| Release Notes | Version | General Availability |
| PD28262 | 4.6.2 | March 12, 2019 |
| PD28096 | 4.6 | November 13, 2018 |
| PD27834 | 4.4.2 | July 10, 2018 |
| PD27656 | 4.4.0 | May 8, 2018 |
| PD27545 | 4.2.2 | February 21, 2018 |
| PD27385 | 4.2 | November 29, 2017 |
| PD27544 | 4.0.6 | February 21, 2018 |
| PD27243 | 4.0.4 | September 6, 2017 |
| PD27138 | 4.0 | June 26, 2017 |
Advanced Threat Defense 4.x Known Issues
Technical Articles ID:
KB89507
Last Modified: 10/14/2019
Rated:
Last Modified: 10/14/2019
Rated:
Environment
McAfee Advanced Threat Defense (ATD) 4.x
Summary
Recent updates to this article
| Date | Update |
| October 14, 2019 | Added ATD-2110 to Critical Section. |
| September 11, 2019 | Updated 1260957 in Critical section. |
| August 28, 2019 | Added TSNS-7382 to the Non-critical known issues section. |
| August 19, 2019 | Added TSNS-7587 to the Critical known issues section. |
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents
Click to expand the section you want to view:
Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.
| Reference Number | Found in Version | Fixed in Version | Related Article | Issue Description |
| ATD-2110 | 4.x | KB92074 | Issue: Many email reports show attachments as unverified severity, and overall email verdict as -3: scan timeout. Workaround: Configure your sender MTA as shown below for delivering emails to the ATD Email Connector:
|
|
| TSNS-7587 | 4.x | N/A | KB91774 | Issue: Advanced Threat Defense Email Connector intermittently fails to forward email to a relay host specified using a dynamic DNS host name. Solution: Either stop using dynamic DNS, or add dummy relay host rules. See the related article for more information. |
| 1269878 | 4.6 | 4.8 | Issue: Documentation correction to "Prerequisites and considerations" in Chapter 7, "Clustering Advanced Threat Defense Appliances" in the Product Guide. Solution: This issue will be addressed with ATD 4.8 static documentation in PDF. Live Product Documentation has already been updated for the ATD 4.6 Product Guide: https://docs.mcafee.com/bundle/advanced-threat-defense-4.6.x-product-guide/page/GUID-02B0FB43-4A69-402F-8FD1-F38FAB64310C.html Workaround: The first bullet point of "Prerequisites and considerations" needs correction as below: Wrong description: You must use the eth-0 interfaces (management ports) of the Advanced Threat Defense Appliances for cluster communication. Also, for best performance, the eth-0 interfaces of all nodes must be in the same layer-2 network of the OSI reference model. Correct description: You must use the eth-0 interfaces (management ports) of the Advanced Threat Defense Appliances for cluster communication. NOTE: The eth-0 interfaces of all nodes must be in the same layer-2 network of the OSI reference model for better performance and to avoid network latency. |
|
| 1267950 | 4.6 | 4.8 | Issue: Inconsistent scan results are observed across ATD nodes in the same cluster. Solution: This issue is resolved in ATD 4.8. |
|
| 1266987 | 4.6 | 4.8 | Issue: Antivirus DAT update fails sporadically because of a corrupt configuration file in the back-end. Solution: This issue is resolved in ATD 4.8. Workaround: Toggle (enable, then disable) the GTI HTTP Proxy setting in the ATD manager. |
|
| 1274528 | 4.0 | 4.8 | Issue: ATD 4.x up until version 4.6.x does not show GAM Engine 7001.2017.3140 is installed. It shows GAM Engine 7001.2015.2026 is installed. Solution: ATD up until 4.6 does not support 7001.2017.3140. ATD supports 7001.2017.3140. |
|
| 1272814 | 4.6 | Issue: MAR timeout settings fail with HTML samples. Solution: This issue is resolved in ATD 4.8. |
||
| 1274080 | vATD 4.x | N/A | KB91578 | Issue: Virtual Advanced Threat Defense is unreachable over a network after you change the MAC address of the virtual network adapter from hypervisor. Cause: vATD does not support changing the MAC address of its virtual network adapter. Solution: Revert the MAC address to the original one. See the related article for details. |
| 1269632 | vATD 4.x | N/A | KB91593 | Issue: Microsoft Windows sandbox VM shows a blue screen and crashes in virtual Advanced Threat Defense running on Hyper-V host. Cause: You enabled processor compatibility for the vATD instance in Hyper-V. Solution: Disable processor compatibility for the vATD instance in Hyper-V. See the related article for details. |
| 1267129 | 4.6.2 | Issue: After you upgrade to ATD 4.6.2, configured secure NTP stops working. Cause: ATD to Secure NTP communication breaks due to the password being encrypted. Solution: Open and Save the secure NTP settings. |
||
| 1257618 | 4.6.0 | Issue: HTML report does not contain the Timeline section when opened from a locally downloaded Complete Results zip archive. Solution: This behavior is expected. Generate a PDF report and view the Timeline section. The resources for the images, including timeline images, reside in the ATD back-end system. So, they are inaccessible after the report is sent from ATD and is hosted on the end user's computer. To access proper results in locally downloaded Complete Results, open the PDF that is generated for this purpose. |
||
| 1261609 | 4.6.0 | Issue: ATD cluster status becomes unstable. Active director role flaps between primary node and backup node. Solution:
|
||
| 1260957 | 4.4.0 | 4.6.2 | KB91100 | Issue: High memory utilization in SNMP subagent. Solution: Disable SNMP then enable it back. See the Related Article. |
| 1260786 | 4.x | Issue: During boot, vATD reports the error:
Failed to start Load Kernel Modules.
