| MVISION Version | General Availability (GA) | Release Notes |
| MVISION EDR July Update | July 26, 2021 | Release Notes |
| MVISION EDR 3.5 | July 13, 2021 | Release Notes |
| MVISION XDR | May 17, 2021 | Release Notes |
| MVISION EDR 3.4 | April 27, 2021 | Release Notes |
| MVISION EDR Cloud December release |
December 5, 2020 | Release Notes |
| EDR Client 3.3.0.625 | December 1, 2020 | Release Notes |
| MVISION EDR Cloud November release |
November 6, 2020 | Release Notes |
| MVISION EDR 3.2 Hotfix 1 | September 22, 2020 | Release Notes |
| MVISION EDR 3.2 | August 12, 2020 | Release Notes (Client and Extension 3.2.0.567.2) |
| MVISION EDR 3.1 | April 21, 2020 | Release Notes NOTE: MVISION EDR is a cloud product. The GA date is the latest release. Cloud Release Notes are cumulative. |
| MVISION EDR 3.0 Hotfix 1 | December 20, 2019 | |
| MVISION EDR | October 22, 2019 |
MVISION EDR Known Issues
Artigos técnicos ID:
KB91275
Última modificação: 9/7/2021
Última modificação: 9/7/2021
Ambiente
McAfee MVISION EDR
McAfee MVISION XDR
McAfee MVISION XDR
Resumo
Recent updates to this article
Contents
Click to expand the section you want to view:
Back to top
| Date | Update |
| September 7, 2021 | Added SEC-36074 and SEC-46898 in the "Non-critical known issues" section. |
| August 27, 2021 | Added SEC-50492 in the "Non-critical known issues" section. |
| August 23, 2021 | Removed SEC-50092 because it is resolved. |
| July 27, 2021 | Added known issues SEC-50092, SEC-49207, SEC-49599, SEC-49287, SEC-46277, SEC-45793,SEC-46777, and SEC-48803 in the "Non-critical known issues" section. |
| July 1, 2021 | Added SEC-48028 in the "Critical known issues" section. |
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.
Contents
Click to expand the section you want to view:
| Reference Number | Related Article | Found in MV-EDR version |
Resolved in MV-EDR version |
Issue Description |
| SEC-48028 | KB94656 | 3.5 | - | NOTE: This issue is applicable for EDR 3.5 clients and customers using S3 functionality. Issue: An issue exists where if EDR is configured to send traces to both the McAfee EDR Cloud and also to the customer’s own S3 service, traces are not sent to McAfee EDR Cloud. The issue is seen only when the S3 access credentials are misconfigured (e.g. invalid access key). If this issue is seen, ensure that your AWS credentials are valid and your AWS services and settings are correctly configured. NOTE: We recommend that customers test any IAM credentials to ensure that they allow objects to be written to the target S3 bucket, and monitor S3 bucket access and usage. |
| Reference Number | Related Article | Found in MV-EDR version |
Resolved in MV-EDR version |
Issue Description |
| SEC-36074 | - | Issue: Vulnerability Actions is not shown in actions. Pending SEC-50492. |
||
| SEC-46898 | - | Issue: The MVISION EPO/EDR client fails to upload a snapshot. | ||
| SEC-50492 | - | Issue: SIEM Action options are not available on the EDR dropdown for Device Actions in the EDR UI. | ||
| SEC-49207 | - | Issue: Historical search fails with AR-1104 intermittently through the UI during a programmatic or script performance test. | ||
| SEC-49599 | - | Issue: When AC is timing out responding to the query, the UI displays an error message: |
||
| SEC-46277 | - | Issue: Auto Suggestion operator does not work for compound query with CommandLine. | ||
| SEC-49287 | - | Issue: When you apply filters to do the analysis and later clear them, the results get refreshed through an API call. | ||
| SEC-48803 | - | Issue: The user does one of the following:
|
||
| SEC-46777 | - | Issue: Granular Exclusion: Exclusion with escape/special characters should be cleaned up before match. | ||
| SEC-45793 | - | - | Issue: In the Historical Search dashboard, when you type a commandLine query, suggestions do not appear. | |
| SEC-43301 | - | 3.2.0 | - | Issue: When you use the MVISION EDR API, you see that the API events are exceeding the defined event limits. Although the Case Management runbook supplied with the APIs mentions limits, it does not clearly state how to set limits in actual numbers. The API for rate limiting is: Rate limits can be applied to these actions:
{// Rate Limits default values. // Use API to change rate limits. // new case by tenant new-case = [ { max = 10 duration = "1 hour"} { max = 20 duration = "1 day"} ] // new evidence by case by tenant new-evidence-to-case = [{max = 10 duration = "1 hour"} ] // new evidence by tenant new-evidence = [{max = 10 duration = "1 hour"} ] } |
| SEC-41123 | - | 2.4.0.723 | - | Issue: Scheduled Reboot Reaction might not work on some Linux platforms (RHEL and SUSE) even though success is returned in Action History. Cause: The Scheduled Reboot Reaction uses the Linux "at" scheduling service to schedule the reboot. This service might not run by default on all Linux platforms. Workaround: Install the "at" service and ensure that the |
