Loading...

Knowledge Center


Troubleshooting DAT update failures with Endpoint Security for Linux
Technical Articles ID:   KB91276
Last Modified:  3/15/2019

Environment

McAfee Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x

Problem

When performing a DAT update, whether locally or through an ePolicy Orchestrator (ePO) update task, the task starts and stops within a minute and fails to update the DATs. Sometimes the agent reports that the DAT update succeeded, but further analysis reveals the DATs are never updated.

Cause

Below are three possible reasons for DAT updates to fail with ENSLTP:
  1. The McAfee Agent (MA) only has the General Availability (GA) version installed. With MA, there are several Local Procedure Call (LPC) communication issues present in the GA versions of MA 5.0.6 and 5.5.0 that can cause updates to fail for ENSLTP.

    The macompatsvc log might show the following error:
     
    lpc.Error: Check software exist failed for software ENDP_AM_10x0LYNX, lpc error = <error message>
       
  2. There is not enough drive space in the ENSLTP installation folder.

    In the isectpd log, the following error displays during the DAT update process:
     
    Nov 20 15:29:19 <servername> ERROR ConfigController [2427] Unable to set engine and DAT info in Config Controller
    Nov 20 15:29:19 <servername> ERROR TpAgentUpdate [2427] Failed to update DAT (part of DAT Update task)
    Nov 20 15:29:19 <servername> ERROR ConfigStoreUtility [2427] Not writing to file as memory available is less than 200 MB, current available memory : 90058752

    Run the command df -h /opt to check the free space on the partition on which the folder resides. ENSLTP needs at least 4 GB free on the drive that contains the /opt folder. Here is an example of the output:
     
    Filesystem                      Size  Used Avail Use% Mounted on
    /dev/mapper/vg00-opt            3.0G  2.4G  608M  81% /opt
      
  3. The previous ENSLTP or VirusScan Enterprise for Linux (VSEL) module is still present in the folder /etc/cma.d.

    Run the command ls -al /etc/cma.d to check for this problem. These folders are the possible ones that could be present that would cause the issue:
    • /etc/cma.d/ENDP_AM_1050LYNX
    • /etc/cma.d/ENDP_AM_1020LYNX
    • /etc/cma.d/LYNXSHLD1920
      NOTE: If VSEL was previously installed, this folder could be present.
    • /etc/cma.d/LYNXSHLD2000
      NOTE: If VSEL was previously installed, this folder could be present.

    The following is example output when the problem is present:
     
    /etc/cma.d:
    total 28
    drwxr-xr-x    4 root root  4096 Dec 11 19:50 .
    drwxr-xr-x. 105 root root 12288 Dec 11 21:45 ..
    lrwxrwxrwx    1 root root    22 Apr 10  2018 CMNUPD__3000 -> /etc/ma.d/CMNUPD__3000

    NOTE: The following entry should not be present.

    For ENSLTP 10.6.x:

    drwx------    2 root root  4096 Apr 10  2018 ENDP_AM_1050LYNX  
    lrwxrwxrwx    2 root root  4096 Dec 11 19:50 ENDP_AM_1060LYNX -> /etc/ma.d/ENDP_AM_1060LYNX
    lrwxrwxrwx    1 root root    22 Apr 10  2018 EPOAGENT3700LYNX -> /etc/ma.d/EPOAGENT3000
    -rw-r--r--    1 root root    83 Dec 11 22:05 lpc.conf

    For ENSLTP 10.5.x:

    drwx------    2 root root  4096 Apr 10  2018 ENDP_AM_1020LYNX 
    drwx------    2 root root  4096 Dec 11 19:50 ENDP_AM_1050LYNX
    lrwxrwxrwx    1 root root    22 Apr 10  2018 EPOAGENT3700LYNX -> /etc/ma.d/EPOAGENT3000
    -rw-r--r--    1 root root    83 Dec 11 22:05 lpc.conf

Solution

The following are the solutions to each issue:
  1. Install the following minimum MA versions to address the LPC issues:
    • 5.0.6 - 5.0.6.550 (Hotfix 1238995 (Released to Support (RTS))
    • 5.5.0 - 5.5.0.482 (Hotfix 1230772 (RTS))
    • 5.5.1 - 5.5.1.388 (GA)
    • 5.6.0 (GA)
     
  2. Increase the disk space on the drive that contains the /opt folder so there is at least 4 GB free.
     
  3. Delete the previous ENSLTP or VSEL version plug-in folder and restart MA. These folders are the possible ones that could be present that would cause the issue:
    • /etc/cma.d/ENDP_AM_1050LYNX
    • /etc/cma.d/ENDP_AM_1020LYNX
    • /etc/cma.d/LYNXSHLD1920
      NOTE: If VSEL was previously installed, this folder could be present.
    • /etc/cma.d/LYNXSHLD2000
      NOTE: If VSEL was previously installed, this folder could be present.
If the above solutions do not address the issue, enable debug logging for both MA and ENSLTP and reproduce the issue. Collect an ENSLTP Minimum Escalation Requirements (MER) file using KB88197.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Rate this document

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.