This article is a consolidated list of common questions and answers. The article is intended for users who are new to the product, but can be of use to all users.
Recent updates to this article
Date | Update
August 14, 2023 | Minor formatting updates; no content changes.
What are the main functions of MA?
The most common functions of MA include the following:
Manage client systems from the ePolicy Orchestrator (ePO) server.
Install and upgrade the managed products on managed systems.
Enforce policies on managed systems.
Schedule the managed product tasks that run on managed systems.
Gather events from managed systems and send them to the ePO server.
Send and receive private data bi‐directionally over the Data Channel between ePO, MA, and other products.
What agent modes exist?
There are three agent modes:
Agent — The basic operating mode for MA. It provides a communication channel to ePO and local services for managed products.
SuperAgent — An agent that acts as a source of content updates to other agents in the same network.
Agent Handler — An ePO server component that you can install in several network locations to help manage agent communication, balance the load, and update products.
Why do I see many MA processes for Linux?
The runtime environment uses Linux Native threads through the Light Weight Process implementation. Using Linux Native threads causes each thread to show as a separate process on the client computer.
What versions of MA support five-digit DATs?
All current and later versions of MA support five-digit DATs. For more details, see KB94329 - 5-Digit V2 DAT files.
What components must exist on the ePO server before I can install the agent?
To install the agent on the managed systems, the following must be added to the ePO server:
Extension
Software package
Key updater package
What installation options are available?
Several installation options are available:
Push the agent to client systems using ePO.
Manually install the agent on each client system.
Configure third‐party software to distribute the agent installation package, which is on your ePO server, to client systems.
Examples: Microsoft Systems Management Server, Microsoft Group Policy Objects, or IBM Tivoli.
Configure logon scripts (Windows only) to install when a user logs on to a client system.
Create a customized Smart Installer and distribute it to client systems for manual installation.
What do I need to consider when deciding whether to change the agent‐server communication interval?
The agent-server communication interval (ASCI) determines how often the MA calls into the ePO server. The default setting of 60 minutes means that the agent contacts the ePO server once every hour. When you decide whether to change the interval, consider that the agent performs each of the following actions at each ASCI:
Collects and sends its properties.
Sends non‐priority events that have occurred since the last agent‐server communication.
Enforces policies.
Receives new policies and tasks. This action might trigger other resource-consuming actions.
What options are available for managing MA and other product updates?
Configure one of the following modes:
Managed mode — MA connects and communicates with the ePO server to manage its own and other products' updates.
Unmanaged mode — MA doesn't connect or communicate with the ePO server, but instead pulls updates from HTTP or FTP servers.
What's the function of Message Bus Certificate Updater?
The Message Bus Certificate Updater (msgbus cert) is a content update. Its primary function is to update the latest certificates on the endpoint, so that products integrated with the Message Bus can be authenticated and trusted with MA.
Can the msgbus cert updater version be a later version than the installed MA version?
Yes. The msgbus certs can be a later version than the installed MA. Our certs expire every 2–3 years to have backwards compatibility for already released agent versions. MA releases msgbus certs for every major release, for example, MA 5.6.3, 5.6.4, 5.6.5. We recommend that you have the latest msgbus certs checked in to the Master Repository in ePO.
I never deployed msgbus cert updater or checked it into the ePO Master Repository. Are there going to be any problems?
Integration of MA and the latest released products integrated with msgbus lose the function if either of the following criteria is met:
How are the files and connection between MA and a Distributed Repository secured?
When a MA is inside the internal network, it connects to the Distributed Repository over HTTP. Hash validation secures the files downloaded from the Distributed Repository.
When MA connects to the Distributed Repository to download a product deployment or DAT package, the package contains a signed pkgcatalog.z file. This file contains the hash information of the files to be downloaded. The MA then validates the downloaded file using the contained hash. This method prevents the repository files from being tampered with.
MA only connects to the distributed repositories that are listed in the sitelist, which is contained in the MA database. The database is protected by the MA self-protection mechanism. This protection prevents MA from connecting to any rogue distributed repositories. For information about MA self-protection, see the latest McAfee Agent Product Guide.
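The check order described above, as an added example (not Trellix code): the signed catalog is verified first, and only then is the downloaded file compared with the hash it lists. The JSON catalog layout, the SHA-256 choice, the file names and the HMAC standing in for the vendor's signature are assumptions, since this page does not describe the pkgcatalog.z format.

```python
import hashlib
import hmac
import json

# Assumption: stand-in for the vendor signing key. A real catalog would carry
# an asymmetric signature; HMAC keeps this example standard-library only.
SIGNING_KEY = b"constructed-demo-key"


def sign_catalog(entries: dict) -> dict:
    """Repository side: build a catalog of file hashes and sign it."""
    body = json.dumps(entries, sort_keys=True).encode()
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "sig": tag}


def verify_download(catalog: dict, name: str, data: bytes) -> str:
    """Agent side: return 'ok' or the reason the download is rejected."""
    body = catalog["body"].encode()
    expected_sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    # 1. Trust nothing in the catalog until its signature checks out.
    if not hmac.compare_digest(expected_sig, catalog["sig"]):
        return "catalog signature invalid"
    entries = json.loads(body)
    # 2. A file the signed catalog does not list is never accepted.
    if name not in entries:
        return "file not in catalog"
    # 3. Compare the hash of the received bytes with the signed hash.
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, entries[name]):
        return "hash mismatch"
    return "ok"


# Constructed sample: one package served over plain HTTP.
GOOD_FILE = b"constructed package payload v1"
CATALOG = sign_catalog({"sample-package.zip": hashlib.sha256(GOOD_FILE).hexdigest()})

# Tamper case: file replaced and its hash rewritten in the catalog, but the
# signature cannot be regenerated without the signing key.
EVIL_FILE = b"tampered payload"
FORGED = {"body": json.dumps({"sample-package.zip": hashlib.sha256(EVIL_FILE).hexdigest()}),
          "sig": CATALOG["sig"]}

if __name__ == "__main__":
    print(verify_download(CATALOG, "sample-package.zip", GOOD_FILE))
    print(verify_download(CATALOG, "sample-package.zip", EVIL_FILE))
    print(verify_download(FORGED, "sample-package.zip", EVIL_FILE))
```

Because the hashes are only trusted after the catalog signature verifies, the transport to the repository does not need to provide integrity on its own.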
When would you want to perform a MA wake‐up call?
A MA wake‐up call triggers an immediate agent-server communication rather than waiting for the current ASCI to elapse. Some reasons for performing an agent wake‐up call are as follows:
You make a policy change that you want to enforce immediately, without waiting for the scheduled ASCI to expire.
You create a task that you want to run immediately. The option Run Task Now creates a task, then assigns it to specified client systems and sends wake‐up calls.
A query generates a report, indicating that a client is out of compliance. You want to test its status as part of a troubleshooting procedure.
How can you view and manage MA features from a managed client system?
The McAfee icon in the Windows notification area provides a collection point for viewing the status of our products. You can also perform actions on a client system.
How does the ePO server sort client systems at the first connection?
When MA is installed on a client system, a unique GUID is created based on the MAC address and computer name of the system. MA connects to the ePO server in a randomized interval of a few seconds. At that connection, the ePO server uses these system properties to see whether MA is populated in the System Tree. A new object is created in the System Tree if the search finds no match. The location for the new object is also based on this sort order.
System properties used
When the Sorting Criteria are Disabled | When the Sorting Criteria are Enabled
Agent GUID | Agent GUID
Domain Name | IP address and Tags evaluated for the computer
Computer Name | Domain Name
IP address | Computer Name
If an entry is found that's listed in the search order, MA lists the client system in the correct group. If it doesn't find any of the above, it would then list the client in the Lost & Found group at the My Organization level.
Is MA affected by leap second issues?
No. A leap second is a one-second adjustment sometimes applied to Universal Time Coordinated to keep its time of day close to the mean solar time (UT1).