| SEC-37830 | - | 3.3.0 | Issue: Action History shows as 'Completed' with error message after action "Scheduled Reboot". | |
| SEC-42307 | - | 3.4.0 | Issue: BigSur operating system is not listing on EDR UI. | |
| SEC-38300 | - | - | - | Issue: Two or more open tabs while using MVISION EDR, might cause a user to be logged out due to inactivity. The same applies for any other tab that uses products that rely on the same identity service. For example, MVISION ePO and MVISION Cloud. Cause: MVISION EDR checks for activity independently in each tab. After 20 minutes of inactivity, MVISION EDR invalidates the token, which logs off the user. Workaround: Minimizing the number, or closing any open tabs that remain inactive for longer than 20 minutes, reduces the probability of a logoff occurrence. |
| SEC-28420 | EKS+1 | EKS+2 | Issue: When you run Historical search queries that contain more than 3 days of information and use include/exclude filters, you see the error:
Solution: Narrow your query. Include less than 3 days of information or remove the include/exclude filters. |
|
| SEC-35451 | Issue: No event type is displayed for a process activity in the table view of the Process Activity section from the Monitoring Dashboard. Cause: For some specific process activity that occurs close in time to the start of the process, the result can be that this activity has a time stamp earlier than the process that originated the activity. The UI relates that process with the same time stamp than the process created time displaying two events in the same row. Workaround: Click the activity and view the different events that are related to that row in the table. Then, you can see the details of both events. |
|||
| SEC-35418 | Issue: There is a delay in the visibility of events that are generated in the endpoint through the Historical search for just one endpoint. Cause: MVISION EDR time filters use the time specified in the Endpoint which is the time when the activity occurred. But, an endpoint could have a wrong time configuration that is ahead of the current time or is behind it. If it is ahead, filters such as for the last 4 hours do not show that activity until the current time is reached. Solution: Correct the time configured in the endpoint. |
|||
| SEC-35413 | Issue: Filtering by "Observed Techniques" / "Suspicious Indicators" in the Monitoring dashboard does not show the corresponding activity that originated it. This situation occurs when there is no UI visibility of an event in the Process Activity. Instead you see: Cause: EDR has increased the number of events that are displayed in the Process activity section. But some of them can still be missing. It does not relate the suspicious activity to an activity in the chart or tables because content evolves with higher cadence than UI. Solution: Make sure that there are no filters applied to the graph. If the event is still not displayed, analysis must investigate all activity to properly identify the trigger of the suspicious indicator. |
|||
| SEC-35355 | Issue: Filtering by "Observed Techniques" or "Suspicious Indicators" in the Monitoring dashboard might not show the corresponding activity that originated it. This situation can occur when you don't load all activity apply filters that were applied in the Process Activity widget. Instead You see: Cause: To improve the speed to show the Process Activity once a new threat is selected in the monitoring dashboard, the UI loads data in two phases. The initial phase partially loads data. It prioritizes process genealogy information. As a result, the activity that originated an observed technique or suspicious indicator might not be loaded. Solution: Click the Show all activity option. All activity loads. Then filter again for the required Observed technique. |
|||
| SEC-35377 SEC-35378 |
EDR Client 3.3.0.625 | Issue: The Cause: On SUSE Linux Enterprise 15, This deprecation might also apply to other Linux distributions that no longer include the net-tools package by default. Solution: Because |
||
| SEC-36169 | EDR Client 3.2.0.567 Content Data Update 3.2.0.313 |
Content Data Update 3.3.0.368 | Issue: EDR snapshot tool does not work properly after an EDR content update. You run the snapshot tool, but the tool fails to take a snapshot. You see the following error: Cause: An EDR content update leaves conflicting job definitions. Solution: Remove the EDR Client content package from the Master Repository until an updated content is provided. On affected hosts to be investigated, use the Remove File reaction available in |
|
| STLS- 916 | Issue: MVISION EDR can't connect to the configured DXL broker. If you look in the DXL brokers IPE log, you see the error: Cause: There are two possible causes:
