How to verify that Real Protect is installed correctly and that endpoints can communicate with the McAfee cloud for detections
Technical Articles ID:   KB88828
Last Modified:  6/13/2019


Environment

McAfee Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.x

Summary

Use the information in this article to ensure that Real Protect in the ENS ATP module is installed correctly, and to ensure that endpoints can communicate with the McAfee cloud for detections.

Real Protect test file programs
To test Real Protect detection functionality, use the password protected file RealProtect-TestFile.zip in the Attachment section of this article.

NOTES:
  • The password for the .zip file is clean. The .zip file is password protected only so that it is not blocked when sent via email; the password is deliberately simple, whereas passwords normally meet higher security standards.
  • RP-S TestFile.exe and RP-D TestFile.exe are test programs to check Real Protect client and cloud-based detections. They are harmless.
After you extract RealProtect-TestFile.zip, you can run the files to trigger a Real Protect detection.

ENS 10.5.x Real Protect requires connectivity to either Global Threat Intelligence (GTI) or Threat Intelligence Exchange (TIE) Server to function correctly and detect files. ENS 10.6.x Real Protect adds the ability to run client scanning offline, without requiring connectivity to GTI or TIE Server.

McAfee products that use Real Protect send the associated lookup queries to the domain: realprotect1.mcafee.com

Real Protect client detection test
To ensure that Real Protect client scanning is functioning correctly, follow these steps:
  1. Ensure that ENS with the ATP module installed is running.
  2. Open Windows Explorer and navigate to the folder that contains the test utility RP-S TestFile.exe.
  3. Double-click RP-S TestFile.exe. This action starts the program.
If Real Protect client scanning is functioning correctly in ENS, it detects the file and prevents the file from running.

NOTE: Real Protect does not detect the file on subsequent attempts to run the file from the same location.

Real Protect cloud detection test
To ensure that Real Protect cloud scanning is functioning correctly, follow these steps:
  1. Ensure that ENS with the ATP module installed is running.
  2. Ensure that the option Clean when reputation threshold reaches is enabled in the ATP Options policy, under Action Enforcement. This option must be enabled for a Threat Event for RP-D to be generated on the endpoint.
  3. Open Windows Explorer and navigate to the folder that contains the test utility RP-D TestFile.exe.
  4. Double-click RP-D TestFile.exe. This action starts the program.

    NOTE: The RP-D TestFile.exe must be running for a minute for the detection to trigger.
If Real Protect cloud scanning is functioning correctly in ENS, it detects the file and prevents the file from running.

NOTE: Real Protect does not detect the file on subsequent attempts to run the file from the same location.

Real Protect log IDs
Each time Real Protect completes a scan of a file, it creates an entry in the AdaptiveThreatProtection_Activity.log with an ID that indicates the result of the scan. You can use the ID to troubleshoot issues with Real Protect.

Example from AdaptiveThreatProtection_Activity.log:
 
1/24/2017 10:51:15 AM   mfeatp(4056.4556) Orchestrator.RepChangeListener.Activity: Real Protect cloud scanner trace complete for process id 8044, file c:\Windows\SysWOW64\SearchProtocolHost.exe with reason id 5
 
The possible IDs are as follows:
0 - Process found with clean reputation
1 - Process found with unknown reputation
2 - Time out
3 - Unknown failure
4 - Unsupported version
5 - Not enough events
6 - McAfee managed product request does not scan
7 - Phase 1 remediation is over
8 - Process terminated
9 - No network
10 - Process was spikey and was not scanned
11 - Process is cached with unknown reputation
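
The following is an added example, not McAfee code: a small parser that reads Real Protect trace lines from AdaptiveThreatProtection_Activity.log, maps each reason ID to the text listed above, and flags results that suggest the scan did not complete. The set of flagged IDs (2, 3, 4, 9) is an assumption made for this example, and all sample lines except the first are constructed.

```python
import re
from collections import Counter

REASONS = [  # index == reason ID; text exactly as listed in the article
    "Process found with clean reputation", "Process found with unknown reputation",
    "Time out", "Unknown failure", "Unsupported version", "Not enough events",
    "McAfee managed product request does not scan", "Phase 1 remediation is over",
    "Process terminated", "No network",
    "Process was spikey and was not scanned", "Process is cached with unknown reputation",
]
# Assumption (not from the article): IDs to triage first when a test detection does not fire.
ATTENTION = {2, 3, 4, 9}

# Layout taken from the article's example line; only the "cloud" form appears there.
LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+ [AP]M)\s+.*Real Protect (?P<scanner>\w+) scanner trace complete "
    r"for process id (?P<pid>\d+), file (?P<file>.+) with reason id (?P<reason>\d+)$"
)

def parse_line(line):
    """Return a dict for a Real Protect trace line, or None for any other log line."""
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    rid = int(m["reason"])
    text = REASONS[rid] if rid < len(REASONS) else "ID not listed in the article"
    return {"time": m["time"], "scanner": m["scanner"], "pid": int(m["pid"]),
            "file": m["file"], "reason_id": rid, "reason": text,
            "attention": rid in ATTENTION}

def summarize(lines):
    """Parse all lines; return (events, count per reason ID, events needing attention)."""
    events = [e for e in map(parse_line, lines) if e]
    counts = Counter(e["reason_id"] for e in events)
    return events, counts, [e for e in events if e["attention"]]

SAMPLE = [  # first line is the article's example; the other three are constructed
    r"1/24/2017 10:51:15 AM   mfeatp(4056.4556) Orchestrator.RepChangeListener.Activity: Real Protect cloud scanner trace complete for process id 8044, file c:\Windows\SysWOW64\SearchProtocolHost.exe with reason id 5",
    r"6/13/2019 9:02:11 AM   mfeatp(4056.4556) Orchestrator.RepChangeListener.Activity: Real Protect cloud scanner trace complete for process id 5120, file c:\Temp\RP-D TestFile.exe with reason id 9",
    r"6/13/2019 9:02:12 AM   mfeatp(4056.4556) (constructed unrelated activity line)",
    r"6/13/2019 9:05:40 AM   mfeatp(4056.4556) Orchestrator.RepChangeListener.Activity: Real Protect cloud scanner trace complete for process id 5388, file c:\Temp\RP-D TestFile.exe with reason id 2",
]

if __name__ == "__main__":
    events, counts, flagged = summarize(SAMPLE)
    for rid, n in sorted(counts.items()):
        print(f"reason id {rid} ({REASONS[rid]}): {n}")
    for e in flagged:
        print(f"CHECK {e['time']} pid={e['pid']} {e['file']}: {e['reason']}")
```

To use it against a real endpoint, pass the lines of the log file to summarize() instead of SAMPLE.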

Attachment

RealProtect-TestFile.zip
667K • < 1 minute @ broadband

