLLs and restarts every 30 minutes.

Cause: There is a conflict with older Data Exchange Layer (DXL) versions.

Workaround: Perform one of the following options:
  • Upgrade to DXL 4.0 (build 4.0.0.402.1 or later).
  • Upgrade to DXL 3.1.0 Hotfix 9 (build 3.1.0.608.1 or later).
Issues found in ENS ATP 10.5.2
1209012 | | 10.5.2 | 10.5.2 Hotfix 1 | Issue: On servers, a small long-term memory leak in the ATP module might be observed.

Resolution: This issue is resolved in ENS 10.5.2 Hotfix 1.
Issues found in ENS ATP 10.5.1
1203276 | KB89813 | 10.5.1 | 10.5.3 | Issue: ENS ATP blocks a file despite being set as "Known Trusted" by Enterprise reputation exception. The ENS ATP reputation for the file is not set correctly. Even if the Enterprise reputation is configured as "Known Trusted" on the local Threat Intelligence Exchange Server, the local ATP client is unable to enforce the "Known Trusted" reputation.

Resolution: This issue is resolved in ENS 10.5.3. See the related article for more information.
1179963 | | 10.5.1 | As Designed | Issue: When you use Kerberos authentication in the proxy server, Real Protect reports the connection failed and the ATP log reports RcStatus code 19. This issue occurs when the proxy server is configured by IP address in the ENS Common policy setting and the ENS/Real Protect client fails to reach the proxy server. Hence, the Real Protect scan might make a direct connection.

Resolution: This behavior is as designed. Because of a known limitation in Kerberos, when you use Kerberos authentication in the proxy server, it is always recommended to configure the proxy server by Fully Qualified Domain Name (FQDN)/DNS name rather than by IP address in the ENS Common policy setting. (An example FQDN/DNS name is testkerbproxy.domain.com.) For a system proxy in the Common policy, also follow the FQDN/DNS naming convention when you specify the proxy server in the browser proxy configuration (in the browser manual proxy setting, WPAD or PAC file, and so on).
Issues found in ENS ATP 10.5.0
1171034 | | 10.5.0 | 10.5.1 | Issue: After you change the reputation of a file on the TIE server, ATP does not receive the reputation change notification.

Resolution: This issue is resolved in ENS 10.5.1.
1167980 | | 10.5.0 | 10.5.1 | Issue: TIE server 2.x allows administrators to override the file reputation before they first change the certificate reputation corresponding to that file to "unknown." In other words, file and certificate reputations can be changed independently.
TIE server 1.x does not allow administrators to override the file reputation before they first change the certificate reputation corresponding to that file to "unknown." In other words, file and certificate reputation have a dependency.

Workaround: For file reputation overrides to work with TIE server 2.0, administrators need to mark the certificate reputation as "unknown" before they override the file reputation, as in TIE server 1.x.

Resolution: This issue is resolved in ENS 10.5.1.
1166116 | | 10.5.0 | | Issue: If you view the Grouped By Certificate monitor on the bottom of the ATP dashboard in ePolicy Orchestrator 5.3.2, the table does not have any column headers.

Workaround: Use a later version of ePolicy Orchestrator.
1161102 | | 10.5.0 | As Designed | Issue: If the ENS console is open when the ATP module is installed, you must close and reopen the console for the ATP module to display properly in the console.

Resolution: This behavior is as designed.
1160578 | | 10.5.0 | ePO 5.9 | Issue: When you use Internet Explorer 11, if you drill down on ATP detections reported back to ePolicy Orchestrator in the ATP dashboard report, an error dialog displays. The functionality works despite the error dialog.

Workaround: Use a different browser such as Firefox or Chrome.

