| Reference Number | Related Article | Found in MAR version | Resolved in MAR version | Issue Description |
| PERINOLA-16297 | 2.4.3 | 2.4.4 | Issue: After you upgrade ePO 5.10 to Update 9, you see the following error when you navigate to any MAR page in ePO: Solution: Install MAR 2.4.4. |
|
| TSET-5237 | 2.4 | 2.4.3 | Issue: MAR stops responding (crashes) when the Endpoint Security (ENS) 10.6.1 December 2019 update or ENS 10.7 February update has been installed in the environment. Solution: Install MAR 2.4.3. |
|
| 2.4 | Issue: MAR installation fails on a clean endpoint (without ENS) if the ENS version available in the ePO Master Repository Current Branch is 10.7. Cause: MAR depends on ENS. If ENS isn't already installed in the endpoint, the MAR installer pulls the packages TP and ATP from the Master Repository. The installation of ENS 10.7 fails in that scenario, which causes the MAR installation to fail. Solution: Install ENS 10.7 before you trigger the MAR installation. |
|||
| ENSW-27358 | 2.4 | 2.4.2 | Issue: MAR can't be installed or upgraded on top of ENS 10.7 Release to Support evaluation builds greater than build 10.7.0.541. Solution: Upgrade to MAR 2.4.2. |
|
| N/A | 2.4 | Issue: MAR Registered Server doesn't activate and shows Solution: Make sure that the configured Server Location is valid. Then, use the IMPORTANT: MAR registered server isn't updated automatically if it was manually edited and saved. If the MAR registered server was manually edited, it must be removed and re-created during upgrade. |
||
| 1257901 | 2.4 | Issue: Too many complex searches at once might cause the JVM heap to overrun. This situation stops the Solution: Expand JVM heap limits by adding Restrict the ES heap size by changing Restart the service by running |
||
| 1256879 | 2.4 | Issue: MAR Server 2.4 upgrade fails to leave the service uninstalled when pushed to a legacy MAR 2.3 appliance. Solution: Check the required one-time migration procedure detailed in the MAR 2.4 Installation Guide. Redeploy MAR Server 2.3 to recover functionality and custom content. |
||
| KB90915 | 2.4 | Issue: When you upgrade from a multi-server installation (2.3 and earlier) to a single-server setup (2.4 and later), you must migrate your configured content to avoid losing it. Solution: See the related article. |
||
| 1244782 | KB90784 | 2.2 | 2.3 | Issue: Installing MAR 2.2.x via ePolicy Orchestrator (ePO) fails when ENS 10.6 is installed. Solution: Fixed in MAR client 2.3. |
| 1241963 | 2.3 | 2.3 HF4 2.4 HF1 |
Issue: You install or upgrade a product on a system with SysCore with ENS Exploit Prevention or Host Intrusion Prevention Exploit Prevention enabled. You then see either a blue screen displayed, or the system stops responding (hangs). Workaround: Disable the Exploit Prevention feature before you install or upgrade the software. Solution: Fixed in 2.3 Hotfix 4 and 2.4 Hotfix 1 (RTS). |
|
| 1176118 | 2.3 | 2.3 HF1 | Issue: Workspace doesn't receive remediation events automatically for Mac endpoints. You must manually dismiss the event. Workaround: Apply a remediation. Then, check for processes being properly closed in the Trace chart for each host. Then, manually dismiss the threat. Or, view the Threat Event Log for the relevant events and manually dismiss the events. |
|
| 2.3 |
Issue: The Trace Plug-in is disabled by default when you upgrade to MAR 2.3 on macOS only.
Solution: Navigate to your policy and enable it with the Enable Plug-in for macOS Endpoints options.
|
|||
| 1214069 | 2.2 | 2.3 | Issue: You identify a threat in the Potential Threats list. You then remove one or more of its affected hosts from the System Tree before taking remediation action. But, you see that the threat isn't removed from the Potential Threats list. Solution: Remove Affected Hosts you know are no longer a problem. Use the Dismiss action on the Workspace for this removal. |
|
| 1208348 | 2.2 | Issue: The MAR Workspace disables the Stop and Remove action on Known Trusted files. But, if the file is trusted by McAfee Certificates or by McAfee Validation and Trust Protection (VTP) service, the file's reputation in the Workspace appears as Not Set. Also, the Stop and Remove action is enabled. Solution: When a Stop and Remove action is taken from the Workspace, the |
||
| 1210099 | 2.2 | Issue: When the MAR server runs out of storage space, features in the Catalog, Advanced Search, and Workspace stop working. The issue isn't reported in Health Status. Solution: Make sure that the minimum requirements for the MAR server are met. When you experience problems in Advanced Search on the Catalog but have no error messages in Health Status, check the server for low storage capacity. |
||
| 1214051 | 2.2 | Issue: The It only shows Solution: None available. But, the presence of this information might be an indicator of a virtual USB device present. |
||
| 1207202 | 2.0.1 | 2.1 | Issue: You enable Trace on the MAR client 2.0.1 and open Outlook. Outlook takes a long time to open and you then see that the endpoint slows down and suffers performance issues. Solution: Upgrade to MAR 2.1. |
|
| 2.0 |
Issue: MAR 2.x is deployed using ePO 5.3. But, if you then upgrade to ePO 5.9, you see that the MAR Server certificates are no longer valid and must be regenerated.
