Advanced Threat Defense 4.x Known Issues
Technical Articles ID:   KB89507
Last Modified:  10/14/2019

Environment

McAfee Advanced Threat Defense (ATD) 4.x

Summary

Recent updates to this article
  • October 14, 2019: Added ATD-2110 to the Critical known issues section.
  • September 11, 2019: Updated 1260957 in the Critical known issues section.
  • August 28, 2019: Added TSNS-7382 to the Non-critical known issues section.
  • August 19, 2019: Added TSNS-7587 to the Critical known issues section.



Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.
Critical known issues

Each entry lists the Reference Number, Found in Version, Fixed in Version, Related Article, and Issue Description.

Reference Number: ATD-2110 | Found in Version: 4.x | Fixed in Version: not listed | Related Article: KB92074
Issue: Many email reports show attachments with an unverified severity, and the overall email verdict as -3: scan timeout.

Workaround: Configure your sending MTA as follows for delivering emails to the ATD Email Connector:
  • Maximum concurrent SMTP connections: 300
  • Maximum messages per SMTP connection: 1

IMPORTANT: McAfee strongly recommends that you read the related article KB92074 for a complete issue write-up.
Reference Number: TSNS-7587 | Found in Version: 4.x | Fixed in Version: N/A | Related Article: KB91774
Issue: Advanced Threat Defense Email Connector intermittently fails to forward email to a relay host specified using a dynamic DNS host name.

Solution: Either stop using dynamic DNS, or add dummy relay host rules. See the related article for more information.
Reference Number: 1269878 | Found in Version: 4.6 | Fixed in Version: 4.8 | Related Article: not listed
Issue: Documentation correction to "Prerequisites and considerations" in Chapter 7, "Clustering Advanced Threat Defense Appliances", of the Product Guide.

Solution: This issue will be addressed in the ATD 4.8 static (PDF) documentation. The live product documentation for the ATD 4.6 Product Guide has already been updated:
https://docs.mcafee.com/bundle/advanced-threat-defense-4.6.x-product-guide/page/GUID-02B0FB43-4A69-402F-8FD1-F38FAB64310C.html

Workaround: The first bullet point of "Prerequisites and considerations" is corrected as follows:

Wrong description:
You must use the eth-0 interfaces (management ports) of the Advanced Threat Defense Appliances for cluster communication. Also, for best performance, the eth-0 interfaces of all nodes must be in the same layer-2 network of the OSI reference model.

Correct description:
You must use the eth-0 interfaces (management ports) of the Advanced Threat Defense Appliances for cluster communication.
NOTE: The eth-0 interfaces of all nodes must be in the same layer-2 network of the OSI reference model for better performance and to avoid network latency.
Reference Number: 1267950 | Found in Version: 4.6 | Fixed in Version: 4.8 | Related Article: not listed
Issue: Inconsistent scan results are observed across ATD nodes in the same cluster.

Solution: This issue is resolved in ATD 4.8.
Reference Number: 1266987 | Found in Version: 4.6 | Fixed in Version: 4.8 | Related Article: not listed
Issue: The antivirus DAT update fails sporadically because of a corrupt configuration file in the back-end.

Solution: This issue is resolved in ATD 4.8.

Workaround: Toggle (enable, then disable) the GTI HTTP Proxy setting in the ATD Manager.
Reference Number: 1274528 | Found in Version: 4.0 | Fixed in Version: 4.8 | Related Article: not listed
Issue: ATD 4.x up to and including version 4.6.x does not show GAM Engine 7001.2017.3140 as installed. It shows GAM Engine 7001.2015.2026 as installed.

Solution: ATD versions up to 4.6 do not support GAM Engine 7001.2017.3140. Support for 7001.2017.3140 is included in ATD 4.8.
Reference Number: 1272814 | Found in Version: 4.6 | Fixed in Version: not listed | Related Article: not listed
Issue: MAR timeout settings fail for HTML samples.

Solution: This issue is resolved in ATD 4.8.
Reference Number: 1274080 | Found in Version: vATD 4.x | Fixed in Version: N/A | Related Article: KB91578
Issue: Virtual Advanced Threat Defense is unreachable over the network after you change the MAC address of its virtual network adapter from the hypervisor.

Cause: vATD does not support changing the MAC address of its virtual network adapter.

Solution: Revert the MAC address to the original one. See the related article for details.
Reference Number: 1269632 | Found in Version: vATD 4.x | Fixed in Version: N/A | Related Article: KB91593
Issue: The Microsoft Windows sandbox VM shows a blue screen and crashes in virtual Advanced Threat Defense running on a Hyper-V host.

Cause: You enabled processor compatibility for the vATD instance in Hyper-V.

Solution: Disable processor compatibility for the vATD instance in Hyper-V. See the related article for details.
Reference Number: 1267129 | Found in Version: 4.6.2 | Fixed in Version: not listed | Related Article: not listed
Issue: After you upgrade to ATD 4.6.2, the configured secure NTP stops working.

Cause: Communication between ATD and the secure NTP server breaks because the stored password is encrypted.

Solution: Open the secure NTP settings and save them again.
Reference Number: 1257618 | Found in Version: 4.6.0 | Fixed in Version: not listed | Related Article: not listed
Issue: The HTML report does not contain the Timeline section when opened from a locally downloaded Complete Results zip archive.

Solution: This behavior is expected. Generate a PDF report and view the Timeline section there. The image resources, including the timeline images, reside on the ATD back-end system, so they are inaccessible after the report is sent from ATD and hosted on the end user's computer.

To view the full results in a locally downloaded Complete Results archive, open the PDF report that is generated for this purpose.
Reference Number: 1261609 | Found in Version: 4.6.0 | Fixed in Version: not listed | Related Article: not listed
Issue: The ATD cluster status becomes unstable. The active director role flaps between the primary node and the backup node.

Solution:
  • Install the December 11, 2018 ATD 4.6.0 Detection Package (atd-detection-img-4.6.0.181210).
  • ATD 4.6.2 will incorporate the fix.
Reference Number: 1260957 | Found in Version: 4.4.0 | Fixed in Version: 4.6.2 | Related Article: KB91100
Issue: High memory utilization in the SNMP subagent.

Solution: Disable SNMP, then enable it again. See the Related Article.
Reference Number: 1260786 | Found in Version: 4.x | Fixed in Version: not listed | Related Article: not listed
Issue: During boot, vATD reports the error:
Failed to start Load Kernel Modules.

Solution: ATD shares code between the physical appliances and vATD. The service reported as FAILED during the vATD boot loads a kernel module that is relevant only to the hardware appliance, so it fails when loaded by vATD. This error message can be safely ignored.
Reference Number: 1260533 | Found in Version: 4.6 | Fixed in Version: not listed | Related Article: KB91070
Issue: You migrate to ATD 4.6.0 and the automatic VM creation runs as part of the migration process, but the VM creation status indicator reports Failed after the automatic VM creation has finished.

Issue: The ATD console screen reports that the DHCP service fails to start during the operating system boot sequence.

Solution: See the Related Article.
Reference Number: 1251840 | Found in Version: 4.6 | Fixed in Version: not listed | Related Article: KB91018
Issue: VMs in a hybrid cluster are not activated correctly.

Solution: See the Related Article.
Reference Number: 1258604 | Found in Version: 4.6 | Fixed in Version: not listed | Related Article: KB91019
Issue: VM creation fails intermittently after you migrate to ATD 4.6.0.

Solution: See the Related Article.
Reference Number: 1239214 | Found in Version: 4.2 | Fixed in Version: 4.4 | Related Article: not listed
Issue: You are unable to set up nested virtualization for Windows Server 2012 R2 Datacenter on Hyper-V.

Solution: Virtual ATD does not support Windows Server 2012 R2 Datacenter on Hyper-V. The ATD 4.2 Release Notes list Windows Server 2012 R2 Datacenter as a supported environment; this is a documentation error. The ATD 4.4 product documentation corrects this and does not list Windows Server 2012 R2 Datacenter as a supported platform.
Reference Number: 1240458 | Found in Version: 4.0.4 | Fixed in Version: not listed | Related Article: KB90599
Issue: ATD does not report the disk utilization alert via the syslog channel.

Solution: See the Related Article.
Reference Number: not listed | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: Incoming email is not delivered to the receiving server.

Cause: The Cisco Possible Delivery feature is not compliant with SMTP RFC 5321. This noncompliance results in a loss of emails at the receiving end, which is blamed on ATD.

Solution: When the ATD scan timeout is greater than 300 seconds, you must disable Possible Delivery on your Cisco IronPort appliance. Otherwise, the connection times out and mail is lost.

NOTE: McAfee recommends that you keep a copy of your emails at the email gateway or server, to avoid losing mail if ATD enters a fail-to-receive condition.
The scan timeout is located under: ATD Manager, Manage, Email Connector, Configuration, Scanning Emails, Maximum time per email to wait for all scans to complete.
Reference Number: 1234016 | Found in Version: 4.4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: vATD is not supported on Haswell, Nehalem, and older processors. For example, VM creation fails if vATD is deployed on a processor architecture older than Nehalem.

Solution: Always deploy vATD on Sandy Bridge or a newer processor architecture.
Reference Number: 1238467, 1238840 | Found in Version: 4.2.0 | Fixed in Version: not listed | Related Article: KB90539
Issue: The Email Connector tears down the SMTP connection before returning 250 in the DATA phase, the Email Report intermittently shows Failed to Receive, or both.

Solution: See the Related Article.
Reference Number: 1236946 | Found in Version: 4.2.2 | Fixed in Version: Detection Package 4.2.2.180301 | Related Article: KB90508
Issue: The VMDK to IMG conversion stops responding and displays Converting image as its status indefinitely.

Cause: The conversion process fails in the back-end, but the ATD Manager is not updated.

Solution: Close the stuck browser window, open the ATD Manager, and log on as admin. Navigate to Content Update and install Detection Package 4.2.2.180301. See the related article for more information.
Reference Number: 1232715 | Found in Version: 4.2.2 | Fixed in Version: 4.4 | Related Article: KB90396
Issue: You cannot apply the time zone GMT + N hours.

Solution: This issue is resolved in ATD 4.4. See the Related Article for more information.
Reference Number: 1229960, 1226150 | Found in Version: 4.2.0, 4.2.2 | Fixed in Version: 4.4 | Related Article: KB90385
Issue: A memory leak is found in an adapter tool for the McAfee Active Response integration.

Solution: This issue is resolved in ATD 4.4. See the Related Article for more information.
Reference Number: 1232010, 1232741 | Found in Version: 4.2.2 | Fixed in Version: 4.4.2 | Related Article: KB90386
Issue: An application crash is reported in the sandbox VM, and internet access is impeded in the VM.

Solution: The problem is resolved in ATD 4.4.2. See the Related Article for more information.
Reference Number: 1222843 | Found in Version: 4.0 | Fixed in Version: 4.2.2 | Related Article: KB90371
Issue: An unrotated log file fills up a disk partition.

Solution: Upgrade to ATD 4.2.2. See the Related Article for more information.
Reference Number: 1227022 | Found in Version: 4.2 | Fixed in Version: 4.4 | Related Article: not listed
Issue: When you press the List Files button, the Remote backup file service tries to connect via FTP even though you selected SFTP.

Solution: This issue is resolved in ATD 4.4.

Workaround: Configure ATD to use an FTP server to perform your remote backups.
Reference Number: 1222566 | Found in Version: 4.0 | Fixed in Version: 4.2.2 | Related Article: KB90209
Issue: Content Update does not list the latest available package when direct internet access is blocked and a proxy server is needed to connect to the internet.

Solution: Upgrade to ATD 4.2.2.
Reference Number: not listed | Found in Version: 4.2 | Fixed in Version: not listed | Related Article: KB90200
Issue: The ATD 4.2 documentation no longer lists VMware Workstation as a supported method for creating VM images.

Solution: ATD 4.2 supports VMware Workstation, in addition to VMware ESXi and Microsoft Hyper-V, for creating analyzer VMs.
NOTE: The VMDK preparation tool is not available in the ATD 4.2 Manager.

IMPORTANT: This known issues article previously stated that ATD 4.2 supports only VMware ESXi and Microsoft Hyper-V for creating analyzer VMs. This statement was incorrect. ATD 4.2 also supports VMware Workstation for creating analyzer VMs.
Reference Number: 1221575 | Found in Version: 4.2 | Fixed in Version: not listed | Related Article: KB90107
Issue: The DXL status shows DOWN after you migrate to ATD 4.2.

Solution:
  1. Disable ePO integration in the ATD Manager and save the change.
  2. Re-enable ePO integration and save the change.
See the Related Article for the full steps.
Reference Number: 1221089 | Found in Version: 4.2.0.20 | Fixed in Version: 4.2.0.22 | Related Article: not listed
Issue: Sample submission fails when your submission URL uses the ATD host name. For example: https://atd.my.company:443/.

Solution: This issue is resolved in the ATD 4.2.0.22 content update package. The package is available from the ATD Manager, under Manage, Image & Software, Content Update, Application Software. Future ATD releases will include this content update package.

Workaround: Use the ATD IP address in your URL. For example: https://192.1.1.10:443/
Reference Number: 1219011 | Found in Version: 4.0 | Fixed in Version: 4.2.2 | Related Article: not listed
Issue: ePO Operating System profiling is not supported for Microsoft Windows 2012 and 2016 servers.

Solution: Upgrade to ATD 4.2.2.
Reference Number: 1216076 | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: Custom web certificates synchronized to secondary nodes are not used by the web server and x-mode.
Reference Number: not listed | Found in Version: 4.2 | Fixed in Version: not listed | Related Article: not listed
Issue: Configuring ATD to use Primary and Backup nodes in Microsoft Azure is not supported. If the Primary node stops functioning, failover does not work and the Backup node does not start.

Workaround: Configure ATD to use Primary and Secondary nodes in Microsoft Azure. If the Primary node fails, the Secondary node starts and takes over.
Reference Number: 1213997 | Found in Version: 4.0 | Fixed in Version: 4.2 | Related Article: KB89885
Issue: The Email Connector directs emails to the wrong host instead of to the smart host specified by host name.

Solution: This issue is resolved in ATD 4.2. See the Related Article for details.

Workaround: Use an IP address for the Smart Host Hostname setting. See the Related Article for the full steps.
Reference Number: 1211626 | Found in Version: 4.0.4 | Fixed in Version: 4.2 | Related Article: KB89851
Issue: After you upgrade from ATD 4.0.2 to 4.0.4, the Xmode or Activation screen served on port 6080/TCP starts using the default ATD certificate instead of the custom web certificate you previously uploaded.

Solution: This issue is resolved in ATD 4.2. See the Related Article for details.
Reference Number: 1187242 | Found in Version: 4.0 | Fixed in Version: 4.2 | Related Article: KB90022
Issue: A DNS query from the sandbox VM is incorrectly sent to the preferred DNS server instead of the configured malware DNS server.

Solution: This issue is resolved in ATD 4.2. See the Related Article for details.
Reference Number: 1203571 | Found in Version: 4.0.2 | Fixed in Version: 4.0.4 | Related Article: KB89749
Issue: Under rare circumstances, ATD becomes unresponsive because of kernel errors.

Workaround: Technical Support can manually update the kernel over a remote session. See the Related Article for details.

Solution: This issue is resolved in ATD 4.0.4.
Reference Number: not listed | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: For previous versions of ATD, McAfee mandated that you enable the Allow Multiple Logins option for the admin user on the User Management page before you upgrade ATD.

Solution: Although it is no longer mandatory, McAfee still recommends that you select Allow Multiple Logins for the admin user record before you perform the upgrade. (The Migration Guide for ATD 4.0 does not explicitly mention selecting this option, even though it is recommended.)
Reference Number: 1202968 | Found in Version: 4.0.2 | Fixed in Version: not listed | Related Article: KB89569
Issue: Before you upgrade ATD from 3.8.2.23 to 4.0.2, you install and successfully configure web and CA certificates on the ATD appliance. After you complete the upgrade to ATD 4.0.2, you can no longer access the ATD Manager.

Solution: Technical Support can apply a solution for this issue over a remote session. See the Related Article for details.
Reference Number: not listed | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: KB89552
Issue: After you migrate from ATD 3.8.x to 4.0, Microsoft Windows or Office requests that you perform product activation.

Solution: See the Related Article.
Reference Number: not listed | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: You cannot use the following IP subnet ranges for ATD 4.0 network interfaces:
  • 192.168.55.0/24
  • 191.168.122.0/24

Solution: Do not use these subnets for ATD 4.0 network interfaces. This applies to both the physical and the virtual ATD appliances.

NOTE: ATD ships with internal subnets for its VMs (the 192.168.55.0/24 and 191.168.122.0/24 networks) and with a static routing table for these internal subnets. Adding ATD to your network therefore also adds those subnets to your network. If your network coincidentally uses the same subnets, you see a routing issue between ATD and your existing 192.168.55.0/24 and 191.168.122.0/24 networks.
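A pre-deployment check for the subnet clash described in the note above, written as an added example (it is not McAfee's code). It takes a site's address plan as CIDR strings (the sample plan is constructed) and reports any network that overlaps the two internal ATD subnets listed on this page, in either direction, so that a site /16 containing an ATD /24 is caught as well as a site /26 inside one.

```python
"""Added example: detect overlap between a site's address plan and the internal
VM subnets that ATD ships static routes for. Not part of the McAfee product."""
import ipaddress

# The two internal subnets named in the known-issues entry above.
ATD_INTERNAL_SUBNETS = [
    ipaddress.ip_network("192.168.55.0/24"),
    ipaddress.ip_network("191.168.122.0/24"),
]


def find_conflicts(site_networks):
    """Return (site_network, atd_subnet) string pairs that overlap.

    site_networks: iterable of CIDR strings from the site's address plan.
    ip_network.overlaps() is symmetric, so a larger site prefix that contains
    an ATD subnet and a smaller one inside it are both reported.
    """
    conflicts = []
    for cidr in site_networks:
        net = ipaddress.ip_network(cidr, strict=False)
        for internal in ATD_INTERNAL_SUBNETS:
            if net.overlaps(internal):
                conflicts.append((str(net), str(internal)))
    return conflicts


def interface_address_ok(address_with_prefix):
    """True if a proposed ATD interface address such as '10.1.2.3/24' does not
    land inside one of the reserved internal subnets."""
    iface = ipaddress.ip_interface(address_with_prefix)
    return not any(iface.network.overlaps(n) for n in ATD_INTERNAL_SUBNETS)


if __name__ == "__main__":
    # Constructed sample address plan; not taken from the KB article.
    site_plan = ["10.0.0.0/8", "192.168.0.0/16", "172.16.5.0/24", "191.168.122.128/25"]
    for site_net, internal in find_conflicts(site_plan):
        print(f"conflict: site {site_net} overlaps ATD internal subnet {internal}")
    print("eth-0 address 10.1.2.3/24 acceptable:", interface_address_ok("10.1.2.3/24"))
```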
Reference Number: not listed | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: You can upgrade Virtual ATD from 3.10 or 3.10.2, but you must use the system-4.0.2.42.61877.msu file and follow the process documented in the Virtual ATD Addendum guide.
Reference Number: not listed | Found in Version: 4.0.2 | Fixed in Version: not listed | Related Article: not listed
Issue: After you upgrade to Virtual ATD 4.0.2.42, some entries under System Health are listed as Degraded and the System Health (Overall) status is listed as Uninitialized.

Solution: Reapply your license. If you experience further issues, contact Technical Support and request that your license is checked and refreshed.
Reference Number: not listed | Found in Version: 4.0.2 | Fixed in Version: not listed | Related Article: not listed
Issue: After you upgrade to Virtual ATD 4.0.2.42, you can no longer connect to DXL.

Solution:
  1. Update your MsgBusCert certificate. See KB89214 for the steps to follow.
  2. In the ATD Manager, open the ePO/DXL settings.
  3. Disable (deselect) the Allow ePO Login setting.
  4. Apply the change and wait five minutes.
  5. Enable Allow ePO Login.
  6. Apply the change and wait five minutes.
  7. Configure and enable your DXL configuration.
  8. Apply the change and wait five minutes.
Reference Number: 1200244 | Found in Version: 4.0 | Fixed in Version: 4.0.4 | Related Article: not listed
Issue: The Web Server Certificate configuration is not retained after an upgrade.

Workaround: Upload the web server certificate again.

Solution: This issue is resolved in ATD 4.0.4.


Non-critical known issues

Each entry lists the Reference Number, Found in Version, Fixed in Version, Related Article, and Issue Description.

Reference Number: TSNS-7382 | Found in Version: 4.6 | Fixed in Version: 4.8 | Related Article: not listed
Issue: You see different scan results depending on whether the Analyze archive contents individually option is Enabled or Disabled.

Solution: This issue will be resolved in ATD 4.8.
Reference Number: ATD-2122 | Found in Version: 4.6 | Fixed in Version: 4.8 | Related Article: not listed
Issue: Active Response does not time out when an HTML sample scan exceeds the mar-timeout setting. The Querying for Compromised Hosts section of the analysis report lists a scan time far longer than the configured setting.

Solution: This issue will be resolved in ATD 4.8.
Reference Number: 1272909 | Found in Version: 4.6 | Fixed in Version: 4.8 | Related Article: not listed
Issue: You delete the Minimum file size setting value and save your changes. The ATD Manager displays 0 for this setting, but when you run the show filesizes CLI command, you see that the original non-zero value has been retained.

Solution: This cosmetic issue is resolved in ATD 4.8.
Reference Number: 1269664 | Found in Version: 4.6.2 | Fixed in Version: 4.8 | Related Article: not listed
Issue: Screenshots in analysis reports are distorted or corrupted.

Solution: This issue is resolved in ATD 4.8.
Reference Number: 1267213 | Found in Version: 4.6.2 | Fixed in Version: not listed | Related Article: not listed
Issue: TAXII server authentication fails unless the password length is 3*N+2 characters, where N is 1, 2, 3, 4, and so on.

Solution: Use a password whose length satisfies this equation, for example 5, 8, 11, 14, or 17 (and so on) characters.
Reference Number: 1261031 | Found in Version: 4.6 | Fixed in Version: not listed | Related Article: not listed
Issue: The Manager logon screen reports that your user account is locked out after several failed logon attempts. You see this message even though the lockout feature is disabled.

Workaround: You can still log on to ATD if you provide the correct password, even after you see the error message.
Reference Number: 1247015 | Found in Version: 4.4.2 | Fixed in Version: not listed | Related Article: not listed
Issue: After you upgrade to ATD 4.4.2, the CLI console logon screen reports the ATD version number as 4.2.2.16.64450.

Solution: This issue is cosmetic. Disregard the banner. To verify your ATD system version number, log on to the CLI with the cliadmin credentials, then run the show command.
Reference Number: 1246618 | Found in Version: 4.4.2 | Fixed in Version: not listed | Related Article: not listed
Issue: An incorrect file type is shown for .eml files in analysis reports. The detected file type is listed as Microsoft Office suite or WScript, but it should be electronic mail.

Workaround: There is no workaround. Although the file type is reported incorrectly, the .eml file is still analyzed correctly.
Reference Number: 1240369 | Found in Version: 4.4.0.26 | Fixed in Version: 4.4 | Related Article: KB90590
Issue: The Activation window does not load when you access the ATD Manager with a host name or FQDN. Your browser displays an HTTP 404 code.

Solution: The issue is addressed in ATD 4.4. Alternatively, Technical Support can apply the fix from the ATD back-end over a remote session. To open a Service Request, see the Related Article.

Workaround:
  1. Open the ATD Manager by specifying its IP address. For example, https://192.168.10.10/.
  2. Log on to the ATD Manager and proceed to VM Profile creation.
  3. Click Activate to start the Activation window.
Reference Number: 1236191 | Found in Version: 4.2.0 | Fixed in Version: not listed | Related Article: not listed
Issue: McAfee Email Gateway shows the result as ATD scan failed for archive samples when you disable the Analyze archive contents individually option in the analyzer profile.

Solution: Ensure that the Analyze archive contents individually option is enabled in the analyzer profile.
Reference Number: 1237764 | Found in Version: 4.4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: The test connection to the backup or restore host fails when the target is an ATD appliance.

Solution: Avoid using ATD as a backup or restore server.
Reference Number: 1238822 | Found in Version: 4.4.0 | Fixed in Version: 4.4.2 | Related Article: not listed
Issue: SNMP traps are generated for DXL status up and down when ATD is heavily loaded.

Solution: The problem is resolved in ATD 4.4.2.
Reference Number: 1237789 | Found in Version: 4.4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: SFTP to ATD fails for the atdadmin user after an ISO installation (with backup).

Solution: Reboot ATD.
Reference Number: 1233887 | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: KB90509
Issue: Screenshots in the HTML analysis report are not displayed. You see broken links instead.

Solution: This behavior is a limitation of the product design, which McAfee will not change.

Workaround: Check the PDF report instead of the HTML report from the ATD Manager. If an HTML report is required, download the complete result and obtain the HTML report with screenshots from it. See the Related Article for more information about this issue.
Reference Number: 1228930 | Found in Version: 4.2 | Fixed in Version: 4.4 | Related Article: not listed
Issue: The DXL communication status is always listed as UP (green) even though ePO integration is disabled.

Solution: Resolved in ATD 4.4.
Reference Number: 1222190 | Found in Version: 4.2 | Fixed in Version: 4.2.2 | Related Article: KB90166
Issue: ATD uses fixed SAN fields when you generate a Certificate Signing Request from the Manager.

Solution: Upgrade to ATD 4.2.2. See the related article for more information.
Reference Number: 1223276 | Found in Version: 4.2.0.22 | Fixed in Version: not listed | Related Article: not listed
Issue: When you update to version 4.2.0.22 (atd-application-img-4.2.0.22-4.2.0.x86_64.rpm), a pop-up box displays the following notification:
Unknown error occurred, may be communication error during update.

Solution: This is not an update failure; it occurs because the Manager connection times out. Log back on to the ATD Manager after 2–3 minutes. You then see that the update has been applied successfully.
Reference Number: 1182383 | Found in Version: 4.2 | Fixed in Version: NA | Related Article: KB90022
Issue: ATD 4.2 was changed to prevent the management interface from being used for potentially malicious or dirty traffic. See the Related Article for details.
Reference Number: 1219002 | Found in Version: 4.2 | Fixed in Version: 4.4 | Related Article: not listed
Issue: Multiple logon and logoff messages are written to the syslog and audit logs.

Solution: Resolved in ATD 4.4.
Reference Number: 1217741 | Found in Version: 4.2 | Fixed in Version: not listed | Related Article: not listed
Issue: The LB Blacklist synchronize feature is not supported when the reverse proxy feature is used for REST submission.
Reference Number: 1208475 | Found in Version: 4.0 | Fixed in Version: 4.2 | Related Article: not listed
Issue: After you change the appliance name in the CLI, the host name is not updated in ePO and the ATD shell.

Solution: Upgrade to ATD 4.2.0.
Reference Number: 1206989 | Found in Version: 4.0 | Fixed in Version: 4.2.2 | Related Article: not listed
Issue: A scheduled backup sometimes fails with an exception.

Solution: Upgrade to ATD 4.2.2.
Reference Number: 1205376 | Found in Version: 4.0 | Fixed in Version: 4.2 | Related Article: not listed
Issue: The serial console stops working after you upgrade to ATD 4.0.x.

Solution: Upgrade to ATD 4.2.0.

Workaround: Add the following line at the end of the file /opt/amas/scripts/atd.local, before the exit statement:

/bin/systemctl start 'serial-getty@ttyS0'
Reference Number: not listed | Found in Version: 4.0.2 | Fixed in Version: not listed | Related Article: not listed
Issue: The ATD 4.0.2 Dashboard shows the McAfee AV Engine version as 5900, while the Content Update page (Manage, Image & software, Content Update) shows the McAfee AV Engine version as 5800.

Solution: This issue is cosmetic. There is no separate DAT for the 5900 AV engine. The engine version is parsed from the DAT, which is why the Content Update page shows the AV engine version as 5800 instead of 5900.
Reference Number: 1191242 | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: The http_redirect setting is not retained after migration.

Workaround: Configure and apply this setting again.
Reference Number: 1187832 | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: Validation fails for German operating systems. You see the following error:

Systemfehler 1376 aufgetreten and Die angegebene locale Gruppe ist nicht vorhanden

You then see the following error:

ADMINISTRATOR FAIL

Workaround: Ignore these error messages and continue with VM creation. You see the Host verification PASS report, and creation works.
Reference Number: 1198393 | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: The profiling report does not reflect the mail entries submitted before the upgrade.
Reference Number: 1198325 | Found in Version: 4.0 | Fixed in Version: not listed | Related Article: not listed
Issue: Filtered files are displayed as ATD cache in the profiling report of the Email Connector.

