Loading...

Knowledge Center


Product compatibility issues with McAfee Agent 5.6.1 Hotfix 2
Technical Articles ID:   KB91655
Last Modified:  9/10/2019
Rated:


Environment

McAfee Agent (MA) 5.6.1 Hotfix 2 (build 5.6.1.298)
McAfee Application and Change Control (MACC) 8.x, 7.x, 6.x
McAfee Data Loss Prevention (DLP) Endpoint 11.2.x, 11.1.x, 10.0.0
McAfee Endpoint Security Firewall (ENSFW) 10.6.x, 10.5.x, 10.2.x

Summary

MA 5.6.1 Hotfix 2 has been removed from the Product Download sites. If you have already downloaded the release, but have not yet deployed it. McAfee strongly recommends that you do not deploy it, and use MA 5.6.1 Hotfix 3.

Problem

MA to ENSFW compatibility issue

Agent-to-server communication is broken under the following conditions:
  • When you deploy MA 5.6.1 Hotfix 2 to endpoints that have ENS installed
  • When ENS uses a non-default firewall policy

Masvc_.log records the errors:

Masvc(3096.3488) network.Notice: URL(https://192.168.1.1:443/spipe/pkg?AgentGuid={}&Source=Agent_3.0.0) request failed with curl error <56>, response code <0>, http connect code 502

ENS FirewallEventMonitor.log records:
 
Time: 07/10/2019 01:13:38 PM
Event: Traffic
IP address: ###.###.###.###
Description: MCAFEE AGENT SERVICE
Path: C:\PROGRAM FILES\MCAFEE\AGENT\MASVC.EXE
Message:  Blocked Outgoing TCP - Source ###.###.###.### : (62681) Destination ###.###.###.### : https (443)
Matched Rule: Block all traffic
 
Time: 07/10/2019 01:13:38 PM
Event: Traffic
IP address: 192.168.1.1
Description: MCAFEE AGENT SERVICE
Path:  C:\PROGRAM FILES\MCAFEE\AGENT\MASVC.EXE
Message: Blocked Incoming TCP - Source ###.###.###.### : https (443) Destination ###.###.###.### : (62681)
Matched Rule: Block all traffic

Problem

MA to DLP compatibility issue

After you deploy MA 5.6.1 Hotfix 2 to endpoints that have DLP Endpoint 11.2.0 or earlier installed, MA can no longer make policy changes for DLP if access protection is enabled.

Problem

MA to MACC compatibility issue
The Technical Support code-signing certificate for MA has been updated recently, and the change affected product functionality.
 
If you experience any issues with communication between MA and the Application Control plug-in, make sure that you are running the latest version of MA (MA 5.6.1 Hotfix 3).

Cause

The executables for MA 5.6.1 Hotfix 2 are signed with a new certificate.

ENSFW has a built-in rule that allows traffic from the masvc.exe process, even if a firewall rule is present to block it. But, the process must be signed with a specific certificate so that ENSFW can't block agent-to-server communications.

The built-in rule does not account for the certificate change. So, it is possible for ENS to block agent-to-server communication when you use a non-default firewall rule set.

Similarly, DLP has a self-protect feature called access protection which relies on the certificate to trust the process trying to communicate with DLP. Because DLP does not trust the certificate that the MA services are signed with, MA can't hand off the policy update to DLP to enforce.

Solution

If you have deployed MA 5.6.1 Hotfix 2 and have no impact, install MA 5.6.2.

To view other MA 5.6.x resolved or known issues, see KB90993.

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Workaround

Implement the following workaround if you have already deployed MA 5.6.1 HF2 and are experiencing either of the impacts described in this article. This workaround addresses the issue regardless of the impacted product.

Install any supported version of the McAfee Agent other than MA 5.6.1 HF2:
  • Because this issue affects only MA 5.6.1 HF2, you can deploy any older version of MA to address the issue or contact Technical Support for assistance. 
  • You can't upgrade MA using a client task from ePO if the ENS firewall is blocking the agent-to-server-communication. In that scenario, deploy the agent using the push agent install method in ePO. Or, use another method to deploy the MA that is documented in the McAfee Agent 5.6 Product Guide. For details, click here.
  • If you are not impacted by the ENSFW issue, you can upgrade the agent using a standard MA deployment task from ePO or any other agent deployment method. (For example, if your impact is the DLP policy change issue.)

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.