Solution:
|
|||
| 1209426 | 2.1.2 | 2.2.0 |
Issue: The installer for MAR Aggregator released in the package for MAR 2.1.0 is defective.
Workaround: Perform the applicable workaround:
All other components must be MAR version 2.1.0.
Aggregator version 2.0.1 is available from the Product Downloads site and ePO Software Manager. |
|
| 1205281 | 2.1.0 | 2.2.0 |
Issue: Installation of the MAR 2.1.0 extensions bundle fails when Threat Intelligence Exchange (TIE) and Data Exchange Layer (DXL) extensions are already installed in ePO.
Workaround: To avoid the installation failure when the DXL and TIE extensions are already installed in ePO, perform the following steps to install the MAR 2.1.0 extensions bundle:
|
|
| 1193660 | 2.0 | 2.1.0 | Issue: ePO 5.9.0 incorrectly displays the MAR 2.0 health check status. | |
| 1198057 | 2.0 | 2.1.0 |
Issue: You're working in an environment with at least 50 potential threats recorded. When you move the Time filter to 90 days, you see the error below:
Solution: This issue is resolved in MAR 2.1.0.
|
|
| 1148152 | 2.0 | 2.1 | Issue: Because of a problem with how AAC Control manages resources, installation of MAR 2.0 clients can fail on Windows endpoints where other products are installed. Solution: Restart the endpoint and start installation again. |
|
| 2.0 | Issue: On Microsoft Windows versions 7, 8.1, and 10 the endpoint might experience performance degradation during boot and shutdown if the latest ENS 10.2.1 package isn't installed. Solution: Make sure that endpoints are updated to ENS 10.2.1 before installation. |
|||
| 2.0 | Issue: The Help extensions for TIE and DXL that are relevant to a MAR 2.0 deployment aren't included in the MAR 2.0 extensions bundle (the MAR Help extension is included). Solution: Install the DXL and TIE Help extensions manually from the ePO Software Manager. |
|||
| 1163497 | 2.0 | 2.0.1 |
Issue: MAR client reports false-positive threats for issues related to processes that generate process and network, file system, or Windows Registry events that occur due to normal operation.
Cause: The Potential Threats list on the MAR Workspace is populated with processes found on endpoints that have called the attention of the MAR client. The MAR client primarily monitors process events, network events, filesystem events, and Windows Registry events. For example, the Resolution: There can be cases where a seemingly trusted process might exhibit malicious behavior. Check the following:
|
|
| 2.0 | Issue: After you perform the Make Known Trusted action on a threat, the threat doesn't disappear from the Potential Threats list. Cause: Threats that are remediated by setting the TIE reputation to Known Trusted might still produce events on endpoints. Although the user might want to assume that these running processes are safe, the processes still produce MAR events. The reason is because other processes could use the trusted process in a malicious way. Solution: To focus on recent activity, use the time selector in the Workspace. Hide from the Potential Threats list those events that have been marked as Known Trusted. Also, after 90 days have passed since the first time the trusted process was seen, it is removed from the workspace. NOTE: If the trusted process reappears on the Workspace as a threat, it means that there's new activity that the incident responder must inspect. |
|||
| 2.0 | Issue: When you use the Stop And Remove action through the Active Response Workspace, the process created by running a remote file is closed. But, the remote file is removed from the network shared drives or folders. Files included are ones that aren't stored locally on the endpoint, but are logically linked to the endpoint. For example, Windows shared folders connected to the endpoint as drives. Cause: By design, MAR can't access network-shared files due to security constraints. Workaround: If MAR is installed on the file server that is linked to or accessed by the endpoint where the threat is detected, use an MAR search to find the file and remove it. |
Back to top