Solution: ATD shares code between physical appliances and vATD. The service that is noted as FAILED during the vATD boot is loading a kernel module relevant only to the hardware appliance. So, it fails when loaded by vATD. This error message can be safely ignored. |
||
| 1260533 | 4.6 | KB91070 | Issue: You migrate to ATD 4.6.0 and the automatic VM creation runs as part of the migration process. But, you see that the VM creation status indicator reports as Failed after the automatic VM creation has finished. Issue: The ATD console screen reports that the DHCP service fails to start during operating system boot sequence. Solution: See the Related Article. |
|
| 1251840 | 4.6 | KB91018 | Issue: VMs in a hybrid cluster are not activated correctly. Solution: See the Related Article. |
|
| 1258604 | 4.6 | KB91019 | Issue: VM creation fails intermittently after you migrate to ATD 4.6.0. Solution: See the Related Article. |
|
| 1239214 | 4.2 | 4.4 | Issue: You are unable to set virtualized nesting Windows 2012R2 Datacenter for Hyper-V. Solution: Virtual ATD does not support Windows 2012R2 Datacenter for Hyper-V. ATD 4.2 Release Notes lists Windows Server 2012 R2 Datacenter under supported environment, which is a documentation error. ATD 4.4 product documentations reflect it, which do not list Windows Server 2012 R2 Datacenter in supported platform. |
|
| 1240458 | 4.0.4 | KB90599 | Issue: ATD does not report disk utilization alert via the syslog channel. Solution: See the Related Article. |
|
| 4.0 | Issue: Incoming email is not delivered to the receiving server. Cause: The Cisco Possible Delivery feature is not compliant with SMTP RFC 5321. This noncompliance results in a loss of emails at the receiving end, which is blamed on ATD. Solution: When the ATD scan timeout is greater than 300 seconds, you must disable Possible Delivery on your Cisco Iron Port appliance. Otherwise, the connection times out and the result is a loss of mail. NOTE: McAfee recommends that you keep a copy of your emails at the email gateway or server. The reason is to avoid loss of mails if there is a fail to receive condition on ATD. The scan timeout is located under: ATD Manager, Manage, Email Connector, Configuration, Scanning Emails, Maximum time per email to wait for all scans to complete |
|||
| 1234016 | 4.4.0 | Issue: vATD is not supported on Haswell, Nehalem, and older processors. For example, Vmcreation fails if vATD is deployed on processor architecture older than Nehalem. Solution: Always deploy vATD on Sandy Bridge or on newer processor architecture |
||
| 1238467 1238840 |
4.2.0 | KB90539 | Issue: Email Connector tears down SMTP connection before returning 250 in DATA phase, Email Report intermittently shows Failed to Receive, or both. Solution: See the Related Article. |
|
| 1236946 | 4.2.2 | Detection Package 4.2.2.180301 | KB90508 | Issue: VMDK to IMG conversion stops responding and displays Converting image as a status indefinitely. Cause: The conversion process fails in the back-end, but the ATD Manager is not updated. Solution: Close the stuck browser window, open the ATD Manager, and log on as admin. Navigate to Content Update and install Detection Package 4.2.2.180301. See the related article for more information. |
| 1232715 | 4.2.2 | 4.4 | KB90396 | Issue: You cannot apply the time zone GMT + N hours. Solution: This issue is resolved in ATD 4.4. See the Related Article for more information. |
| 1229960 1226150 |
4.2.0 4.2.2 |
4.4 | KB90385 | Issue: Memory leak is found in an adapter tool for McAfee Active Response integration. Solution: This issue is resolved in ATD 4.4. See the Related Article for more information. |
| 1232010 1232741 |
4.2.2 | 4.4.2 | KB90386 | Issue: Application crash is reported in sandbox VM, and internet access is impeded in the VM. Solution: The problem is resolved in ATD 4.4.2. See the Related Article for more information. |
| 1222843 | 4.0 | 4.2.2 | KB90371 | Issue: Unrotated log file fills up a disk partition. Solution: Upgrade to ATD 4.2.2. See the Related Article for more information. |
| 1227022 | 4.2 | 4.4 | Issue: When you press the List Files button, the Remote backup file service tries to connect via FTP even though you selected SFTP. Solution: This issue is resolved in ATD 4.4. Workaround: Configure ATD to use an FTP server to perform your remote backups. |
|