Resolution: This issue is resolved in ePolicy Orchestrator 5.9.
1160153 | | 10.5.0 | As Designed | Issue: A process detected as malicious by Real Protect, its child process, and files dropped by the detected process are sometimes not backed up using a single Quarantine ID. Remediation of Real Protect detection involves cleaning (Delete or Repair) of the process itself, child processes, and dropped files. During the remediation process, there is a possibility that some items might be cleaned by Engine and some might be cleaned by Real Protect. In such scenarios, each item remediated by Engine is backed up in the Quarantine store with a different Quarantine ID. All items remediated by Real Protect have a single Quarantine ID. Usually, all items are cleaned by Real Protect in a single quarantine session, so all items are grouped under a single Quarantine ID.

Resolution: This behavior is as designed. If you want to restore all items of a Real Protect detection, ensure that you look at multiple consecutive quarantine items (Grouped by Time Quarantined) in the Quarantine Manager. For a single remediation session of Real Protect detection, items remediated by Engine have the quarantine name with TIE/Suspect! and items remediated by Real Protect have the quarantine name that starts with Real Protect.
1158995 | | 10.5.0 | | Issue: Real Protect does not delete the directories created by a malicious application. Real Protect remediates each item created or changed by the target application, but the metadata about whether the item is created or changed is not provided for remediation. The remediation module does not delete the directories to avoid loss of any other data.
1157091 | | 10.5.0 | 10.5.2 | Issue: If you drill down on an ATP event in the ePolicy Orchestrator Threat Event Log, the Detecting Product Version field does not include a build number in the version number.

Resolution: This issue is resolved in ENS 10.5.2.
1152719 | | 10.5.0 | | Issue: The enabled state property of underlying ATP technologies, such as Dynamic Application Containment and Real Protect, is not reported as a product property in ePolicy Orchestrator. Also, no compliance status is reported for ATP.
1152714 | | 10.5.0 | | Issue: In Queries & Reports, in the Available Columns section, the ATP Properties title shows as Endpoint Security Threat Intelligence Properties. If an extension registers multiple product families with different display names, a random display name is chosen to be used for defining queries. The TIE extension was renamed to the ATP extension and the ATP extension supports both TIE and ATP clients, so it registers multiple product families.
Issues found in ENS ATP 10.2.0
1181583, 1179536, 1177446 | KB88758 | 10.2.0 | 10.5.1 | Issue: When Dynamic Application Containment (DAC) is enabled, Advanced Threat Defense submissions do not occur, the Filename is not reported for files with "Unknown" reputations, or both.

Workaround: Disable the DAC threshold. See the related article for more information.

Resolution: This issue is resolved in ENS 10.5.1. See the related article for more information.
1146516 | | 10.2.0 | 10.5.3 | Issue: The client UI displays the message "Prompt reputation threshold must be equal to or higher than Dynamic Application Containment" when the notification threshold is less than the Dynamic Application Containment (DAC) threshold. However, the client settings incorrectly allow this combination to be saved.

Resolution: This issue is resolved in ENS 10.5.3.
1140086 | | 10.2.0 | | Issue: A file with an unknown reputation is not contained by Dynamic Application Containment (DAC).
1138644 | | 10.2.0 | | Issue: The Dynamic Application Containment (DAC) Requester field is not localized.
1136840 | KB89079 | 10.2.0 | | Issue: McAfee Agent installation is blocked because Dynamic Application Containment contains the file FramePkg.exe due to "unknown" reputation as indicated by Threat Intelligence.

Workaround: Create a Dynamic Application Containment exclusion for the file FramePkg.exe. See the related article for more information.
1128863 | | 10.2.0 | | Issue: Duplicated Dynamic Application Containment (DAC) exclusions are allowed on the client. The client UI does not detect duplicate DAC exclusions like the ePolicy Orchestrator Policy Editor does. There is no negative result from the duplicated exclusions.

Workaround: Manually check for duplicate DAC exclusions.
1125493 | | 10.2.0 | 10.5.1 | Issue: The client UI does not dynamically update as applications are contained and released from containment.

Workaround: To refresh the list of contained applications, close and reopen the client UI.

Resolution: This issue is resolved in ENS 10.5.1.
