Notes of 20181230

1. ePO

ePO 5.10, upload certificate and select allow in ENS common policy , unable to save

all the cert pointed to a same position (even in a temporary policy) , so please do NOT delete any certificate , if no need please deselect allow option

There will be some automatically uploaded certificate without checking allow, we can't cancel the upload, this function added after ENS 10.5.2, refer to KB88085, use MFECanary.exe 

2. ENS/VSE/MA mctray or other dll injection

*phenomenon(if something abnormal shown, need add trusted then reinstall the affected product)

MA icon disappeared, ENS/VSE shows abnormal

use mfesysprep tool to check the dll injection, if there are some injection, search "untrusted" in mfe log

then add the cert or post father program to developer to add exclusion together with mfe log 

this function is designed to prevent double agent vulnerability, do not allow any other untrusted dll occupy McAfee address

 

3. Installation failed ENS

except for dll injection, for win7 there are only 8 filter driver, if other program occupied 8 filter driver then we can not install AMCORE then ENS installation failed

 

4. We can sort in system tree by tag, or from AD (much safe with match OU)

if there are some policies applied by group, then we can't move them, we can apply policies by tag first then sort systems

add tags by policy:

 

5. MAC OS DLP and ENSTP use a same platform (if you remove one then another issue occurred because can't find the platform)

there are not any standalone platform, if you want to install platform, please install TP directly

 

6. ENS 10.5.3 memory leak, file a bz

7. resolved issue on ePO 5.10.0 CU2 - system tree empty

ePO 5.9.1 orion debug will affect login site

8. solidcore, inventory dosen't show up in ePO

- in datachanel push fetch inventory task
- in SCOR_DATA_CHANNEL table we can see the change

- CLI must lockdown

- see solidcore client task log

- fetch inventory locally 

sadmin ls -rax > C:\inv.xml

then manually import the inventory.xml to ePO

Go to System tree in ePO console, select that system
go to actions>Application Control> Import Inventory
 

- Repro the issue again on other client machines as:
在客户端重现问题，并运行下列两个命令重置提取清单时间，并在EPO上开启solidcore orion debug：
sadmin config set pullinvlastaccesstime=default
sadmin config set invdifflastaccesstime=default
Go to ePO server and enable Solidcore orion debug as mentioned in 
https://kc.mcafee.com/corporate/index?page=content&id=KB81604&locale=en_US&viewlocale=en_US
 
Already done today.
今天远程过程中做了什么：
Open C:\programdata\McAfee\Agent\AgentEvents
打开AgentEvents文件夹
open MA window and click send Events and make sure no events left in AgentEvents folder.
打开MA状态监视器，点击收集并发送属性，确保AgentEvents文件夹中没有剩余文件
Delete Solidcore log files from C:\programdata\McAfee\Solidcore\Logs
删除原有solidcore日志
Do pull inventory for the machine and monitor the AgentEvents folder. When you see 100’s of xmls being put in this folder. Copy the folder and paste it at another location including its xmls.
单独为这台客户端运行收集清单任务，并持续观察AgentEvents文件夹
当看到一百多个xml文件出现时将这些文件复制到另一个位置（作为备份）
Do Send Events in MA window. 
在MA状态监视器点击收集并发送属性发送事件
Check in event parser logs if xmls were parsed
检查EPO上的event parser日志中是否有显示xml文件被解析
Look into orion.log if there is any error
观察orion 日志中是否有报错
Collect xmls folder, gatherinfo, event parser logs and orion logs and share with us if you don’t see inventory on ePO.
如果在EPO上没有看到清单，请将上面收集的客户端XML文件，gatherinfo日志和EPO上orion日志，eventparser日志上传给我们