Loading...

Knowledge Center


Product compatibility issues with McAfee Agent 5.6.1 Hotfix 2
Technical Articles ID:   KB91655
Last Modified:  7/17/2019
Rated:


Environment

McAfee Agent (MA) 5.6.1 Hotfix 2 (build 5.6.1.298)
McAfee Application and Change Control (MACC) 8.x, 7.x, 6.x
McAfee Data Loss Prevention (DLP) Endpoint 11.2.x, 11.1.x, 10.0.0
McAfee Endpoint Security Firewall (ENSFW) 10.6.x, 10.5.x, 10.2.x

Summary

MA 5.6.1 Hotfix 2 has been removed from the Product Download sites. If you have already downloaded the release but have not yet deployed it, McAfee strongly recommends that you do not deploy it, and use MA 5.6.1 Hotfix 3.

Problem

MA to ENSFW compatibility issue

Agent-to-server communication is broken under the following conditions:
  • When you deploy MA 5.6.1 Hotfix 2 to endpoints that have ENS installed
  • When ENS uses a non-default firewall policy

Masvc_.log records the errors:

Masvc(3096.3488) network.Notice: URL(https://192.168.1.1:443/spipe/pkg?AgentGuid={}&Source=Agent_3.0.0) request failed with curl error <56>, response code <0>, http connect code 502

ENS FirewallEventMonitor.log records:
 
Time: 07/10/2019 01:13:38 PM
Event: Traffic
IP address: ###.###.###.###
Description: MCAFEE AGENT SERVICE
Path: C:\PROGRAM FILES\MCAFEE\AGENT\MASVC.EXE
Message:  Blocked Outgoing TCP - Source ###.###.###.### : (62681) Destination ###.###.###.### : https (443)
Matched Rule: Block all traffic
 
Time: 07/10/2019 01:13:38 PM
Event: Traffic
IP address: 192.168.1.1
Description: MCAFEE AGENT SERVICE
Path:  C:\PROGRAM FILES\MCAFEE\AGENT\MASVC.EXE
Message: Blocked Incoming TCP - Source ###.###.###.### : https (443) Destination ###.###.###.### : (62681)
Matched Rule: Block all traffic

Problem

MA to DLP compatibility issue

After you deploy MA 5.6.1 Hotfix 2 to endpoints that have DLP Endpoint 11.2.0 or earlier installed, MA can no longer make policy changes for DLP if access protection is enabled.

Problem

MA to MACC compatibility issue
The Technical Support code-signing certificate for MA has been updated recently, and product functionality has been affected by the change.
 
Make sure that you are running the latest version of MA (MA 5.6.1 Hotfix 3) if you experience any issues with communication between MA and the Application Control plug-in.

Cause

The executables for MA 5.6.1 Hotfix 2 are signed with a new certificate.

ENSFW has a built-in rule that allows traffic from the masvc.exe process, even if a firewall rule is present to block it. But, the process must be signed with a specific certificate so that ENSFW can't block agent-to-server communications.

The built-in rule does not account for the certificate change. So, it is possible for ENS to block agent-to-server communication when you use a non-default firewall rule set.

Similarly, DLP has a self-protect feature called access protection which relies on the certificate to trust the process trying to communicate with DLP. Because DLP does not trust the certificate that the MA services are signed with, MA can't hand off the policy update to DLP to enforce.

Solution

If you have deployed MA 5.6.1 Hotfix 2 and have no impact, install MA 5.6.1 Hotfix 3, which is available from the Product Downloads site at: http://mcafee.com/us/downloads/downloads.aspx.

If you are impacted by this issue, use the workaround below or contact Technical Support.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.
To receive email notification when this article is updated, click Subscribe on the right side of the page. You must be logged on to subscribe.

To receive information about McAfee product updates, sign up for the Support Notification Service at https://sns.secure.mcafee.com/signup_login.

Workaround

Implement the following workaround if you have already deployed MA 5.6.1 HF2 and are experiencing either of the impacts described in this article. This workaround addresses the issue regardless of the impacted product.

Install any supported version of the McAfee Agent other than MA 5.6.1 HF2:
  • Because this issue affects only MA 5.6.1 HF2, you can deploy any older version of MA to address the issue or contact Technical Support for assistance. 
  • You will not be able to upgrade MA using a client task from ePO if the ENS firewall is blocking the agent-to-server-communication. In that scenario, you will need to deploy the agent using the push agent install method in ePO or one the other methods to deploy the MA, which are documented in the McAfee Agent 5.6 Product Guide. For details, click here.
  • If you are not impacted by the ENSFW issue, for example if your impact is the DLP policy change issue, you can upgrade the agent using a standard MA deployment task from ePO or any other agent deployment method.

Rate this document

Beta Translate with

Select a desired language below to translate this page.

Languages:

This article is available in the following languages:

English United States
Japanese

Glossary of Technical Terms


 Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.