How to troubleshoot Virtual Machines when the Anti-malware protection status is Off or Unknown
Technical Articles ID:
KB84669
Last Modified: 2023-12-01 06:42:45 Etc/GMT
Environment
Cloud Workload Security (CWS) 5.x
MOVE AntiVirus (AV) Agentless 4.x
Summary
Background details
The following protection status events are sent from the following:
- A Virtual Machine (VM) to the Security Virtual Appliance (SVA)
- SVA to ePolicy Orchestrator (ePO), where it's placed in an SQL database table
MOVE AV Agentless 4.x Events
- EVENT 37086 (VM Protected)
- EVENT 37087 (VM Unprotected)
There are several reasons why the protection status isn't reported correctly. Because of the different components involved in this environment, it's important to follow a troubleshooting method that does the following:
- Guides you through the different stages involved, to correctly identify where the cause of the problem is
- Provides the solution to overcome the issue
Before you start, verify the following:
- MOVE AV Agentless is set up correctly
- The MOVE Agentless policy has the on-access scanner (OAS) enabled
- The MOVE AV Agentless extension is installed in ePO
- The Event Parser service is running
- The Cloud Connector for vSphere account registration completed successfully. For assistance, see the "Registering cloud accounts" section of the respective product guide. For product documents, go to the Product Documentation portal.
- The SVA and the VM are both managed by the same ePO server
- VMware vCenter correctly reports the SVA presence for each host
- The VM is turned on. When the VM goes to an idle state, the vsepflt driver is unloaded, which can contribute to reporting the Agentless anti-malware protection as Off.
- The following events are selected in ePO. Navigate to Server Settings, Event filtering, and then click Edit:
  - EVENT 37086 (VM Protected)
  - EVENT 37087 (VM Unprotected)
Solution 1
Troubleshooting the VM
Start troubleshooting from a VM that reports the incorrect Protection Status in ePO. Make a note of the name and the UUID (unique ID) of the VM where the troubleshooting is performed. You can find this information in ePO and vCenter.
- Verify that the VM reports the correct system information to ePO:
  - Log on to the ePO console.
  - Click the System Tree, open the vSphere group, and then locate the VM.
  - Click the VM to bring up the System Properties.
  - Click the Virtualization tab.
  - Verify that the VM details are present and correct.
- Verify that the VMware Tools are installed.
  NOTE: The installation of VMware Tools is a prerequisite when you use MOVE AV Agentless.
  - Verify using ePO:
    In the ePO System Tree, navigate to the vSphere group, identify the system, and verify whether the VMware Tools are listed in the VMware Tools column. If the VMware Tools are installed, the column reports Running.
  - Verify using the VM:
    In Add/Remove Programs, verify that the VMware Tools are listed. If they're not, either deploy the VMware Tools to the client from the vSphere console, or download and install the VMware Tools software package from the VMware Tools link on Customer Connect.
- Verify that the VMCI driver is enabled.
  Installation of the VMware Tools doesn't automatically install the Virtual Machine Communication Interface (VMCI) driver (vsepflt.sys). So, when you install the VMware Tools, select Custom setup, and under the VMCI driver, select vShield Drivers.
  To verify that the vShield driver (vsepflt.sys) is installed, navigate to the following folder: C:\Windows\System32\drivers
- Enable debug logging for ePO.
  Before you start to troubleshoot, if further analysis is needed, enable debug logging for ePO in the Orion.log file. For how to enable debug logging for the cloud connector extension, see KB90072 - How to enable debug logging for the Cloud Workload Security connectors.
- Verify that the VMCI driver (vsepflt) is loaded correctly:
  NOTE: When you reload the vShield driver, it forces the events to be generated. This test can be used to verify the correct communication.
  - Log on to the endpoint VM as an Administrator.
  - Open a command prompt: click Start, Run, type cmd, and then click OK.
  - To unload the vsepflt driver, type the following command and press Enter:
    fltmc unload vsepflt
  - To load the vsepflt driver, type the following command and press Enter:
    fltmc load vsepflt
- Resync the SVA with ePO.
  For the MA commands to collect and send properties from the SVA to the ePO server, see KB52707 - McAfee Agent / Trellix Agent command-line switches.
  The system now displays the Anti-Malware Protection status as ON.
- Verify whether the events generated above reach ePO:
  - Log on to the ePO console.
  - Click Menu, Reporting, Threat Event Log and verify that the above-mentioned events are present.
  - Verify that you're also getting the client system IP address in the threat event logs.
- Verify whether the events generated above change the Protection status of the VM:
  - Navigate to the node in ePO.
  - Select the Virtualization tab and then verify the status of the Agentless Anti-malware Protection.
  - Verify that the status shows as ON.
- Verify that EICAR can be detected in the VM:
  - Create and test the VM with an EICAR test file. For details, see KB59742 - How to use the EICAR test file with our products.
  - Log on to the ePO console.
  - Click Menu, Reporting, Threat Event Log and verify that the threat event is present.
Solution 2
Troubleshooting the SVA
- Verify that the SVA is reported correctly in ePO and that it's turned on:
  - Log on to the ePO console.
  - From the System Tree, select the vSphere host and check whether the associated SVA is reported.
  - Confirm that HOST is listed under the System Type column.
  - From the System Tree, access the SVA system properties and confirm that the SVA properties are reported correctly.
  - In the "Summary" section, verify that the correct IP address is listed.
  - In the "Properties" section, verify that all details are listed and are correct.
- Verify that the SVA is reported correctly in vCenter:
  - Log on to VMware vShield vCenter.
  - From the Home location, click Hosts and Clusters.
  - In the left pane, select the host.
  - In the right pane, click the Virtual Machines tab.
  - Locate your SVA and verify that the status in the State column shows as Powered On.
- Verify the registration of the SVAs with their respective hypervisors (in VMware vCenter, the SVAs are listed in the vShield tab):
  - Log on to the vSphere Client, then go to Home and select the vShield icon. A logon window is displayed.
  - Log on with your credentials to access the console.
  - In the left pane, expand Datacenters.
  - Select the IP address ###.###.###.### of the host.
  - In the right pane, the Summary tab displays and shows the Service Virtual Machine details.
  - Verify that the SVA is registered correctly.
  Example of the details that the Service Virtual Machines section shows:
    Name             Type
    MOVE AV          vShield Endpoint Active SVM
    vShield Manager  vShield Manager
- Restart the MOVE AV Agentless SVA services:
  - Log on to the SVA with the root or administrator account.
  - At a command prompt, type the following:
    sudo service move restart
  - Log on to the ePO console.
  - Locate the SVA in the System Tree.
  - Verify the SVA system properties and confirm that the SVA is communicating correctly.
  - Verify whether the VM status has changed.
- Verify that the SVA date and time are in sync with ePO.
  NOTE: If the SVA and ePO time zones aren't synchronized, the events are rejected and the database isn't updated.
  For details about how to set the time in the SVA, see "Configuring the SVA" in the MOVE AV Agentless Product Guide for your version. See the "Related Information" section below for where to locate product documentation.
- Load and unload the driver and verify that the related event reaches the SVA. Verify at each stage that the events are being transferred:
  - Stop the McAfee Agent on the SVA. For how to use command-line switches with MA/TA, see KB52707 - McAfee Agent / Trellix Agent command-line switches.
  - On the VM, unload and load the VMCI driver (vsepflt), which generates the following events:
    34432 or 37087 (VM Unprotected)
    34431 or 37086 (VM Protected)
    - Log on to the endpoint VM as an Administrator.
    - Open a command prompt: click Start, Run, type cmd, and then click OK.
    - Type the following commands and press Enter after each:
      fltmc unload vsepflt
      fltmc load vsepflt
  - Verify that the event is generated. At the SVA, navigate to the following location and check that an event related to the stopped driver is present.
    MA/TA 5.9 and later:
    /var/McAfee/Agent/AgentEvent
  - If the event isn't present, make sure that MA/TA is stopped.
  - Try to unload and load the vsepflt driver again. If those events don't arrive in the MA/TA event folder, troubleshoot this issue. See KB52707 - McAfee Agent / Trellix Agent command-line switches.
  - Enable debug-level logging at the SVA. For details, see KB87799 - How to enable debug logging for MOVE Agentless and Multi-Platform via the command line.
  - Generate the event again by unloading and reloading the vsepflt driver at the VM, and then collect an SVA MER. For details, see KB80097 - How to generate the MOVE AntiVirus Agentless MER file.
  - Disable debug-level logging at the SVA.
  - If those events are arriving in the MA/TA event folder, send the events to ePO, and then restart MA/TA and enforce the policy. At the command prompt, type the following:
    sudo /opt/McAfee/cma/bin/cmdagent -P
    NOTE: After the events are sent, they're no longer present in the SVA event folder.
- Verify that the event is reported in the ePO Threat Event Log. This action confirms that the event is reaching ePO:
  - Log on to the ePO console.
  - Click Menu, Reporting, Threat Event Log. The following events are shown for the VM:
    34432 or 37087 (VM Unprotected)
    34431 or 37086 (VM Protected)
- At the ePO console, verify the status of the Agentless Anti-malware Protection:
  - Log on to the ePO console.
  - Click System Tree, vSphere group, and then locate the VM.
  - Select the VM and click it to bring up the System Properties.
  - Click the Virtualization tab.
  - Verify the Agentless Anti-malware Protection status.
- Start a manual sync of the Cloud Connector for vSphere to see whether it completes successfully:
  - Log on to the ePO console and access the registered cloud account.
  - Select the name of the account and click Sync.
  - Verify the Last Sync Status.
- Determine whether the appropriate event is generated but not passed to the ePO database:
  - Identify the VM's UUID and check the status in the MOVEAGNTLSS_PROTECTIONSTATUS table in the SQL instance of the ePO database.
  - Locate the PROTECTION_STATUS column and identify whether it shows ON or OFF for that VM.
- Disable debug logging for the ePO Orion.log. For details, see KB52369 - How to enable debug logging and log size for Orion.log in ePolicy Orchestrator.
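The Solution 2 step that checks the MA/TA event folder on the SVA (stop MA/TA, reload vsepflt on the VM, then look for the VM Unprotected and VM Protected events before forwarding them with cmdagent -P) is easy to get wrong by eye when the folder holds many files. The following POSIX shell helper is an added example, not part of this article or of the MOVE product. It assumes (labelled in the comments) that the event files under the MA/TA 5.9+ folder named above are text or XML in which the event ID appears as a bare number, and it reports which of the two expected events are present and a distinct exit code for each outcome so it can be used from a larger check script.

```shell
#!/bin/sh
# Added example (not from the KB article): scan the Trellix/McAfee Agent
# event folder on the SVA for the MOVE Agentless protection-status events
# that an unload/load of vsepflt on the VM should have produced.
#
# Assumptions (not stated by the article):
#  - event files are text/XML files in which the event ID appears as a
#    bare, word-delimited number (e.g. <EventID>37087</EventID>)
#  - the default folder is the MA/TA 5.9+ location named in the article;
#    override it with MOVE_EVENT_DIR or pass a directory as argument 1

MOVE_EVENT_DIR="${MOVE_EVENT_DIR:-/var/McAfee/Agent/AgentEvent}"

# count_event_files DIR EVENT_ID
# Prints the number of regular files in DIR that mention EVENT_ID as a
# whole word. Prints 0 when DIR does not exist, so callers never fail
# just because MA/TA has already forwarded and removed the events.
count_event_files() {
    dir="$1"
    id="$2"
    [ -d "$dir" ] || { echo 0; return; }
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if grep -qw -- "$id" "$f" 2>/dev/null; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_move_events [DIR]
# Event IDs from the article: 37087/34432 = VM Unprotected,
#                             37086/34431 = VM Protected.
# Exit status: 0 = both events present (forward them with cmdagent -P),
#              1 = only one of the two is present,
#              2 = neither is present.
check_move_events() {
    dir="${1:-$MOVE_EVENT_DIR}"
    unprot=$(( $(count_event_files "$dir" 37087) + $(count_event_files "$dir" 34432) ))
    prot=$(( $(count_event_files "$dir" 37086) + $(count_event_files "$dir" 34431) ))
    echo "Event folder: $dir"
    echo "VM Unprotected events (37087/34432): $unprot"
    echo "VM Protected events   (37086/34431): $prot"
    if [ "$unprot" -gt 0 ] && [ "$prot" -gt 0 ]; then
        echo "PASS: both events reached the SVA; forward them with: sudo /opt/McAfee/cma/bin/cmdagent -P"
        return 0
    elif [ "$unprot" -gt 0 ] || [ "$prot" -gt 0 ]; then
        echo "PARTIAL: only one of the two events is present; unload and load vsepflt on the VM again"
        return 1
    else
        echo "FAIL: no events present; confirm MA/TA is stopped on the SVA and that vsepflt was reloaded on the VM"
        return 2
    fi
}

# Usage on the SVA (after stopping MA/TA and reloading vsepflt on the VM):
#   . ./move_events.sh && check_move_events
# or against another folder:
#   check_move_events /path/to/other/AgentEvent
```

Run it with root privileges on the SVA, because the agent event folder is normally not world-readable. The whole-word grep is a heuristic: it avoids matching the event ID inside a longer number such as a timestamp, but it cannot distinguish an event ID from an identical value in another field, so treat a PASS as confirmation to proceed to the cmdagent -P step and the Threat Event Log check, not as proof that the event body is well-formed.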
For issues that remain unresolved:
If, after following the above troubleshooting steps, the issue remains unsolved, do the following:
- Note the result of each troubleshooting step mentioned above as a Pass or Fail.
- Provide a copy of the Orion.log with debug logging enabled.
- Contact Technical Support and provide this article number (KB84669 - How to troubleshoot Virtual Machines when the Anti-malware protection status is Off or Unknown).
- Generate the MOVE AntiVirus Agentless MER file (SVA). For details, see KB80097 - How to generate the MOVE AntiVirus Agentless MER file.
IMPORTANT: The following files are required for Technical Support:
- Minimum Escalation Requirements (MER) files for your specific product. For information about downloading the MERs for each product, see KB59385 - How to use MER tools with supported products.
- Other files and logs, as requested by Technical Support.
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Related Information
AV Agentless 3.x Events (MOVE Agentless 3.x is End of Life)
- EVENT 34431 (VM Protected)
- EVENT 34432 (VM Unprotected)