| 1222566 | 4.0 | 4.2.2 | KB90209 | Issue: Content Update does not list the latest available package when direct internet access is blocked and a proxy server is needed to connect to the internet. Solution: Upgrade to ATD 4.2.2. |
| 4.2 | KB90200 | Issue: ATD 4.2 documentation no longer lists VMware Workstation as a supported method for creating VM images. Solution: ATD 4.2 supports VMware Workstation, with VMware ESXi and Microsoft Hyper-V to, create analyzer VMs. NOTE: The VMDK preparation tool is not available in the ATD 4.2 manager. IMPORTANT: This known issues article previously stated ATD 4.2 supports only VMware ESXi and Microsoft Hyper-V to create analyzer VMs. This statement was incorrect. ATD 4.2 also supports VMware Workstation to create analyzer VMs. |
||
| 1221575 | 4.2 | KB90107 | Issue: You see that DXL status is DOWN after you migrate to ATD 4.2. Solution:
|
|
| 1221089 | 4.2.0.20 | 4.2.0.22 | Issue: Sample submission fails when your submission URL uses the ATD host name. For example: https://atd.my.company:443/. Solution: This issue is resolved in the ATD 4.2.0.22 content update package. The package is available from the ATD manager, under Manage, Image & Software, Content Update, Application Software. Future ATD releases will include this content update package. Workaround: Use the ATD IP address in your URL. For example: https://192.1.1.10:443/ |
|
| 1219011 | 4.0 | 4.2.2 | Issue: ePO Operating System profiling is not supported for Microsoft Windows 2012 and 2016 servers. Solution: Upgrade to ATD 4.2.2. |
|
| 1216076 | 4.0 | Issue: Custom web certificates synchronized in secondary nodes are not used by web server and x-mode. | ||
| 4.2 | Issue: Configuration of ATD to use Primary and Backup nodes in Microsoft Azure is not supported. In the event the Primary Node stops functioning, the failover does not work and the Backup node does not start. Workaround: Configure ATD to use Primary and Secondary nodes in Microsoft Azure. If the Primary node fails, the Secondary node starts and takes over. |
|||
| 1213997 | 4.0 | 4.2 | KB89885 | Issue: Email Connector directs emails to wrong host instead of to the smart host specified in host name. Solution: This issue is resolved in ATD 4.2. See the Related Article for the details. Workaround: Use IP address for the Smart Host Hostname setting. See the Related Article for full steps. |
| 1211626 | 4.0.4 | 4.2 | KB89851 | Issue: After you upgrade from ATD 4.0.2 to 4.0.4, your Xmode or Activation screen served on port 6080/TCP, starts to use the default ATD certificate. It uses this default certificate instead of the custom web certificate you previously uploaded. Solution: This issue is resolved in ATD 4.2. See the Related Article for the details. |
| 1187242 | 4.0 | 4.2 | KB90022 | Issue: A DNS query from the sandbox VM is incorrectly sent to the preferred DNS server instead of the configured malware DNS server. Solution: This issue is resolved in ATD 4.2. See the Related Article for the details. |
| 1203571 | 4.0.2 | 4.0.4 | KB89749 | Issue: Under rare circumstances, ATD becomes unresponsive because of kernel errors. Workaround: Technical Support can manually update the kernel over a remote session, as a workaround. See the Related Article for details. Solution: This issue is resolved in ATD 4.0.4. |
| 4.0 | Issue: For previous versions of ATD, McAfee mandated that you enable the Allow Multiple Logins option for the admin user on the User Management page when you upgrade ATD. Solution: Although it is no longer mandatory, McAfee still recommends that you select Allow Multiple Logins for the admin user record before you perform the upgrade. (The Migration Guide for ATD 4.0 does not explicitly mention selecting this option even though it is recommended.) |
|||
| 1202968 | 4.0.2 | KB89569 | Issue: Before you upgrade ATD from 3.8.2.23 to 4.0.2, you install and successfully configure web and CA certificates to the ATD appliance. After you complete the upgrade to ATD 4.0.2, you can no longer access the ATD manager. Solution: A solution for this issue is available via a remote session, by Technical Support. See the Related Article for details. |
|
| 4.0 | KB89552 | Issue: After you migrate from ATD 3.8.x to 4.0, Microsoft Windows or Office, requests that you perform product activation. Solution: See the Related Article. |
||
