Mcafee/Trellix EPO 5.10.0 Service Pack 1 repost, build 4098, fails to install and roll back

by butsch 7. June 2023 15:15

Update to 5.10.0 Service Pack 1 BUILD 4098

There is an issue with the EPO 5.10.0 Service Pack 1 re-post.

We have seen some EPO 5.10.0 Service Pack 1 installs go through smoothly and some larger EPO installations fail. Trellix forum member CDINET posted a tip on how to install it successfully.

Here is how to get the update through. Worse, the MSI installer rollback does not work and leaves the EPO in a non-working state. So it is important to have a hypervisor snapshot as fallback, or a Veeam backup, in case this fails.

Make sure you have installed all pre-SP1 updates up to "ePO_5.10.0_Update_15" (the steps below are additional; we assume you are already at Update 15 level before applying SP1). Please see the Trellix KB on how to get to Update 15 level.

Process to patch EPO 5.10 from Update 15 to the latest Service Pack 1 successfully:

  1. Back up everything you have, because there is a high chance this will fail. It is a re-posted patch that Trellix already withdrew once.
  2. Turn off/shut down all Mcafee/Trellix machines you have (EPO, DXL, Broker, TIE etc.)
  3. Log on to the TIE and DXL broker console or SSH and use "shutdown -f 1"
  4. Make a VM snapshot for disaster fallback. The snapshots should be taken while the VMs are off and all at the same time, because of DXL (if you use DXL)
  5. Start all VM machines
  6. On the EPO server disable the two WMI-related services
  7. Reboot the EPO server
  8. Install SP1; it will succeed
  9. Change the two WMI services back as shown in the screenshot

Services before:

change to:

  10. Reboot once
  11. Check the events
  12. Change the services back to what they were before

Services before:

If you want to be 100% sure, check the logs
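Steps 6 and 12 above disable two services and later put them back exactly as they were. The following PowerShell helper is an added example (not code from the post or from Trellix): it records start type and status of the services to a JSON file, disables them for the install, and restores the recorded state afterwards. The post does not name the two WMI-related services, so the two names in $WmiServices are placeholders and must be replaced with the services shown in the post's screenshot; the state file location is also an assumption.

```powershell
# Added example, not from the post: snapshot, disable and restore the two WMI-related
# services around the SP1 install so they end up exactly as they were.
# ASSUMPTION: the post does not name the services; replace these two placeholders
# with the two WMI-related services shown in the post's screenshot.
param(
    [ValidateSet('Backup', 'Disable', 'Restore')]
    [string]$Action = 'Backup',
    [string]$StateFile = "$env:ProgramData\epo-sp1-wmi-services.json"   # assumed location
)

$WmiServices = @('PLACEHOLDER_WMI_SERVICE_1', 'PLACEHOLDER_WMI_SERVICE_2')

switch ($Action) {
    'Backup' {
        # Record StartType and Status first; the Restore step needs this file.
        $state = foreach ($name in $WmiServices) {
            $svc = Get-Service -Name $name -ErrorAction Stop
            [pscustomobject]@{
                Name      = $svc.Name
                StartType = [string]$svc.StartType
                Status    = [string]$svc.Status
            }
        }
        ConvertTo-Json -InputObject @($state) | Set-Content -Path $StateFile -Encoding UTF8
        Write-Host "Saved service state to $StateFile"
        $state | Format-Table -AutoSize
    }
    'Disable' {
        if (-not (Test-Path -Path $StateFile)) {
            throw "Run -Action Backup first; $StateFile not found."
        }
        foreach ($name in $WmiServices) {
            Set-Service -Name $name -StartupType Disabled
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        Write-Host 'Services disabled. Reboot the EPO server, install SP1, then run -Action Restore.'
    }
    'Restore' {
        # Put back the recorded start type and start the service again if it was running.
        $saved = @(Get-Content -Path $StateFile -Raw | ConvertFrom-Json)
        foreach ($entry in $saved) {
            Set-Service -Name $entry.Name -StartupType $entry.StartType
            if ($entry.Status -eq 'Running') { Start-Service -Name $entry.Name }
        }
        Write-Host "Restored start types from $StateFile. Reboot once and check the events."
    }
}
```

Run it three times from an elevated prompt: `-Action Backup` before step 6, `-Action Disable` for step 6, and `-Action Restore` for step 12. Keeping the backup in a file rather than in your head matters here because the MSI rollback itself does not work, so you may be restoring from a snapshot and need to know what the original state was.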

trail

2023-06-07T10:54:26.226Z - info: Executed batch sql scripts for snapshot
2023-06-07T10:54:26.262Z - info: Successfully got connection
2023-06-07T10:54:26.266Z - info: Successfully got connection
2023-06-07T10:54:26.276Z - info: Successfully got connection
2023-06-07T10:54:26.290Z - info: Successfully got connection
2023-06-07T10:54:26.302Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/simagent64.exe'
2023-06-07T10:54:26.302Z - info: Successfully deleted entries EPOSnapshotFiles
2023-06-07T10:54:26.303Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/eposignle.exe'
2023-06-07T10:54:26.303Z - info: Successfully deleted entries EPOSnapshotFiles
2023-06-07T10:54:26.315Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/simagent.exe'
2023-06-07T10:54:26.315Z - info: Successfully deleted entries EPOSnapshotFiles
2023-06-07T10:54:26.317Z - info: Sucessfully executed SQL DELETE FROM [dbo].[EPOSnapshotFiles] WHERE [FilePath] = '/eposignse.exe'
2023-06-07T10:54:26.317Z - info: Successfully deleted entries EPOSnapshotFiles
2023-06-07T10:54:44.004Z - info: Service EPOEVENTPARSERSRV status is started
2023-06-07T10:54:55.599Z - error: Service start error :Error: Timed out attempting to start EPOAHAPACHESRV.
2023-06-07T10:54:55.709Z - error: Service start error :Error: Timed out attempting to start EPOAHAPACHESRV.
2023-06-07T10:55:05.723Z - info: Service EPOTOMCATSRV5100 status is started
2023-06-07T10:55:05.821Z - info: Determining if service EPOAHAPACHESRV is started or not
2023-06-07T10:55:16.299Z - info: Service EPOAHAPACHESRV status is started
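The log above shows two "Timed out" errors for EPOAHAPACHESRV that are harmless only because the service is reported as started 20 seconds later. The following PowerShell parser is an added example (not from the post) for that log format: it counts start timeouts per service and reports whether each service was finally logged as started, so an install whose Apache service never came up stands out. The $sampleLog lines are constructed from the excerpt above; the installer log path on a real server is not given in the post.

```powershell
# Added example, not from the post: parse lines in the format of the installer trail log shown
# above and summarise, per service, how many start timeouts were logged and whether the
# service was finally reported as started. $sampleLog is constructed from the post's excerpt.
$sampleLog = @'
2023-06-07T10:54:44.004Z - info: Service EPOEVENTPARSERSRV status is started
2023-06-07T10:54:55.599Z - error: Service start error :Error: Timed out attempting to start EPOAHAPACHESRV.
2023-06-07T10:54:55.709Z - error: Service start error :Error: Timed out attempting to start EPOAHAPACHESRV.
2023-06-07T10:55:05.723Z - info: Service EPOTOMCATSRV5100 status is started
2023-06-07T10:55:05.821Z - info: Determining if service EPOAHAPACHESRV is started or not
2023-06-07T10:55:16.299Z - info: Service EPOAHAPACHESRV status is started
'@

function Get-EpoTrailSummary {
    param([Parameter(Mandatory)][string[]]$Lines)
    $linePattern = '^(?<ts>\S+) - (?<level>\w+): (?<msg>.*)$'
    $timeouts = @{}   # service name -> count of "Timed out" errors
    $started  = @{}   # service name -> timestamp of the last "status is started"
    foreach ($line in $Lines) {
        if (-not ($line -match $linePattern)) { continue }   # skip blank/unknown lines
        $ts = $Matches.ts; $level = $Matches.level; $msg = $Matches.msg
        if ($level -eq 'error' -and $msg -match 'Timed out attempting to start (?<svc>\w+)') {
            $timeouts[$Matches.svc] = 1 + [int]$timeouts[$Matches.svc]
        } elseif ($msg -match '^Service (?<svc>\w+) status is started') {
            $started[$Matches.svc] = $ts
        }
    }
    $services = @($timeouts.Keys) + @($started.Keys) | Sort-Object -Unique
    foreach ($svc in $services) {
        $result = if ($started.ContainsKey($svc)) { 'started' } else { 'NOT STARTED - investigate' }
        [pscustomobject]@{
            Service   = $svc
            Timeouts  = [int]$timeouts[$svc]
            StartedAt = $started[$svc]
            Result    = $result
        }
    }
}

# Run on the constructed excerpt: EPOAHAPACHESRV shows 2 timeouts but ends up started.
Get-EpoTrailSummary -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize

# Real server: point this at the installer log file (path not given in the post).
# Get-EpoTrailSummary -Lines (Get-Content -Path 'C:\PATH\TO\installer-log.txt')
```

A service that appears with timeouts but no "status is started" line is the case to chase before trusting the install; the number of timeouts alone is not a failure indicator, as the excerpt shows.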

 

 

Tags:

SECURITY | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

M365, Exchange Online Remote Powershell blocked by T1056 Mitre Trellix

by butsch 4. April 2023 03:00

Trellix ENS 10.X, T1056 - Key capture using Powershell detected, Host intrusion buffer overflow

ExP:Illegal API Use Blocked an attempt to exploit C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE, which targeted the GetAsyncKeyState API.

Hello,

If you want to manage M365/Exchange Online there are several ways. You can use the PowerShell button within the admin portal, but then you need an Azure licence for the separate account you created for IT.

We also tried the remote shell to M365 on several servers and working clients and found an important fact.

Most antivirus solutions that do more than the others and implement the MITRE rules flag the connection as a credential phishing attack as defined in MITRE T1056 (keylogger). So you will have to exclude the machines where IT staff use the remote shell and are asked for credentials via the pop-up GUI (not passing the password in the CLI command).

https://learn.microsoft.com/en-us/powershell/exchange/connect-to-exchange-online-powershell?view=exchange-ps

Install-Module -Name ExchangeOnlineManagement -Force

Connect-ExchangeOnline

 

You can find and also exclude the API function call in Trellix EPO like this. I would like to state that you should only exclude T1056 on machines where the Exchange admin works.

Select the EXPLOIT checkbox, then at the bottom of the page on the left side, ADD Exclusion

Choose the POLICY you have for the clients on which you want to change this single false positive.

Again, it is best NOT to exclude that MITRE rule for all end users, just for the IT machines.

With Mcafee/Trellix ENS you can define POLICIES for all (a broad range) and then add more fine-grained policies on top for some machines or targets (like we know from Windows GPO with WMI filters).

T1056

Threat Target Process Name: POWERSHELL.EXE
Threat Target File Path: C:\WINDOWS\SYSTEM32\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE
Event Category: Host intrusion buffer overflow
Event ID: 18054
Threat Severity: Critical
Threat Name: ExP:Illegal API Use
Threat Type: Exploit Prevention
Action Taken: Blocked
Threat Handled: True
Analyzer Detection Method: Exploit Prevention
Location:
Module Name: Threat Prevention
Analyzer Technology Version:
Analyzer Content Creation Date: 3/6/23 10:06:04 PM CET
Analyzer Content Version: 10.6.0.12731
AMCore Content Version:
Analyzer Rule ID: 6183
Analyzer Rule Name: T1056 - Key capture using Powershell detected

 

If you want to disable Analyzer rule 6183 completely, you can do that here in your POLICY.

To see it you have to choose "OTHERS". By default this rule may not be ON in your Mcafee/Trellix environment (out of the box).

After the change the connection should work:

Tags:

Exchange 2013 | Exchange 2016 | Exchange 2019 | M365/AZURE | SECURITY | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

Mcafee ENS 10.7 June 2022 new Exclude EXPLOIT Rules by Active Directory user or group

by butsch 28. July 2022 17:01

 

Mcafee posted a fixed version of the 10.7 June 2022 release. Hidden in the release notes you will find an important detail.

You can now EXCLUDE Signature/Exploit/IPS rules FOR certain Active Directory users or groups by SID.

This is like a WMI filter for a GPO group policy: you can drill down more granularly and target exclusions more effectively.

A main problem until now: an exclusion by MD5 checksum would be the safest and most useful. However, if you have self-updating software (like a Rapid7 agent) you have a changing MD5 checksum. That's no problem if you have an enterprise setup with Mcafee TIE server and ATD sandbox, which automatically sees that there are older versions of the agent in the history, checks several other things and then approves the file for running or not.

For exclusions this will help to limit an exclusion for a certain file (without the MD5) to a certain user group or a single user.

If "financetoolstupidcoder.exe" hits 20 exploit rules because it was so badly coded, then you can exclude all the signature-based rules for the single user with the SID 5654654634338998888 (your CFO who gives IT money). ;-)

We would like to point out that Mcafee has the large solution with ATD (TIE server, ATD sandbox) which allows you to control EXEs by MD5, but in an SBS or even a 1000+ shop you sometimes simply can't handle strict change and release management.

This will help us all a lot.
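The new exclusion scope needs the SID of the AD user or group, not its name. The following PowerShell is an added example (not from the post or from McAfee) that resolves an account to its SID with the .NET NTAccount translation, checks that it is a domain SID rather than a local builtin one, and shows the MD5 of the binary next to it so the two scoping options discussed above can be compared. The account name and file path in the usage lines are assumptions.

```powershell
# Added example, not from the post or from McAfee: resolve the AD user or group to the SID
# the new per-SID exclusion needs, and show next to it the MD5 that a hash-based exclusion
# would rely on. Account and file path below are assumptions for the example.
function Get-AccountSid {
    param([Parameter(Mandatory)][string]$Account)   # 'DOMAIN\name' or 'name'
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    try {
        $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        throw "Account '$Account' could not be resolved on this machine/domain."
    }
}

function Test-DomainSid {
    # A domain user or group SID has the form S-1-5-21-<domain>-<RID>;
    # builtin groups (S-1-5-32-...) are local and not what an AD-scoped exclusion wants.
    param([Parameter(Mandatory)][string]$Sid)
    $Sid -match '^S-1-5-21-\d+-\d+-\d+-\d+$'
}

function Get-ExclusionCandidate {
    param(
        [Parameter(Mandatory)][string]$Path,     # binary the exploit rules fire on
        [Parameter(Mandatory)][string]$Account   # user or group to scope the exclusion to
    )
    $sid = Get-AccountSid -Account $Account
    [pscustomobject]@{
        File        = $Path
        Md5         = (Get-FileHash -Path $Path -Algorithm MD5).Hash   # changes with every self-update
        Account     = $Account
        Sid         = $sid                                             # stable across updates
        IsDomainSid = Test-DomainSid -Sid $sid
    }
}

# Quick check that resolution works: a builtin group exists on every Windows machine.
Get-AccountSid -Account 'BUILTIN\Administrators'    # S-1-5-32-544

# Usage with assumed names; the SID goes into the ENS exclusion instead of the MD5:
# Get-ExclusionCandidate -Path 'C:\Tools\financetool.exe' -Account 'CONTOSO\Finance-Tools-Users' | Format-List
```

Scoping to a group SID keeps the exclusion valid when the tool updates itself, whereas the MD5 column changes with every update; IsDomainSid catches the common mistake of pasting a local group's SID into a policy that is meant to follow the AD user.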

 

 

 

 

 

Tags:

Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME | Client Management

McAfee free tool GETSUSP.EXE (Cloud scanner for URL and files)

by butsch 16. March 2021 20:26

 

Hello,

There is a new release of a tool with which you can scan clients; everything it does not recognize (that looks suspicious) is sent fully automatically to Mcafee GTI. You can use it to submit unknown files to McAfee for analysis.

If you enter an e-mail address you receive the report after the analysis. The files that are integrated are then known to Mcafee GTI cloud and all products "treat" them as safer and more effectively.

The tool does 20% of the 100% feature set of the big ENS and also shows how fast ENS would be if it only searched for patterns.

The only drawback is that it should always be current, so when you need it please download it fresh. In return it is a single EXE and you can scan URLs, Office/PDF files or a custom directory with it.

https://www.mcafee.com/enterprise/en-us/downloads/free-tools/terms-of-use.html?url=https://downloadcenter.mcafee.com/products/mcafee-avert/getsusp/getsusp64.exe

  • Whatever Mcafee GTI does not know, it asks about at the end and automatically uploads to Mcafee (without a Mcafee NAI contract).
  • If you need it in an enterprise environment, please enter the proxy under Preferences.

If the files are fine, Mcafee and all Security Alliance partners (Trend, Symantec) then know the file, as do the companies that buy and exchange the real-time patterns from the three big ones. Mcafee VSE/ENS then knows the files and rates them as safer.

How to Use GetSusp | McAfee Free Tools

https://www.mcafee.com/enterprise/en-in/downloads/free-tools/how-to-use-getsusp.html

Proxy, and if you want information on WHEN McAfee analysed the files....

Tags:

Client Management | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME | Links - Important

McAfee Security for Exchange 8.6, Display Bug warning Dat out of date

by butsch 1. September 2020 19:38

EPO integrated McAfee Security for Exchange 8.6 SP2

If you have a fully integrated Mcafee Security for Exchange where you manage the POLICY and SETTINGS from the EPO (not on the Exchange server itself), you may see an error in the GUI that says "Your Anti-Virus DAT may be out of DATE".

That is just a warning; if you check the DAT, it is fine and up to date.

The DAT update button in the GUI on the Exchange server itself does not seem to update

The server actually has the latest DAT. As an example, on the left side below you see 9730, which is the DAT from 31.08.2020.

Just the update function does not understand that the server received the DAT from the EPO instead of from the WAN.

Exchange servers behind a load balancer like Kemp or F5 often have limited WAN internet access.

Some tips:

  • On smaller Exchange setups > sometimes you can solve this by changing the schedule, e.g. from 08:00 to 08:01 (just add a minute), and updating > maybe it's fine then
  • If not behind a load balancer > you may have to check the WAN access from the Exchange server and whether it can get the DAT from Mcafee
  • If you download the DAT manually from Mcafee and try to install it, you will see that you already have the newest version.

Screenshot from 1. September 2020

Check in EPO under Products

If you can't get it working for whatever reason, PUSH the DAT from McAfee EPO directly to the Exchange server where McAfee Security for Exchange runs. The error in the GUI will stay.

Tags:

Exchange 2016 | Exchange 2013 | Exchange 2010 | Microsoft Exchange | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

McAfee ENS WEB CONTROL outlook.exe chart.dll crash

by butsch 19. May 2020 17:06

 

01.09.2020: this is solved in the 10.7.0.1607 July 2020 release

Product version (Endpoint Security Platform): 10.7.0.1961 JUL 2020 Release

Product version (Endpoint Security Threat Prevention): 10.7.0.2021 JUL 2020 Release

Web Control: 10.7.0.1607 JUL 2020 Release

On several W10 machines we have seen Outlook.exe crash with Mcafee ENS Endpoint Security 10.7 Web Control active.

This behavior is seen up to release 10.7.0.1675 and HOTFIX 10.7.0.1733 as of 19.05.2020 and is caused by the function "E-Mail annotations" in the Mcafee Web Control module of ENS (Endpoint Security).

This function checks the URLs in existing e-mails and, if a URL is malicious, blocks it or warns the user WITHIN the e-mail.

For Mcafee to draw that warning it needs chart.dll. On some systems there is a known old story with a mix of chart.dll versions (we are unsure whether a 32/64-bit or language mix like German and English on the MS side finally leads to this error, but Google is full of it). Mainly it's because Windows itself has a chart.dll and there is a version from Office. Those are different.

Error you see:

"Required file chart.dll not found in your path. Install Microsoft Outlook again"

"Die erfoderliche Datei chart.dll wurde"

Event

Name der fehlerhaften Anwendung: OUTLOOK.EXE, Version: 16.0.4954.1000, Zeitstempel: 0x5df956bf
Name des fehlerhaften Moduls: KERNELBASE.dll, Version: 10.0.18362.628, Zeitstempel: 0x54734dee
Ausnahmecode: 0xc06d007e
Fehleroffset: 0x00113db2
ID des fehlerhaften Prozesses: 0x2bac
Startzeit der fehlerhaften Anwendung: 0x01d5e67e5d8b1520
Pfad der fehlerhaften Anwendung: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
Pfad des fehlerhaften Moduls: C:\WINDOWS\System32\KERNELBASE.dll
Berichtskennung: 55ace164-ec8b-4166-8170-8616d13f0366
Vollständiger Name des fehlerhaften Pakets:
Anwendungs-ID, die relativ zum fehlerhaften Paket ist:

 

Version 16.0.4924.1000 + "chart.dll"

You can see what happens here. The YELLOW line is where it does not find chart.dll at that certain path.
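Before turning off the option (or to understand which of the two chart.dll copies Outlook actually hits), it helps to see every chart.dll on the machine with its version, language and bitness, and which one wins on PATH. The following PowerShell is an added example (not from the post or from McAfee); the search roots are assumptions based on the paths that appear in the event above.

```powershell
# Added example, not from the post or from McAfee: list every chart.dll Outlook could pick up,
# with file version, language and bitness, so the Windows copy and the Office copy can be told
# apart, and show which one is first on PATH. The search roots are assumptions based on the
# paths in the post.
function Test-Pe64Bit {
    # Read the PE COFF machine field: 0x8664 = x64, 0x014c = x86.
    param([Parameter(Mandatory)][string]$Path)
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, [System.IO.SeekOrigin]::Begin)
        $peOffset = $br.ReadInt32()                                      # e_lfanew
        [void]$fs.Seek($peOffset + 4, [System.IO.SeekOrigin]::Begin)     # skip "PE\0\0"
        $br.ReadUInt16() -eq 0x8664
    } finally { $fs.Dispose() }
}

function Get-ChartDllCopies {
    param(
        [string[]]$Roots = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\SysWOW64",
            "${env:ProgramFiles(x86)}\Microsoft Office",
            "$env:ProgramFiles\Microsoft Office"
        )
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter 'chart.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $_.FullName
                    FileVersion = $_.VersionInfo.FileVersion
                    Product     = $_.VersionInfo.ProductName
                    Language    = $_.VersionInfo.Language
                    Is64Bit     = Test-Pe64Bit -Path $_.FullName
                }
            }
    }
}

function Get-FirstChartDllOnPath {
    # The one "Required file chart.dll not found in your path" is about: first hit in PATH order.
    $env:Path -split ';' | Where-Object { $_ } |
        ForEach-Object { Join-Path -Path $_ -ChildPath 'chart.dll' } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
}

Get-ChartDllCopies | Format-Table -AutoSize
$first = Get-FirstChartDllOnPath
"First chart.dll on PATH: " + $(if ($first) { $first } else { '<none>' })
```

If the table shows a Windows copy and an Office copy with different language or bitness, that is the mix the post describes; the script only reads file headers and changes nothing.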

 

 

SOLUTION:

McAfee ENS > Web Control > Options > Advanced Options > TURN OFF the FIRST option (uncheck)

View German Mcafee ENS

View EPO Policy English

This is what the function does: it highlights malicious URLs. Here is a sample from a Mcafee Security for Exchange alert warning which contained a malicious URL link. (This is a double alert, but just to show what we are talking about.)

You don't have to reinstall Outlook.exe, Office, or ENS Modules. Just turn off the option.

Some links about chart.dll (not related to McAfee)

https://answers.microsoft.com/en-us/office/forum/office_2016-outlook/2016-outlook-has-error-message-required-file/772b47c6-ead1-4d6f-9ad1-41da627cb9c7

Links with Mcafee at askwoody.com

https://www.askwoody.com/forums/topic/outlook-2016-and-chart-dll-error-multiple-pcs/

https://community.mcafee.com/t5/Endpoint-Security-ENS/Outlook-2016-and-chart-dll-error/m-p/651239

Tags:

Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME | W10

Missing entry in Fortigate Application Filter ROOT.CERTIFICATE.URL and OCSP source of W10 Setup failing

by butsch 31. October 2018 21:35

Fortigate Application Filter certificate wrong/missing entry sample for an important laptop driver (W10 deployment fails because of signed driver revocation lookup)

OR HOW a small missing ENTRY in a FORTIGATE FIREWALL IPS/APP filter can ruin your Windows 10 OS deployment work.

Reason: Missing entry in Fortigate Application Filter "ROOT.CERTIFICATE.URL" and "OCSP" as source of failing deployment

Windows 10 deployment with commercial deployment products (this includes HP client hardware, Microsoft SCCM, LANDesk or Ivanti Frontrange).

During the unattended phase the driver for mass storage or NIC does a certificate revocation lookup. However, in the example mentioned, the URL pki.infineon.com (hardware driver URL, CRL FQDN) is missing in the FortiGuard definitions. Thus the Fortigate blocks the access to the WAN. Since this is an early setup phase of W10, group policy or special GPOs do not apply at that moment.

Fortigate has already missed several PKI URLs in the last few months, confirmed by ticket, resulting in large trouble and delays on client and server OS of customers who route their client or server traffic through a web proxy and, for security reasons, do not want to route computer account proxy traffic to the proxy by default.

Why this is so important, and why it generates a lot of work and trouble for OS deployment teams:

The normal way in larger companies is that all outgoing traffic from the client VLAN goes to a firewall, which blocks it. All web/application/SOCKS traffic that should go outside goes to a proxy or web filter.

In the early phase of deployment those options are not yet set and normally not needed. However, if the driver is older than the expiration of the code signing certificate, W7/W10 will check the certificate revocation list from the WAN/Internet. If that fails it may refuse to integrate the driver in Windows PE or the early Windows setup phase. If, for example, this is a driver which handles the NIC (network) or mass storage (disk), the deployment can't get through this early process.

Workaround:

The URL we need open in our example is pki.infineon.com, which otherwise causes a complete enterprise deployment system to fail

Sample from Fortigate for other certs they missed:

F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.net|\.geotrust\.com|\.entrust\.net|\.public-trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thawte\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )

In our case:

F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )
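The two signatures above match on the HTTP Host header (--context host) with the regex in --pcre. The following PowerShell is an added example (not from the post or from Fortinet) that pulls the --pcre body out of each F-SBID line and tests a list of CRL/OCSP hostnames against it, so a gap like pki.infineon.com is visible before a deployment runs into it. The hostnames in $hosts are constructed for the example.

```powershell
# Added example, not from the post or from Fortinet: pull the --pcre body out of the two
# F-SBID signatures above and test hostnames against them the way "--context host" does
# (match on the HTTP Host header), to see which CRL/OCSP hosts a signature set covers.
# The hostnames in $hosts are constructed for the example.
$signatures = @(
    'F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.net|\.geotrust\.com|\.entrust\.net|\.public-trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thawte\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )',
    'F-SBID( --name "Root.Certificate.pki.infineon.com"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )'
)

function ConvertFrom-FSbid {
    # Extract --name and the /.../ body of --pcre from one signature line.
    param([Parameter(Mandatory)][string]$Signature)
    if (-not ($Signature -match '--name\s+"(?<name>[^"]+)"')) { throw 'signature has no --name' }
    $name = $Matches.name
    if (-not ($Signature -match '--pcre\s+"/(?<re>.+)/"')) { throw "signature $name has no --pcre" }
    [pscustomobject]@{ Name = $name; Regex = [regex]$Matches.re }
}

function Test-CrlHostCoverage {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        [Parameter(Mandatory)][string[]]$Signatures
    )
    $parsed = foreach ($s in $Signatures) { ConvertFrom-FSbid -Signature $s }
    foreach ($h in $Hosts) {
        $hit = $parsed | Where-Object { $_.Regex.IsMatch($h) } | Select-Object -First 1
        $matchedBy = if ($hit) { $hit.Name } else { '<none>' }
        [pscustomobject]@{ Host = $h; Covered = [bool]$hit; MatchedBy = $matchedBy }
    }
}

# Constructed host list: two covered by the Fortinet list, the driver CRL host, one unknown vendor.
$hosts = 'crl.microsoft.com', 'ocsp.digicert.com', 'pki.infineon.com', 'crl.example-vendor.test'

'--- Fortinet signature only: pki.infineon.com is not covered'
Test-CrlHostCoverage -Hosts $hosts -Signatures $signatures[0] | Format-Table -AutoSize

'--- With the custom signature added'
Test-CrlHostCoverage -Hosts $hosts -Signatures $signatures | Format-Table -AutoSize
```

Feed it the CRL and OCSP hosts from the certificates of your own driver packages (the CRL Distribution Points and Authority Information Access fields) and any host that comes back as "<none>" needs its own custom signature like the pki.infineon.com one before the deployment reaches that driver.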

Please also see:

Butsch.ch | The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC

So you understand that this is a problem which persists across all firewall producers:

https://support.symantec.com/en_US/article.HOWTO9584.html

Symantec: About the Install Readiness Check for Certificate Revocation List access

https://success.trendmicro.com/solution/1058226

Trend Micro: After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:

Checkpoint:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

If there is no Internet connection, then CRL fetch and intermediate CA fetch will fail (this will be logged). The inspection will take place; however, URL-based or Category-based bypassing will not work.

Note: The CRL verifications are performed in the background asynchronously while matching the security policy (this mimics the behavior of the major web browsers).

Untrusted certificates and lack of CRLs can be configured as reasons to drop the connection

Mcafee:
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/25000/PD25504/en_US/epo_530_pg_0-00_en-us.pdf

 

 

 

Tags:

Deployment | Microsoft SCCM/MEM/MDT | Scripting | Ivanti Frontrange Enteo | W10 | M365/AZURE | SECURITY | FW Fortigate | FW Sophos | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

McAfee EPO Server SQL Server Performance tips

by butsch 4. July 2018 02:10

 

 

This is based on McAfee information for their McAfee EPO DB running under SQL 2005/2008R2/2012 upwards.

The EPO database itself should be:

  • Auto Shrink = False
  • Auto Close = False
  • Auto Update Statistics = True

 

Auto shrink and auto close are database options that should be set to false. Auto update statistics should be set to true, except for very rare circumstances where the update of statistics is hindering the query performance and there is a customized manner to update statistics on a different interval. See the Performance Optimizer Product Guide for details on how to configure these database options.

  • File auto growth DB files: 256MB, unlimited
  • File auto growth DB log files: 128MB, unlimited

This is just a base recommendation. We learned back with NT4 and RAID setups that it is important to calculate the block size. Ask your storage/VMware people if they still know anything about it. You will be surprised how much they know, or don't.

The file growth settings for the ePO and tempdb databases should be set to auto-grow by 256MB for data files and 128MB for log files. The maximum size should be set to unlimited. It is not recommended to use the auto-grow by percent as it can lead to subsequently larger file growths. See the Performance Optimizer Product Guide for more details.

Yes we know: spend CHF 20'000.- for another SSD RAID or shelf, and ask your manager.

Data files and log files should be placed onto separate disks for maximum I/O throughput. See the Performance Optimizer Product Guide for more details.

 

Index and Fragmentation

Indexes with fragmentation greater than 30% should be rebuilt. Fragmentation between 20%-30% requires that the index be reorganized. Optimal index performance is achieved when fragmentation is removed on a regular schedule. See KB67184 and the Performance Optimizer Product Guide for more information.

Review the server task action settings. See the McAfee ePO Product Guide for the chapter on configuring server tasks. If the server task has been provided by a point product, review the guide for that product to ensure that all configuration settings are correct.

Review the scheduled server tasks. If too many server tasks are scheduled to run at the same time, reschedule some for a different time. See the McAfee ePO Product Guide for the chapter on configuring server tasks.
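The settings above are easy to drift away from after a restore or a storage move. The following PowerShell is an added example (not from the post or from McAfee's Performance Optimizer) that reads the database options, file growth and index fragmentation of the ePO database and tempdb through .NET SqlClient and lists every deviation from the recommendations; it only reads and changes nothing. The instance name, the database name and Windows authentication are assumptions.

```powershell
# Added example, not from the post or from McAfee: read-only check of an ePO database
# against the recommendations above (auto shrink/close off, auto update statistics on,
# 256 MB data / 128 MB log growth, unlimited max size, index fragmentation 20-30% reorganize,
# >30% rebuild). Instance name, database name and Windows-auth access are assumptions.
param(
    [string]$SqlServer = 'localhost\EPOSERVER',   # assumed instance
    [string]$Database  = 'ePO_DB'                 # assumed ePO database name
)

function Invoke-ReadQuery {
    param([string]$ConnectionString, [string]$Sql, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection($ConnectionString)
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($k in $Parameters.Keys) { [void]$cmd.Parameters.AddWithValue($k, $Parameters[$k]) }
    $table = New-Object System.Data.DataTable
    $conn.Open()
    try { $table.Load($cmd.ExecuteReader()) } finally { $conn.Close() }
    $table.Rows
}

# Database options and file growth for the ePO database and tempdb.
# growth is in 8 KB pages unless is_percent_growth; max_size -1 means unlimited.
$settingsSql = @"
SELECT d.name AS DbName, d.is_auto_shrink_on, d.is_auto_close_on, d.is_auto_update_stats_on,
       f.name AS FileName, f.type_desc, f.is_percent_growth, f.growth, f.max_size
FROM sys.databases d
JOIN sys.master_files f ON f.database_id = d.database_id
WHERE d.name IN (@db, 'tempdb');
"@

# Index fragmentation in the connected (ePO) database; tiny indexes are ignored.
$fragSql = @"
SELECT OBJECT_NAME(s.object_id) AS TableName, i.name AS IndexName,
       s.avg_fragmentation_in_percent AS Frag
FROM sys.dm_db_index_physical_stats(DB_ID(), NULL, NULL, NULL, 'LIMITED') s
JOIN sys.indexes i ON i.object_id = s.object_id AND i.index_id = s.index_id
WHERE s.avg_fragmentation_in_percent >= 20 AND s.page_count > 100 AND i.name IS NOT NULL;
"@

$cs = "Server=$SqlServer;Database=$Database;Integrated Security=True"
$findings  = New-Object System.Collections.Generic.List[string]
$dbChecked = @{}   # database-level options are reported once per database, not per file

foreach ($r in (Invoke-ReadQuery -ConnectionString $cs -Sql $settingsSql -Parameters @{ '@db' = $Database })) {
    $db = $r.DbName; $file = "$db/$($r.FileName)"
    if (-not $dbChecked.ContainsKey($db)) {
        $dbChecked[$db] = $true
        if ($r.is_auto_shrink_on)            { $findings.Add("${db}: Auto Shrink is ON (should be False)") }
        if ($r.is_auto_close_on)             { $findings.Add("${db}: Auto Close is ON (should be False)") }
        if (-not $r.is_auto_update_stats_on) { $findings.Add("${db}: Auto Update Statistics is OFF (should be True)") }
    }
    $wantMB = if ($r.type_desc -eq 'LOG') { 128 } else { 256 }
    if ($r.is_percent_growth) {
        $findings.Add("${file}: growth by percent (use a fixed $wantMB MB)")
    } elseif (($r.growth * 8 / 1024) -ne $wantMB) {
        $findings.Add("${file}: growth is $($r.growth * 8 / 1024) MB (recommended $wantMB MB)")
    }
    # SQL Server stores the 2 TB log cap (268435456 pages) for logs shown as "Unlimited".
    $unlimited = ($r.max_size -eq -1) -or ($r.type_desc -eq 'LOG' -and $r.max_size -eq 268435456)
    if (-not $unlimited) { $findings.Add("${file}: max size is limited (recommended unlimited)") }
}

foreach ($r in (Invoke-ReadQuery -ConnectionString $cs -Sql $fragSql)) {
    $action = if ($r.Frag -gt 30) { 'REBUILD' } else { 'REORGANIZE' }
    $findings.Add("index $($r.TableName).$($r.IndexName): $([math]::Round($r.Frag, 1))% fragmented -> $action")
}

if ($findings.Count -eq 0) { 'No deviations from the ePO SQL recommendations found.' } else { $findings }
```

Run it as an account with VIEW SERVER STATE and read access to the ePO database; the fragmentation query needs that permission. Scheduling it alongside the index maintenance task gives a quick before/after picture of what the rebuild or reorganize actually achieved.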

Please see our other McAfee EPO enterprise PRO tips

http://www.butsch.ch/post/MCAFEE-EPO-SQL-shrink-large-files-in-small-steps.aspx

http://www.butsch.ch/post/Mcafee-EPO-Server-4X-Database-or-Space-growing-EPOevents.aspx

http://www.butsch.ch/post/Mcafee-EPO-Server-45-Upgrade-to-46-mit-SQL-Express-2005-SP2-to-SP4.aspx

If you need commercial help with McAfee EPO/TIE/DLP/ATD Migration contact us.

 

Tags:

Client Management | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

Spectre – Meltdown - MS Bluescreen - Microsoft says AV producer has to Set Registry Flag

by butsch 6. January 2017 06:17

06.01.2018, 01:33 CET, Europe

Do not set the specific registry key that Microsoft announced a few days ago manually until you have checked 100% and understood what it does. This was wrongly interpreted and understood by several blogs and even larger news agencies. The way it should be done (as stated by Microsoft on Friday) is that the antivirus producer sets the specific registry flag key, which will make the update available to you for download from Windows Update directly. You can also download it from the Windows Update catalog if you did this THEN (this weekend) on one machine. We recommend waiting with patching W7/W10 until Monday, when this is clearer.

From our point of view it's unclear, for example, what people with W10 1709 Fall Creators Update with Edge in the hypervisor sandbox and Windows Defender (and thus no other AV software) should do.

There everything comes from Microsoft? Anybody seen that update there?

Attention:

Microsoft clearly states that there have been blue screens on some machines, a thing most of you had forgotten and not seen for years. Several blogs report that the specific update caused problems even while installing. The only way to install it was via wusa.exe and the command line PLUS at the end killing hanging tasks with scripts.

 

Note Customers will not receive the January 3, 2018, security updates and will not be protected from current security vulnerabilities unless their antivirus software sets the following registry key:

Microsoft has identified a compatibility issue with a small number of antivirus software products.

The compatibility issue arises when antivirus applications make unsupported calls into Windows kernel memory. These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot. To help prevent stop errors that are caused by incompatible antivirus applications, Microsoft is only offering the Windows security updates that were released on January 3, 2018, to devices that are running antivirus software that is from partners who have confirmed that their software is compatible with the January 2018 Windows operating system security update.

If you have not been offered the security update, you may be running incompatible antivirus software, and you should consult the software vendor.

Microsoft is working closely with antivirus software partners to ensure that all customers receive the January Windows security updates as soon as possible.

Do not set the specific registry key that Microsoft announced a few days ago manually, and if so ONLY if you have validated that all your security products are compatible and listed on the producer's special KB or blog entry.

As per MS, the producer of the AV software has to do so after final testing:

Key=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Value=cadca5fe-87d3-4b96-b7fb-a231484277cc
Type=REG_DWORD
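Since the advice above is to let the AV vendor set the flag rather than setting it yourself, what an admin actually wants is a read-only way to see whether it has already been set on a machine, and by which AV product it could have been set. The following PowerShell is an added example (not from the post or from Microsoft): it reads the QualityCompat value listed above and lists the antivirus products registered with Security Center, and sets nothing.

```powershell
# Added example, not from the post or from Microsoft: read-only check of whether the
# QualityCompat value quoted above is present on this machine, plus the antivirus product(s)
# registered with Security Center, so you can see which vendor should have set it. Sets nothing.
function Get-QualityCompatState {
    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $valueName = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $keyExists = Test-Path -Path $keyPath
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    $present = $null -ne $item
    $data = $null; $kind = $null
    if ($present) {
        $data = $item.$valueName
        $kind = (Get-Item -Path $keyPath).GetValueKind($valueName)   # expected: DWord (REG_DWORD)
    }
    $verdict = if ($present -and $kind -eq 'DWord') { 'flag set (by AV vendor or an admin)' } else { 'flag not set' }
    [pscustomobject]@{
        KeyExists    = $keyExists
        ValuePresent = $present
        ValueData    = $data
        ValueType    = $kind
        Verdict      = $verdict
    }
}

function Get-RegisteredAntivirus {
    # Security Center namespace exists on client Windows (W7/W10), not on Server editions.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object -Property displayName, productState, pathToSignedProductExe
}

Get-QualityCompatState | Format-List
Get-RegisteredAntivirus | Format-Table -AutoSize
```

If the flag is present but the registered AV product is not on its vendor's compatibility list (like the McAfee list below), that is the situation the post warns about: the update will be offered to a machine whose AV has not been confirmed compatible.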

 

Since we recommend Mcafee, here is their current list of products which run fine with the update.

Mcafee 06.01.2018

The following products have been tested and are confirmed as compatible

Testing is ongoing for all McAfee products and no compatibility issues with the Microsoft update have been found so far. We expect all of our testing to be complete on endpoint products by End of Day Monday, January 8th.

 

* Data Exchange Layer (DXL) 3.1.0 and later
* Data Loss Prevention 9.4 and later
* Drive Encryption 7.0 and later
* ePolicy Orchestrator 5.9 and later (Sadly no Enterprise runs 5.9 ;-)
* Endpoint Security 10.2 and later
* File and Removable Media Protection 5.0.4 and later
* Host IPS 8.0 Patches 4, 7, 9, 10
* McAfee Active Response 1.1 and later
* McAfee Agent 4.8 Patch 3 and later
* McAfee Application Control 6.2.0 and later
* McAfee Client Proxy 1.2 and later
* MOVE 4.5 and later
* Native Encryption (MNE) 4.0 and later
* SiteAdvisor Enterprise 3.5 Patch 5 and later
* System Information Reporter (SIR) 1.0.1 and later
* Threat Intelligence Exchange (TIE) Client for VSE 1.0.2 and later
* VirusScan Enterprise 8.8 Patches 4, 8, 9, and 10
* VirusScan Enterprise for Storage 1.2 and later

Tags:

Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

Intel/Migration Mcafee EPO VSE 8.8 auf Endpoint 10.X First Look and Tips

by butsch 2. September 2016 15:17

Migration Mcafee VSE 8.8 to Endpoint 10.X: first look

Put together by Butsch from all the presentations online, channel presentations and first lab dives with 10.X

Current release is Mcafee Endpoint Security 10.2

Most things will be cleaner (some things will be merged)

HIPS

As an example, 4 OLD VSE 8.8 POLICIES are merged into 1 "ON ACCESS SCAN policy"

New here:

NEW: Workstation and Server are NO longer possible in the same policy (dropdown)

  1. Migrate workstations automatically
  2. After that, the servers MANUALLY (or both manually)
  3. You will have to separate "Workstation" and "Server" in the GUI under an OU (I hope you do that anyway above 100+ endpoints!) (or use TAGS for policies)

NEW: You will have to make a separate POLICY for "Workstation" and "Servers"

Some things do not work anymore: old exclusions with **\WILDCARDS without a DRIVE LETTER > no longer work in ENS 10.X

There is a remark in the migration wizard which will tell you again!

What you need before you think about starting

  • Basis for an update of existing environments
  • Base it on the existing customer environment running EPO

There is a special migration helper tool which you can install

You can select which policies to migrate and change policies during the migration

 

 

Quiz questions from Butsch

When can I do what?

Is there any risk for my environment?

Is the migration safe?

Before the 10.1 PACKAGE is deployed NOTHING will happen to the CLIENTS. You can migrate the POLICIES BEFORE and THEN at the end deploy VSE 10.

As soon as YOU deploy the VSE 10.1 package the migration on the CLIENT side begins. As with a regular PATCH 8 for VSE or a 7.5 to 8 migration, you TEST DEPLOY to a few clients for a week or some days and THEN you can deploy to (migrate) the other clients. All other clients will KEEP pulling the VSE 8.x POLICIES.

Question: We just want virus protection; we don't want HIPS or SiteAdvisor because we have other clients like FortiClient or Windows Firewall.

  • There are still 3 parts and modules
  • You can DEPLOY them with separate deployment jobs
  • Only what you deploy gets onto the client, so unlike with other endpoint products you don't have 75% of the client's parts that you don't use because they are already integrated with other brands

See more info:

https://www.youtube.com/watch?v=H4vUFnhaHro

https://community.mcafee.com/docs/DOC-8364

https://community.mcafee.com/docs/DOC-8364#jive_content_id_VIDEO__Migrating_from_McAfee_VirusScan_Enterprise_88_to_McAfee_Endpoint_Security

 

Tags:

Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME | Client Management