|
|||
| SEC-33805 | Issue: Duplicate listings of ePO servers are seen in the Configuration Page, under Configure data sources. Cause: Connection issues. Solution: Refresh the UI. You can ignore the issue. This issue is cosmetic and does not affect product function. |
|||
| SEC-34655 | Issue: You take a manual action to quarantine or End-quarantine a device in the Investigation dashboard. But, the state is not updated until it is refreshed. Then, the End-quarantine action does not display after a quarantine action. Cause: Investigation does not refresh options after an action. Solution: Refresh the UI. |
|||
| SEC-33791 | Issue: After you switch between threats in the monitoring screen, process activity displays the message: It then loads the correct process activity. Cause: Engineering updated the widget to load faster and in phases, causing this issue. Solution: Wait until the process activity fully loads. |
|||
| SEC-31708 | 3.2.0.567 | Issue: Investigations via phishing email do not display or add artifacts. (U.S. ONLY) | ||
| SEC-31410 | 3.2.0.567 | 3.2.0.571 | Issue: The EDR client process ( Workaround: Disable the Unattended Content Updates on the EDR Policy, General tab. |
|
| 3.0.0.404 | 3.2.0.567 | Issue: Can't end Quarantine in an endpoint that is using a VPN Solution:
|
||
| 3.1.0.478 | 3.2.0.567 | Issue: You see high CPU use and slowdown on 32-bit Windows clients. Workaround: Disable the Trace for affected endpoints. Or, if experiencing issues with specific processes, exclude them. See the Product Guide for further information about making these changes. Solution: This issue is resolved in 3.2.0.567. |
||
| 3.1.0.478 | Issue: During the upgrade of EDR Client on Windows 7, a pop-up message displays for a few seconds with the title: This message does not affect the installation. The product successfully installs. Cause: The Windows service Interactive Services Detections is enabled. This service is disabled by default and is available only on Windows 7. Workaround: Temporarily disable the Windows service Interactive Services Detections during the upgrade of EDR Client. |
|||
| 3.1.0.478 | Content Data Update 3.2.0.308 | Issue: EDR Content Data Update 3.0 fails to download when EDR Client 3.1 or later is installed. Cause: Content Data Update 3.0 does not recognize version 3.1 or later. Workaround: Check in the latest Content Data Update 3.1 or later to the Master Repository. The update is available from the ePO Software Catalog. |
||
| 3.0.0.404 | 3.1.0.478 | Issue: The EDR Trace database grows larger than the maximum size configured in the policy. The database is at: |
||
| KB92292 | MACC extensions 8.2.6 and 8.3. | Issue: The Cause: McAfee Execution Control in MACC 8.x added default Execution Control Rules and McAfee rule groups. These rule groups need to be updated to allow the newer version to run. Workaround: See the related article. Solution: This issue is fixed with the release of MACC extensions 8.2.6 and 8.3. |
||
| ENS Exploit Prevention content released March 2020, or later, fixes this issue. | Issue: An EDR Reaction fails to execute in the endpoint. Cause: An option in ENS prevents EDR from running some Workaround: Add an exclusion to the EDR service in the ENS Exploit Prevention policy:
|
|||
| 3.0.0.355 | 3.1.0.478 | Issue: On Windows 10 build 1607 (RS1), applications such as Microsoft Office, Adobe Acrobat Reader, and Chrome, fail to start. Workaround 1: Install all Windows updates for build 1607 (RS1). Workaround 2:
NOTE: By disabling this option, the EDR client does not detect when a process injects another process. |
||
| 3.0.0.355 | Issue: Installation of some applications that perform intensive file moves, removals, or changes, displays errors and fails to complete. Cause: The EDR client locks these files during the installation. Workaround 1: Disable the Trace plug-in during the installation. Workaround 2: Add the installer or process that runs it to the ignored files into the Trace Policy. |
|||
| 3.0.0.355 | 3.2.0.567 | Issue: When you quarantine an endpoint connected to a VPN, the endpoint becomes unreachable. You can't send the reaction to End the Quarantine. Workaround:
|
||
| 3.0.0.404 | 3.0.0.432 | Issue: The network verbosity feature is enabled by default. The results are unnecessary collection in the endpoints and unnecessary traffic in the customer network. Workaround: For on-premises ePO, open all active EDR policies in ePO and save each one without making any changes. This action disables the verbosity configuration. For MVISION ePO environments, clone My Default policy, edit, save without any changes, and then assign it to all your endpoints. |
||