| 4.0 | Issue: You cannot use the following IP subnet range addresses for ATD 4.0 network interfaces:
NOTE: ATD is shipped with internal subnets for VMs (192.168.55.0/24 and 191.168.122.0/24 networks). ATD is shipped with a static routing table for these internal subnets. So, adding ATD to your network means adding those subnets to your network. If your network coincidentally has the same subnet, you see a routing issue between ATD and your existing 192.168.55.0/24 and 191.168.122.0/24 networks. |
|||
| 4.0 | Issue: You can upgrade Virtual ATD from 3.10 or 3.10.2; but, you must use the system-4.0.2.42.61877.msu file and use the process as documented in the Virtual ATD Addendum guide. | |||
| 4.0.2 | Issue: After you upgrade to Virtual ATD 4.0.2.42, you see that some entries under System Health are listed as Degraded and the System Health(Overall) status listed as Uninitialized. Solution: Reapply your license. If you experience further issues, contact Technical Support and request that your license is checked and refreshed. |
|||
| 4.0.2 | Issue: After you upgrade to Virtual ATD 4.0.2.42, you can no longer connect to DXL. Solution:
|
|||
| 1200244 | 4.0 | 4.0.4 | Issue: Web Server Certificate configuration is not retained after an upgrade. Workaround: Upload the web server certificate again. Solution: This issue is resolved in ATD 4.0.4. |
Back to top
| Reference Number | Found in Version | Fixed in Version | Related Article | Issue Description |
| TSNS-7382 | 4.6 | 4.8 | Issue: You see different scan results when the Analyze archive contents individually option is Enabled or Disabled. Solution: This issue will be resolved in ATD 4.8. |
|
| ATD-2122 | 4.6 | 4.8 | Issue: Active Response does not time out when an HTML sample scan exceeds the mar-timeout setting. The Querying for Compromised Hosts section in the analysis report lists a scan time far longer than the configured setting. Solution: This issue will be resolved in ATD 4.8. |
|
| 1272909 | 4.6 | 4.8 | Issue: You delete the Minimum file size setting value and save your changes. The ATD Manager displays 0 for this setting. But, when you run the show filesizes CLI command, you see that the original non-zero value has been retained. Solution: This cosmetic issue is resolved in ATD 4.8. |
|
| 1269664 | 4.6.2 | 4.8 | Issue: Screenshots in analysis reports are distorted or corrupted. Solution: This issue is resolved in ATD 4.8. |
|
| 1267213 | 4.6.2 | Issue: TAXII server authentication fails if password length is not 3*N+2 characters long. Where N can be a value of 1,2,3,4 and so on. Solution: Configure a password length that matches this equation, for example 5, 8, 11, 14, 17 (and so on) characters. |
||
| 1261031 | 4.6 | Issue: Manager logon screen reports your user account is locked out after several failed logon attempts. You see this message even though the feature is disabled. Workaround: You can still log on to ATD if you provide the correct password, even after you see the error message. |
||
| 1247015 | 4.4.2 | Issue: After you upgrade to ATD 4.4.2, the CLI console logon screen says that its ATD version number is 4.2.2.16.64450. Solution: This issue is cosmetic. Disregard the banner. To verify your ATD system version number, log on to the CLI with cliadmin credentials, then run the show command. |
||
| 1246618 | 4.4.2 | Issue: Incorrect file type for .eml files shown in analysis reports. File type detected is listed as Microsoft Office suite or WScript, but must be electronic mail. Workaround: There is no workaround. Although the file type is incorrectly reported, the .eml file is still analyzed correctly. |
||
| 1240369 | 4.4.0.26 | 4.4 | KB90590 | Issue: The Activation window does not load when you access the ATD Manager with a host name or FQDN. Your browser displays an HTTP 404 code. Solution: The issue is addressed in ATD 4.4, but Technical Support can address the fix from the back-end of the ATD, over a remote session. To open a Service Request, see the Related Article. Workaround:
|
| 1236191 | 4.2.0 | Issue: McAfee Email Gateway shows result as ATD scan failed for archive samples, when you disable the Analyze archive contents individually option in the analyzer profile. Solution: Ensure that the option Analyze archive contents individually is enabled in the analyzer profile. |
||
| 1237764 | 4.4.0 | Issue: Test connection to backup or restore host fails, when the target is an ATD appliance. Solution: Avoid using ATD as a backup or restore server. |
