Technical Articles ID: KB91275
Last Modified: 2024-03-27 13:31:31 Etc/GMT
Environment
Trellix EDR
NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.
Summary
Recent updates to this article
March 27, 2024: Updated the "Product release information" section with Trellix EDR 4.2.0 Hotfix 2.
March 22, 2024: Added SEC-180214 to the "Non-critical known issues" section.
March 1, 2024: Updated Product release information.
February 20, 2024: Added SEC-181828 to the "Non-critical known issues" section.
January 10, 2024: Updated the following:
    Added release information for the January 9 on-premise update (Linux).
    Added Resolved in version for SEC-109027.
Contents
Issue: Deploying EDR 4.1.0 from the ePO SaaS Product Deployment page fails for Linux and macOS endpoints.
Workaround: See the related article.
SEC-106105
4.0.0
Issue: Columns containing IPv4/IPv6 values aren't converted to readable values.
The affected columns are in the data exported to your S3 bucket.
The sources are the ePO Audit Logs and Threat event source types from the MDR workflow.
Workaround: The data exported from our data sources to configured external S3 buckets has IP addresses presented as a signed integer (negative number). When consuming the data exported into S3 buckets, apply appropriate conversion logic to convert the number back to an IP address.
Use the following conversion logic to convert the number back into an IP address when processing the data from the S3 bucket.
public String longToIp(int ip) // the input argument is the signed int from the export
{
    // Add 2^31 to move the signed representation back into the range [0, 2^32-1];
    // the export offsets the address by 2^31 because MAX_INT is 2^31-1.
    // The arithmetic is done in long so it doesn't depend on int overflow.
    long ip1 = ((long) ip + 2147483648L) & 0xFFFFFFFFL;
    return ((ip1 >> 24) & 0xFF) + "."
        + ((ip1 >> 16) & 0xFF) + "."
        + ((ip1 >> 8) & 0xFF) + "."
        + (ip1 & 0xFF);
}
To convert these Base64-encoded strings to IPv6 format (Java), use the following conversion logic:
import java.net.Inet6Address;
import java.net.UnknownHostException;
import java.util.Base64;

public static void main(String[] args) throws UnknownHostException
{
    String encoded = "AAAAAAAAAAAAAP//Cmjguw=="; // Base64-encoded IPv6 address from the export
    byte[] decoded = Base64.getDecoder().decode(encoded); // the 16 raw address bytes
    Inet6Address ip1 = Inet6Address.getByAddress(null, decoded, 0); // build the IPv6 address from the bytes
    System.out.println(ip1.getHostAddress()); // prints 0:0:0:0:0:ffff:a68:e0bb%0; drop the trailing %0 (scope ID)
}
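As an added example that isn't part of this article or of Trellix's code, the class below applies both conversions from this item to a record read from an S3 export. The comma-separated record layout and the source labels are constructed for illustration; only the two encodings (IPv4 as a signed int offset by 2^31, IPv6 as Base64 of the 16 address bytes) come from the workaround above. It also covers what the snippets above leave out: the boundary values of the signed-int encoding, rejecting a Base64 value that doesn't decode to 16 bytes, and using InetAddress.getByAddress(byte[]) so that no "%0" scope suffix is appended and an IPv4-mapped value such as the sample (::ffff:10.104.224.187) is printed as a dotted quad.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Base64;

// Added example, not Trellix code: decode the IP fields of one exported record.
// Record layout (constructed for illustration): "<source>,<IPv4 signed int>,<IPv6 Base64>".
public class ExportedIpDecoder {

    // Reverse the export's IPv4 encoding: the stored signed int is the address minus 2^31,
    // so add 2^31 back. Done in long arithmetic so it never relies on int overflow.
    public static String ipv4FromSignedInt(int stored) {
        long unsigned = ((long) stored + 2147483648L) & 0xFFFFFFFFL;
        return ((unsigned >> 24) & 0xFF) + "." + ((unsigned >> 16) & 0xFF) + "."
             + ((unsigned >> 8) & 0xFF) + "." + (unsigned & 0xFF);
    }

    // Decode the Base64 IPv6 bytes. InetAddress.getByAddress(byte[]) sets no scope ID,
    // so nothing like "%0" is appended, and it returns an Inet4Address for an
    // IPv4-mapped address (::ffff:a.b.c.d), which then prints as a dotted quad.
    public static String ipv6FromBase64(String encoded) {
        byte[] addr;
        try {
            addr = Base64.getDecoder().decode(encoded.trim());
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("IPv6 field is not valid Base64: " + encoded, e);
        }
        if (addr.length != 16) {
            throw new IllegalArgumentException("expected 16 IPv6 address bytes, got " + addr.length);
        }
        try {
            return InetAddress.getByAddress(addr).getHostAddress();
        } catch (UnknownHostException e) {
            throw new IllegalStateException("unreachable: length was checked above", e);
        }
    }

    // Decode one record line; an empty field is reported as "-" rather than failing the record.
    public static String decodeRecord(String line) {
        String[] f = line.split(",", -1);
        if (f.length != 3) {
            throw new IllegalArgumentException("expected 3 fields, got " + f.length + ": " + line);
        }
        String v4 = f[1].trim().isEmpty() ? "-" : ipv4FromSignedInt(Integer.parseInt(f[1].trim()));
        String v6 = f[2].trim().isEmpty() ? "-" : ipv6FromBase64(f[2]);
        return f[0].trim() + " ipv4=" + v4 + " ipv6=" + v6;
    }

    public static void main(String[] args) {
        // Constructed sample records. The first IPv6 value is the one from the article;
        // the IPv4 values are the boundary values of the signed-int encoding.
        String[] records = {
            "threat_event,-2147483648,AAAAAAAAAAAAAP//Cmjguw==", // 0.0.0.0 and ::ffff:10.104.224.187
            "threat_event,-1,",                                 // 127.255.255.255, no IPv6 value
            "epo_audit,0,IAENuAAAAAAAAAAAAAAAAQ==",             // 128.0.0.0 and 2001:db8::1
            "epo_audit,2147483647,",                            // 255.255.255.255
            "epo_audit,42,bm90LWFuLWFkZHI=",                    // Base64 of 11 bytes: rejected
        };
        for (String r : records) {
            try {
                System.out.println(decodeRecord(r));
            } catch (IllegalArgumentException e) {
                System.out.println("skipped record: " + e.getMessage());
            }
        }
    }
}
```

Compile and run it with javac/java; the last record is deliberately malformed so the loop shows that a bad field is reported and skipped instead of aborting the whole batch.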
SEC-104788
4.0.0
Issue: Trace functionality isn't working in some virtual environments owing to a third-party DLL dependency that fails to load.
Solution: Currently planned for 4.1.0.
An updated version of the third-party DLL resolves the issue. We currently plan to include this updated DLL in 4.1.0.
Issue: The March 15, 2022 MVISION EDR 4.0 release contains only the Windows client package. Linux and macOS packages aren't included in the March 15 package.
NOTE: This issue is applicable for EDR 3.5 clients and customers using S3 functionality.
Issue: If EDR is configured to send traces both to the EDR Cloud and to the customer's own S3 service, traces aren't sent to the EDR Cloud. This issue occurs only when the S3 access credentials are misconfigured (for example, an invalid access key). If you encounter this issue, make sure that your AWS credentials are valid and that your AWS services and settings are correctly configured.
NOTE: We recommend that customers test any IAM credentials to make sure that they allow objects to be written to the target S3 bucket, and monitor S3 bucket access and usage.
Issue: Parent folder delete operations are blocked when a file is open with full share mode on Windows Server 16 and 19.
Workaround: Contact Support for the recommended exclusion to use.
Solution: Upgrade to Windows Server 22.
Issue: Parent folder move/rename operations are blocked when a file is open with full share mode on Windows Server.
Workaround: Contact Support for the recommended exclusion to use.
SEC-181828
4.0.0
Issue: On Windows 7, the KillProcessByName reaction isn't working.
Workaround: Upgrade the Windows Management Framework to version 5.1 or later.
SEC-179416
4.2.0
Issue: On Windows, the ePO-push-based content update of version 4.2.0 fails if the ePO extension is of version 4.1.1.
Workaround: Upgrade the ePO extension to version 4.2.0, or switch to a dynamic content update.
SEC-179670
4.2.0
Issue: macOS traces aren't collected until you reboot.
Workaround:
Reboot the VM.
If a reboot isn't an option, follow the steps below:
Install the EDR software.
A popup requesting permission to run the extension appears and redirects the user to System Preferences. Avoid clicking "Allow" or toggling the extension on.
Navigate to the FDA panel within System Preferences and grant Full Disk Access to the "Trellix Endpoint Security" extension and "fmpd."
Return to the previous page and now use the "Allow" button (or toggle, if multiple extensions are being loaded simultaneously) to permit the extension to be loaded.
NOTE: This issue only occurs on a fresh system where EDR is installed for the first time, and shouldn't occur if the right sequence of steps is followed to provide Full Disk Access to the system extensions.
ENSM-5607
4.1.1
Issue: [macOS 14 Sonoma] You're unable to start the applications from the Menulet, and the Menulet disappears when clicked. This issue only affects ARM-based machines (Silicon chipsets, including M1 and M2).
Workaround: You can start the application from the /Applications folder.
UCFL-2868
4.1.1
Issue: Traces aren't seen for some of the system binaries (such as addgroup, adduser, ping6, etc.) that are a part of rule 20222.
Cause: These binaries are symbolically linked to other binaries or to a script (Perl, shell, etc.).
Also, the location of these binaries differs across distros.
Solution: We've updated the TDM rule 20222 to match the command line executed, and we've also updated the path of certain binaries.
SEC-174962
4.1.1
Issue: On macOS, Python Customer Collectors might not work properly until additional python dependencies are installed on the endpoint.
Cause: When Python 3 is installed on the endpoint, EDR uses it in preference to any older Python version installed. For the Python 3 collectors to function correctly, the Python developer tools must be installed. If python3 is already in a working condition on the endpoint, these collectors aren't affected.
Solution: Download and install the Python development tools.
Issue: On macOS, the reaction StopandRemoveFileSafe, when used with the full file path, doesn't kill the process.
SEC-174846
4.1.1
Issue: EDR leaves behind Trellix system extensions when FW is still installed.
SEC-175342
4.1.1
Issue: On macOS, the terminal outputs an error with uninterpreted characters when restarting the EDR service.
SEC-174961
4.1.1
Issue: On macOS, when TA is uninstalled via the standalone installer, EDR shows as Expired in Console until EDR is reinstalled.
SEC-175199
4.1.1
Issue: On macOS, mfemvedr creates two child zombie processes upon deployment.
SEC-173076
4.1.1
Issue: For macOS, the package name is MVISION EDR, but the Product name in ePO is Trellix EDR.
SEC-173003
4.1.1
Issue: The Trellix background is a little off-center in the Mac UI installer.
SEC-109027
3.3.0 HF1
4.2.0
Issue: With EDR installed on your Linux system, file hashing configured, and large network shares mapped, you might see performance issues.
SEC-172425
4.1.0
4.1.1
Issue: EDR 4.1.0 introduces hard linking when files are deleted to improve performance. Because of this, hard links remain in C:\ProgramData\McAfee\MAR\hardLinks if the original file has been locked by another process.
These files don't occupy any additional space on the disk as they're shallow copies of the original files. But, they do remain until the file is unlocked, or stay indefinitely after EDR is uninstalled.
Solution: A fix for this issue is included in EDR 4.1.1.
EDR 4.1.0 doesn't allow removal of these files until they're unlocked.
But, they should be unlocked after a reboot and cleaned in 10 minutes. You can check what the locked file is by running the following: fsutil hardlink list C:\ProgramData\McAfee\MAR\hardLinks\<FileName>
SEC-107063
4.0.0
4.1.1
Issue: Microsoft Office applications stop responding (crash) when heavily embedded macro files are loaded and processed.
Workaround: Deselect the Enable deep inspection of Windows API calls EDR policy for affected hosts.
Solution: Fixed in 4.1.1.
SEC-109132
4.0.0
4.1.1
Issue: Microsoft Office applications stop responding (crash) when connecting or rendering web content within the application. This can happen during the activation, authentication, content insertion from the web, etc.
Workaround: Deselect the Enable deep inspection of Windows API calls EDR policy for affected hosts.
Issue: Upgrading Trellix Endpoint or EDR 4.1 requires a reboot as part of the Install or Upgrade process.
SEC-110563
4.0.0
4.1.0 HF1
Issue: Installation of Microsoft SQL Server 2019 Express and Microsoft SQL Server 2014 Express fails when the trace plug-in is enabled.
Workaround: Add ScenarioEngine.exe to Trace Exclusion in the policy.
Solution: Fixed in EDR 4.1.0 HF1.
UCFL-1472
4.1.0
Issue: On Linux installations, the md5 parameter for File Event traces is blank except for /dev/shm filepath.
UCFL-1868
4.1.0
Issue: On Linux installations, there's no user login trace during scp operation run as root user on Ubuntu 20/22.
SEC-109160
4.1.0
Issue: ScheduledTasks Collector returns no user scheduled tasks on SUSE and Ubuntu.
SEC-108260
4.1.0
4.1.1
Issue: Python Custom collectors fail for Python 3.9 and Python 3.10.
Solution: Fixed in 4.1.1.
SEC-110216
4.1.0
Issue: On Linux installations, User ID and Domain aren't being returned with the LoggedInUsers collector.
SEC-110462
4.1.0
4.1.1
Issue: On Linux and Mac installations, the SHA value for files created with "touch" isn't returned.
Solution: Fixed in 4.1.1.
SEC-110639
4.1.0
Issue: On Linux installations, the Processes Collector brings back threads for the mfemvedr process.
SEC-18283
3.0.0.355
4.1.0
Issue: Installation of some applications that perform intensive file moves, removals, or changes, display errors and fail to complete.
Cause: The EDR client locks these files during the installation.
Workaround 1: Disable the Trace plug-in during the installation.
Workaround 2: Add the installer or process that runs it to the ignored files in the Trace Policy.
SEC-106523
4.00 and earlier
TA 5.7.7
Issue: With Agent 5.7.6 installed, and an EDR client version 4.00 or earlier, you see the product version listed as 0.0.0 in ePO.
Workaround: Perform a Full Wake Up Agent Call.
Click Client task, McAfee Agent, McAfee Agent Wakeup.
Solution: Fixed in Agent 5.7.7.
Issue: The MVISION EDR Manager doesn't show custom reactions, or the list is stale.
Workaround: To show the EDR Custom Reactions, clear the browser cache and cookies. Perform your action again.
SEC-86489
Issue: RTS result API displays 404 (Not found category) error with the following message:
Error AR-912: ""message": "AR-912:No records found. There may be no endpoints attached or the endpoints are taking too long to respond.""
Error Description:
No records found or endpoints are taking too long to respond.
NOTE: This error is valid only if the attached endpoints have data to return, but no records are found.
This error is invalid if the attached endpoints have no data to render.
Resolution: Increased load is handled internally by scaling up resources.
Workaround: Retry the API call after 1–2 minutes.
SEC-50492
-
Issue: SIEM Action options aren't available in the EDR dropdown for Device Actions in the EDR UI.
SEC-49207
-
Issue: Historical search fails with AR-1104 intermittently through the UI during a programmatic or script performance test.
SEC-46277
-
Issue: Auto Suggestion operator doesn't work for a compound query with CommandLine.
SEC-48803
-
Issue: The user performs one of the following actions:
Go to the EDR monitoring page and select PE threat.
Click the Exclude from threat option from the dropdown in the Summary page before the activity screen loads.
In the above scenarios, the Filepath and CommandLine fields in the Monitoring Exclude threat sections aren't populated and are empty.
SEC-46777
-
Issue: Granular Exclusion: Exclusions with escape or special characters should be cleaned up before matching.
SEC-41123
-
2.4.0.723
-
Issue: Scheduled Reboot Reaction might not work on some Linux platforms (RHEL and SUSE) even though success is returned in Action History.
Cause: The Scheduled Reboot Reaction uses the Linux "at" scheduling service to schedule the reboot. This service might not run by default on all Linux platforms.
Workaround: Install the "at" service and make sure that the atd daemon is running on the client before asking for a scheduled reboot.
SEC-37830
-
3.3.0
Issue: Action History shows as 'Completed' with an error message after action "Scheduled Reboot."
SEC-42307
-
3.4.0
Issue: BigSur operating system isn't listed in the EDR UI.
SEC-35377
SEC-35378
EDR Client 3.3.0.625
Issue: The CurrentFlow collector that's executed during some searches fails to return any results.
Cause: On SUSE Linux Enterprise 15, netstat from the net-tools package is deprecated.
This deprecation might also apply to other Linux distributions that no longer include the net-tools package by default.
Solution: Because netstat is still available in the net-tools package (although deprecated), you can get it from the net-tools-deprecated package after enabling the legacy module: SUSEConnect --product sle-module-legacy/15/x86_64
STLS-916
Issue: MVISION EDR can't connect to the configured DXL broker. If you look in the DXL broker IPE log, you see the error below:
Below minimum threshold.
Cause: There are two possible causes:
You've incorrectly configured your EDR NTP settings.
Your DXL broker and ePO aren't in sync in terms of time. For example, they might not be in the same time zone or are more than a minute apart in time.
Solution:
If the EDR NTP settings are incorrect, correct the server configuration.
If the DXL broker and ePO aren't in sync, determine the reason and fix it. Make sure that network traffic isn't causing a significant lag in communications between them.
SEC-33805
Issue: Duplicate listings of ePO servers are seen in the Configuration Page, under Configure data sources.
Cause: Connection issues.
Solution: Refresh the UI.
You can ignore the issue. This issue is cosmetic and doesn't affect product function.
SEC-28325
3.0.0.404
3.2.0.567
Issue: Can't end Quarantine on an endpoint that's using a VPN.
Solution:
Upgrade to 3.2.0.567 or later as available.
Once upgraded, add the VPN agent full path under EDR Policy, Network Flow, Ignore Application Paths from Quarantine.
SEC-28224
3.1.0.478
3.2.0.567
Issue: You see high CPU usage and slowdown on 32-bit Windows clients.
Workaround: Disable the Trace for affected endpoints. Or, if experiencing issues with specific processes, exclude them.
See the Product Guide for further information about making these changes.
Solution: This issue is resolved in 3.2.0.567.
SEC-26610
3.1.0.478
Issue: During the upgrade of EDR Client on Windows 7, a pop-up message displays for a few seconds with the title:
A program running on this computer is trying to display a message.
This message doesn't affect the installation. The product successfully installs.
Cause: The Windows service Interactive Services Detections is enabled. This service is disabled by default and is available only on Windows 7.
Workaround: Temporarily disable the Windows service Interactive Services Detections during the upgrade of EDR Client.
Issue: The EDR Real-Time Search feature is prevented from running scripts when ACC is enabled.
Cause: Execution Control in ACC 8.x added default Execution Control Rules and rule groups. These rule groups need to be updated to allow the newer version to run.
Workaround: See the related article.
Solution: This issue is fixed with the release of ACC extensions 8.2.6 and 8.3.
SEC-16939
Issue: In MVISION ePO, Mac and Linux EDR clients aren't yet supported.
Issue: The MVISION EDR client service stops working if you install or upgrade the MVISION Endpoint client after it's installed on a Windows system.
Solution: Restart the service by restarting the operating system.
SEC-14475
3.0.0.404
Issue: During EDR Client installation, Visual C++ Redistributable Package removes binaries for non-target architectures. Specifically, MSVCR120.dll is deleted.
This issue is a Microsoft runtime issue in Visual C++ Redistributable Package.
Solution: Apply the updated distributable available on the Microsoft site.
SEC-12291
Issue: The Include and Exclude filters in the Historical Search Dashboard don't filter the Alerts and Detections & Alerts buckets.
SEC-12553
Issue: Hierarchy in the process tree from the Process Activity widget breaks.
Cause: The parent process isn't present. As a result, the sequential and timeline view in Process Activity doesn't show the process tree correctly.
Workaround: Select another detection instance for the same threat from the Device section in the Monitoring dashboard.
SEC-10757
Issue: When you disable telemetry feedback options, the feedback option requires that you accept the sharing of telemetry data. If you don't accept it, the send button in the feedback section isn't enabled.
Solution: Enable telemetry settings:
Open the Investigation Dashboard, and from the settings wheel, navigate to the Configuration settings.
Enable Choose telemetry and regional settings.
Read the agreement and click Save.
SEC-9932
Issue: Duplicated alerts are seen. When a Process Injection is detected as a threat in the Monitoring dashboard, the Injector process and the Injected process are both shown as potential threats, so they can be perceived as duplicated threats.
SEC-9706
Issue: After installation, the EDR extension server settings display a Host Timeout Error.
The SIEM connection on the MVISION EDR settings, available in Server settings on ePO, shows the connection as follows: The indicated Host responded TIMEOUT. This information is displayed even though no configuration is performed.
Solution: When the SIEM is configured correctly, this setting changes to Connection Successful as expected.
Issue: You see the following error status code returned:
remediation Queue jobs status: error and errorHostResponses is non-zero
Although the action is successfully executed, the endpoint fails to respond with a Completed status.
API: Search Remediation.
Solution: Make sure that the endpoint responds correctly to the action. Do one of the following:
Retry the remediation call.
Check the DXL/AR logs on the endpoint and confirm that the traces are being sent properly.
SEC-174081
Issue: The sort parameter places some of the Unquarantine action records in the E list.
Cause: There's a mapping issue with the product backend.
Solution: This issue will be fixed in a forthcoming release.
Workaround: Regard this outcome as working as designed.
Treat Unquarantine records placed in the E list as end_Quarantine.
Both end_quarantine and unquarantine stop the quarantine on the endpoint.
SEC-178178
Issue: The Search remediation scheduleReboot action fails to perform date check validation.
You request a past date for the schedule reboot. You expect an error, but the call is actioned. You receive a successful response.
Cause: The API call for the remediation action of scheduleReboot accepts the following wrong information for reboot dates without returning an error:
A past date
A time too far ahead in the future (for example, 3 years)
Incorrect date-time format
API: Search Remediation.
Resolution: EDR development is investigating this issue and will update this entry when further information is available.
SEC-178180
Issue: The search remediation scheduleReboot action fails, but the API returns the message that the system was rebooted.
API: Search Remediation.
Solution: EDR Engineering is investigating this issue.
Workaround: Retry the API call until the system reboots.
To verify that the reboot succeeded, remain logged in to the endpoint and wait until the system displays a notification of the reboot.
SEC-176743
SEC-146265
Issue: Offline remediation actions aren't actioned for up to 30 days.
When you send a quarantined host an unquarantined remediation action, it takes up to 30 days for the host to be unquarantined.
The Offline remediation action status shows as in progress for up to 30 days and then fails.
API: Multiple Remediations.
Solution: Reduce the time-out period for offline actions. The API then returns a status error within a reasonable period.
Workaround: Wait for 30 days, as offline actions take up to 30 days to complete. See the Product Guide to view the list of offline and online remediation reactions.
NOTE: If there's no response from the endpoint during that period or the endpoint responds with an error, the reaction status is returned as follows:
"COMPLETED WITH ERRORS"
SEC-178057
Issue: If you provide incorrect file details in the request body, the remediation status returns a status of Finished.
You expect to see an error, but the status returned is of a successful completion.
Solution: EDR Engineering is investigating this issue.
Workaround: Enter the correct file name.
SEC-179648
Issue: Sorting on the API Arguments, Tags, and ScheduledTask Commands columns doesn't return data in a sorted order.
SEC-179694
Issue: Filtering on the API Arguments, Tags, and ScheduledTask Commands columns with multiple values doesn't return filtered results.
Workaround: Filter these columns using a single value.
SEC-179860
Issue: Sorting on the API Result column doesn't return data in a sorted order.