| 3.0.0.355 | 3.0.0.404 | Issue: On Windows Redstone 5 and later, Internet Explorer or Edge might lose internet connection when using a proxy configuration file. But, other browsers like Chrome or Firefox continue working properly. Workaround: Manually enter your proxy settings in Internet Explorer or Edge. |
||
| 3.0.0.432 | Issue: The EDR service does not start if MVISION EDR is installed on an endpoint with ENSM installed. Workaround: Technical Support has a script to fix the issue. Contact support to obtain this script. |
|||
| Fixed by upgrading to MA 5.6.3 | Issue: Proxy autoconfiguration script files, such as In this situation, Internet Explorer can still use the proxy.pac file, but MA (assuming its proxy settings are configured to MA reports no usable proxy found in the mcscript.log. Workaround: Reboot the endpoint. |
|||
| Issue: In MVISION ePO, Mac and Linux EDR clients are not yet supported. Solution: Not available. For environment information, see KB91345 - Supported platforms for MVISION EDR. |
||||
| 3.1.0.478 | Issue: The MVISION EDR client service stops working if you install or upgrade the MVISION Endpoint client after it was installed on a Windows system. Solution: Restart the service by restarting the operating system. |
|||
| 3.0.0.404 | Issue: During EDR Client installation, Visual C++ Redistributable Package removes binaries for non-target architectures. Specifically, This issue is a Microsoft runtime issue in Visual C++ Redistributable Package. Solution: Apply the updated distributable available at: https://support.microsoft.com/en-us/help/3138367/update-for-visual-c-2013-and-visual-c-redistributable-package |
|||
| Issue: Can't install MVISION EDR client with ENS 10.6.2/6.3 in Linux because of failed dependencies: You see the error: Solution: Upgrade to ENS 10.6.4 or later. |
||||
| 3.0.0.404 | Issue: The Monitoring or Historical Search dashboards might display incorrect information about the device. Incorrect information includes such as operating system version, MAC address, or ePO tags. | |||
| Issue: The Include and Exclude filters in the Historical Search Dashboard, do not filter the Alerts and Detections |
||||
| Issue: Hierarchy in the process tree from the Process Activity widget breaks. Cause: The parent process is not present. As a result, the sequential and timeline view in Process Activity, does not show the process tree correctly. Workaround: Select another detection instance for the same threat from the Device section in the Monitoring dashboard. |
||||
| Issue: When you disable telemetry feedback options, the feedback option requires that you accept the sharing of telemetry data. If you do not accept it, the send button on the feedback section is not enabled. Solution: Enable telemetry settings:
|
||||
| Issue: Duplicated alerts are seen. When a Process Injection is detected as a threat in the Monitoring dashboard, the Injector process and the Injected process are shown as potential threats. So, they can be perceived as duplicated threats. | ||||
| Client 3.0.0.175 | Issue: [Agent] When you disable or enable the trace plug-in, the traces are not sent to the cloud until you reboot the endpoint. Solution: If you enable the trace plug-in on an endpoint through the MVISION EDR endpoint policy after it was previously disabled, you must reboot the endpoint to have trace data sent again. Endpoint activity is not monitored until the reboot is completed. |
|||
| MVISION EDR extension version 3.0.0.758 | Issue: Unable to open MVISION homepage from on-prem ePO. The MVISION EDR homepage link from the McAfee ePO menu does not work. Solution: To access the MVISION EDR page, go to the URL https://ui.soc.mcafee.com. Solution: Fixed in MVISION EDR Client version 3.0.0.175. |
|||
| Issue: After installation, the EDR extension server settings display a Host Timeout Error. SIEM connection on the MVISION EDR settings available in Server settings on McAfee ePO show connection as: Solution: When the SIEM is configured correctly, this setting changes to Connection Successful as expected. |
||||
| Issue: Device Name is not displayed under Affected Devices, Threat Details session in Monitoring workspace. Solution: Follow the deployment steps as documented in the Installation Guide or UI wizard. If the MVISION EDR client is deployed in the endpoints before it completes the extension installation flow, some device information might not be displayed. Information such as host name or IP address, might not be displayed in the Device panel of the Monitoring dashboard. To fix the problem, reboot the unlisted device. |
Back to top
Informações relacionadas
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Produtos afetados
Idiomas:
Este artigo está disponível nos seguintes idiomas:
English United StatesSpanish Spain
French
Italian
Portuguese Brasileiro
Glossário de termos técnicos
Realçar termos do glossário
Reserve alguns momentos para navegar por nosso Glossário de termos técnicos.