||
| 1238822 | 4.4.0 | 4.4.2 | Issue: SNMP traps are generated for DXL status up and down, in case MATD is heavily loaded. Solution: The problem is resolved in ATD 4.4.2. |
|
| 1237789 | 4.4.0 | Issue: SFTP to ATD fails for atdadmin user, after ISO installation (with backup). Solution: Reboot ATD. |
||
| 1233887 | 4.0 | KB90509 | Issue: Screenshots in the HTML analysis report are not displayed. You see broken links instead. Solution: This behavior is based on a limitation of product design, which McAfee will not change. Workaround: Check the PDF report instead of the HTML report from the ATD Manager. If an HTML report is required, download the complete result, and obtain the HTML report with screenshots. See the Related Article for more information about this issue. |
|
| 1228930 | 4.2 | 4.4 | Issue: DXL communication status is always listed as UP (green) even though ePO integration is disabled. Solution: Resolved in ATD 4.4. |
|
| 1222190 | 4.2 | 4.2.2 | KB90166 | Issue: ATD uses fixed SAN fields when you generate a Certificate Signing Request from the manager. Solution: Upgrade to ATD 4.2.2. See the related article for more information. |
| 1223276 | 4.2.0.22 | Issue: When you update to version 4.2.0.22: atd-application-img-4.2.0.22-4.2.0.x86_64.rpm, you see a pop-up box display the following notification:
Unknown error occurred, may be communication error during update.
Solution: This issue is not an update failure, it occurs because the manager connection times out.
You are advised to log back on to the ATD manager after a short time of 2–3 minutes. You then see that the update has successfully been applied. |
||
| 1182383 | 4.2 | NA | KB90022 | Issue: ATD 4.2 changed to prevent the management interface from being used, for potentially malicious or dirty traffic. See the Related Article for details. |
| 1219002 | 4.2 | 4.4 | Issue: Multiple logon and logoff messages are written to the syslog and audit logs. Solution: Resolved in ATD 4.4. |
|
| 1217741 | 4.2 | Issue: The LB Blacklist synchronize feature is not supported under reverse proxy feature for REST submission. | ||
| 1208475 | 4.0 | 4.2 | Issue: After you change the appliance name in the CLI, the host name is not updated in ePO and the ATD shell. Solution: Upgrade to ATD 4.2.0. |
|
| 1206989 | 4.0 | 4.2.2 | Issue: A scheduled backup sometimes fails with an exception. Solution: Upgrade to ATD 4.2.2. |
|
| 1205376 | 4.0 | 4.2 | Issue: The serial console stops working after you upgrade to ATD 4.0.x. Solution: Upgrade to ATD 4.2.0. Workaround: Add the following line at the end of the file /opt/amas/scripts/atd.local before exit: /bin/systemctl start 'serial-getty@ttyS0'
|
|
| 4.0.2 | Issue: The ATD 4.0.2 Dashboard shows McAfee AV Engine version as 5900, and the Content Update page (Manage, Image & software, Content Update) shows McAfee AV Engine version as 5800. Solution: This issue is a cosmetic one. There is no separate DAT available for the 5900 AV engine. The engine version is parsed from the DAT, which is why the Content Update page shows the AV engine version as 5800 instead of 5900. |
|||
| 1191242 | 4.0 | Issue: The http_redirect setting is not retained after migration. Workaround: Configure and apply this setting again. |
||
| 1187832 | 4.0 | Issue: Validation fails for German operating systems. You see the following error: You then see the following error: ADMINISTRATOR FAIL
Workaround: Ignore these error messages and continue with VM creation. You see the Host verification PASS report and creation work. |
||
| 1198393 | 4.0 | Issue: The profiling report does not reflect the mail entries submitted before upgrade. | ||
| 1198325 | 4.0 | Issue: Filtered files are displayed as ATD cache in the profiling report of email connector. |
Back to top
Related Information
To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
- If you are a registered user, type your User Id and Password, and then click Log In.
- If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.
Affected Products
Beta
Translate
with
Select a desired language below to translate this page.
Languages:
This article is available in the following languages:
GermanEnglish United States
Spanish Spain
French
Italian
Japanese
Korean
Dutch
Portuguese Brasileiro
Chinese Simplified
Chinese Traditional
