Technical Articles ID:
KB86704
Last Modified: 2023-09-22 08:41:25 Etc/GMT
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP)
ENS Firewall 10.x
ENS Threat Prevention 10.x
ENS Web Control 10.x
Summary
This article is a consolidated list of common questions and answers intended for users who are new to the product, but it can be of use to all users.
Recent updates to this article
Date: September 22, 2023
Update: Added FAQ "Does ENS run as a single-threaded process?" in "General" section.
Where can I find known issues with ENS?
For a list of known issues with a high or medium rating and that are outstanding with a given release, see KB82450 - Endpoint Security 10.x Known Issues.
Does ENS run as a single-threaded process?
On-access scanning and on-demand scanning can run multiple scan threads simultaneously. The number of threads will be influenced by the number of CPU cores on the endpoint.
Where can I find an explanation for ENS event messages?
ENS event messaging uses Natural Language Strings. Some events might require further explanation than what's provided in the small text string in an event. For a detailed explanation of event messages, see KB85494 - Complete list of event IDs for Endpoint Security.
How can I check the status of the ENS service and your other services on a system?
Use the executable C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe to check the status of services as follows. This executable can be useful if you're using a third-party monitoring tool to track the status of the ENS service, or get a report on how many systems have ENS running.
NOTE: To check the status of all our services, run the command C:\WINDOWS\system32>"C:\Program Files\Common Files\McAfee\SystemCore\mmsinfo.exe" -enum
What's the mfeensppl service?
The mfeensppl service is a Protected Process Light (PPL) service. This service is used for the registration of mfetp with the Windows Security Center (WSC) service wscsvc. The mfeensppl.exe service stops and starts as needed. The mfeensppl.exe service is similar to the mfefire service, which also runs only when it's in use. The registration with WSC happens every time policies are enforced on the system and also when the system restarts. The registration with WSC is done through PPL in Windows 10 version 1809 (October 2018 Update) and later. When the mfeensppl.exe service runs, it checks whether the system is compatible with the Windows 10 version 1809 or later technology. The service then reacts accordingly. On systems not running Windows 10 version 1809 (and later), the mfeensppl.exe service is present. After determining that the operating system isn't supported, mfeensppl.exe exits gracefully.
Why does the Help feature in the ePO console open a web browser page to docs.trellix.com, instead of a contextual page of product information?
This behavior is the result of a feature change starting in ENS 10.6.0. When you use the Help feature by clicking the question mark ("?") inside the ePO console, it opens the Documentation Portal (docs.trellix.com), where you can perform a search.
What's the $MfeDeepRem folder, for example, the folder located under root C:\?
This folder is used by the ENS ATP Enhanced Remediation feature. The folder is created per drive. The folder size varies depending on the file size of the drive. This folder is protected. It might need to be excluded by applications that try to access files or folders that aren't their own, such as backup software. Attempts to access the folder are denied.
How can I determine the Real Protect content version?
Open the ENS console and go to the About window. The About window shows the Real Protect content version. If you want to see the Real Protect content version without opening the console, go to C:\Program Files\Common Files\McAfee\Engine\content\rpstatic. The folder name shows the content version. For example, 1.1.10005.6250. The Real Protect content version isn't stored in the registry.
Can ENS coexist with the legacy products SiteAdvisor Enterprise (SAE) and VirusScan Enterprise (VSE)?
No. The ENS installer removes both SAE and VSE no matter which ENS module is selected to install. For more information, see KB86504 - Legacy products can't coexist with Endpoint Security modules.
What are the supported platforms, environments, and operating systems for ENS?
See KB82761 - Supported platforms for Endpoint Security. This article provides a list of supported client and server operating systems, virtual infrastructure, email clients, hardware requirements, and internet browsers.
Is Microsoft Windows XP or Windows Server 2003 supported?
No. Neither is Windows 2009 Point Of Service Embedded because it's an XP-based operating system.
Why do I have compatibility issues with third-party software applications that "hook" your processes, or attempt to, by loading their own code (a DLL) into the process?
Our products include self-protection mechanisms to prevent tampering with our files, folders, processes, registry entries, and executables. Self-protection mechanisms are needed to provide and maintain a high level of security and trust in the software, especially to secure against malware attacks. For more information, see KB83123 - Compatibility issues can occur when third-party applications inject our processes.
Why is ENS blocking System Information Reporter (SIR) from restoring registry keys?
SIR registry restore fails under ENS-protected registries because an ENS Self-Protection Rule is blocking it. To resolve this issue, perform one of the following:
Connect to AAC and add the exceptional allow rule for regedit.
Don't use regedit and update your application to directly make the registry changes.
Where can I find the list of third-party software that ENS uses?
On a computer where ENS is deployed, the list of third-party software that ENS uses is in the following file:
How are releases for ENS for Windows packaged?
In 2020 and later, ENS only provides .MSI packages for standard major, minor, and update releases.[1] This decision is made based on customer feedback regarding the need to reduce complexity and deployment effort.
This single package type performs the following:
Install ENS on new systems
Upgrade existing installations of ENS
To deploy these packages for ENS upgrades, customers must use an installation Product Deployment task and no longer need to use an Update task.
1 This decision doesn't apply to the current ENS hotfix delivery and format, which remains unchanged. An Update task can be used to apply them.
Can different modules (for example, Web Control and Threat Prevention), originating from different source packages (for example, February Update and April Update), be installed on a single given system?
All ENS modules installed on a system should originate from the same source package, avoiding a mix and match of installed components or modules.
What are the managed ENS installation options?
There are two management options: ePO and ePO Cloud. The primary differences in managing the two environments are as follows:
ePO - Administrators install product components on the management server; then, they typically configure feature settings (policies) and deploy the client software to multiple managed systems using deployment tasks.
ePO Cloud - We or another service provider sets up each ePO Cloud account on an offsite management server. It then notifies the local administrator when products are ready to install on managed systems. Local administrators then typically create and send an installation URL to users for installation on local systems.
How do you migrate from an evaluation version of ENS to a Licensed version?
You must first uninstall the evaluation package of ENS before installing the licensed version of ENS.
How do I migrate legacy products to ENS?
Use the Endpoint Migration Assistant to migrate the following settings and assignments to ENS. For instructions, see the Endpoint Security Migration Guide:
VSE 8.8
Host Intrusion Prevention (Host IPS) Firewall 8.0
SAE 3.5
After migrating the VSE on-access scan (OAS) policy to ENS using the Migration Assistant, why aren't the OAS exclusions enforced?
This issue occurs when the VSE OAS policy contains invalid exclusion data or exclusion patterns that ENS doesn't support. The Migration Assistant doesn't change the exclusion patterns during the migration. For a list of exclusion patterns that ENS supports, see the Endpoint Security Migration Guide.
For example, the exclusion "%systemroot%system32\inetsrv" is invalid because there's no '\' between the environment variable and the next file or folder data. The correct exclusion in this case is "%systemroot%\system32\inetsrv".
If you encounter this issue, the ENS Platform error log shows an error similar to the following:
08/14/2017 09:35:31.225 AM mfetp(1924.2840) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5315): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_LOW, Error code: 0xA7F40511
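A pre-migration check for the problem described above, as an added example that is not part of the original article or the product: it flags exclusions where an environment variable isn't followed by '\', and pulls the failing task name and error code out of the Platform error line. The exclusion list and the filler log line are constructed, and the function names are hypothetical.

```python
import re

# %name% followed by anything other than a backslash or the end of the
# pattern: the defect the article describes for migrated OAS exclusions.
_ENV_WITHOUT_SEPARATOR = re.compile(r"%[^%\\]+%(?!\\|$)")

# Layout of the ENS Platform error line quoted in the article.
_EXCLUSION_FAILURE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"(?P<process>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\) .*?"
    r"Sending exclusion policy to AMCore failed\. "
    r"Task name: (?P<task>\w+), Error code: (?P<code>0x[0-9A-Fa-f]+)"
)

# Constructed exclusion list for the example (not taken from a real policy).
SAMPLE_EXCLUSIONS = [
    r"%windir%Temp\*.tmp",    # variable runs straight into the folder name
    r"%windir%\Temp\*.tmp",   # corrected form
    r"C:\Scratch\*.log",      # no variable at all
    r"%ProgramData%",         # variable on its own
]

SAMPLE_LOG = "\n".join([
    # Constructed filler line, present only to show unrelated lines are skipped.
    "08/14/2017 09:35:30.100 AM mfetp(1924.2840) <SYSTEM> constructed unrelated line",
    # The error line as quoted in the article.
    "08/14/2017 09:35:31.225 AM mfetp(1924.2840) <SYSTEM> exclusion.EXCLUSION.Error "
    "(exclusionbl.cpp:5315): Sending exclusion policy to AMCore failed. "
    "Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_LOW, Error code: 0xA7F40511",
])


def unsupported_variables(pattern):
    """Return the %variables% in one exclusion that lack a following backslash."""
    return _ENV_WITHOUT_SEPARATOR.findall(pattern)


def lint_exclusions(patterns):
    """Map each defective exclusion to the variables that need a '\\' after them."""
    findings = {}
    for pattern in patterns:
        bad = unsupported_variables(pattern)
        if bad:
            findings[pattern] = bad
    return findings


def exclusion_failures(log_text):
    """Return one dict per 'Sending exclusion policy to AMCore failed' line."""
    failures = []
    for line in log_text.splitlines():
        match = _EXCLUSION_FAILURE.match(line)
        if match:
            failures.append(match.groupdict())
    return failures


if __name__ == "__main__":
    for pattern, variables in lint_exclusions(SAMPLE_EXCLUSIONS).items():
        print(f"fix before migrating: {pattern} (add '\\' after {', '.join(variables)})")
    for failure in exclusion_failures(SAMPLE_LOG):
        print(f"{failure['date']} {failure['time']}: {failure['task']} -> {failure['code']}")
```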
Does the Endpoint Migration Assistant migrate rules that are assigned based on tags?
No. The Endpoint Migration Assistant doesn't merge and replace policies that are assigned using tagging rules.
How do I deploy ENS modules using ePO?
First, check the ENS module packages into the ePO server. From the ePO Software Manager, there's a bundle package. This package checks the module installation packages, Help files, and module extensions into the ePO Master Repository. Module installation packages include the Security Platform, Firewall, Threat Prevention, and Web Protection modules. From the Product Downloads site, download each package separately and check it into the ePO Master Repository.
Next, create a deployment task. Deployment tasks of the Firewall, Threat Prevention, or Web Protection modules check the version of Security Platform. The module installer automatically updates the Security Platform version first before installing Firewall, Threat Prevention, or Web Protection.
The ATP module checks in separately from the other ENS modules. When installing the ATP module, the version of ENS Threat Prevention must be the same. For example, you can't install ATP 10.6.1 on a system running ENS Threat Prevention 10.6.0. Don't include the ATP module when you deploy the other ENS modules. The ePO deployment task might run the ATP module installation before the Threat Prevention module installation. So, we recommend that you have a separate deployment task for the ATP module.
How do I deploy ENS using third-party deployment solutions?
The third-party solution must meet these requirements:
Make sure that all installation files are available or accessible.
Run the executable installer (SetupEP.exe), and not the MSI files.
Run with SYSTEM or Administrator privilege.
Use the ENS standalone package for the installation source files.
NOTE: You can customize this package using the Package Designer.
Will ENS upgrade my older McAfee Agent (MA) version?
It depends on whether MA is managed:
When ePO manages MA, an installation of ENS doesn't modify the agent. It isn't permitted to do so automatically when the agent is in managed mode.
When MA is unmanaged (standalone), the SetupEP.exe installer upgrades the agent to the version included with the ENS package.
How do I install ENS for users who don't have Administrator rights?
Create an installation URL and send it to users to install ENS on their systems. For instructions, see the Endpoint Security Installation Guide.
Can I use Sysprep to include ENS in a base image?
Yes. Sysprep is a supported installation method.
Can I install ENS to a custom drive letter or location?
Yes.
How do I remove the ENS Common extension from ePO?
The Common extension can't be removed if any other ENS module extensions are checked in. Remove all ENS module extensions first, before trying to remove the ENS Common extension.
How do I configure Access Protection rules to block malware?
For a list of suggested Access Protection rules to implement, see KB91934 - Protecting against Ransomware - Rev J - Combating Ransomware.
Can I use variables when creating Access Protection rules?
We don't recommend using variables because it can have unexpected outcomes. The best practice is to use wild cards. For example, C:\Users\%username%\SubFolder can be represented as C:\Users\*\SubFolder.
Why are Access Protection events that are confirmed to occur on the client system and get logged locally not visible in ePO after sending client events?
See KB87149 - Access Protection events aren’t available in ePO. The default configuration for ENS excludes those events from being created. Or, the agent might also be suppressing the events.
How can I access the console or remove ENS if I forget the password?
The default password is mcafee. If you change the password and have forgotten the new password, contact Technical Support for instructions to remove the password. Make sure that you complete the following actions before contacting Technical Support:
Collect Minimum Escalation Requirement (MER) data using the MER tool.
Obtain administrator rights and physical access to the affected system.
How do I remove the default "Quick Scan" and "Full Scan" ODS tasks?
This question is of concern for customers who have created a group and accepted the default settings for ODS tasks, because the task assignments can't be edited or deleted. The simplest solution is to create a group in the ePO System Tree and move systems into that group. Don't enable the ODS tasks for the new group.
Why are there ePO Server Task entries when editing ENS policies?
When editing ENS policies on an ePO 5.9 (or later) server, an ePO Server Task log entry named "Policy <policy name> is saved. Comment: <policy comment>" is created. This entry describes what policy changes are made, at what date and time the change is made, and by what ePO user name. This feature change is introduced with ePO 5.9.
NOTE: When you duplicate default (uneditable) policies, the first policy change made to the duplicate policy logs several policy detail changes. But, for any subsequent policy change, the Server Task entry logs only the specific policy changes made during each saved policy change.
How can I import settings (for example, firewall settings) at the time of installation?
Use one of the following options:
ENS includes a Package Designer utility that allows customizing policies. These policies can be included with the installation package.
ENS includes a utility named ESConfigTool.exe that allows you to export and import policies. The ESConfigTool.exe utility is in the ENS Platform folder (by default, C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform). Deploy ENS to at least one client system, configure settings as needed, and then export the settings using ESConfigTool.exe.
NOTES: You can import the file generated from ESConfigTool.exe using the command setupEP.exe /import
Don't use the plain text option when exporting if you intend to import the settings.
Don't specify an extension for the file.
You must disable the Access Protection rule protecting ESConfig in the ENS Threat Prevention Access Protection policy.
To display help and options, execute the utility with no parameters.
How do I configure ENS Firewall network traffic logging?
Within the ENS Firewall Options policy, enable the Log all allowed or Log all blocked options. ENS Firewall logs block and allow network traffic to the \ProgramData\McAfee\Endpoint Security\Logs\FirewallEventMonitor.log file. If you want to generate ePO events for allowed or blocked network traffic, enable the Log matching traffic option in a specific firewall rule. Generic, high event-generation rules can cause performance issues. For more information, see KB90177 - Enabling the 'Treat match as intrusion' or 'Log matching traffic' logging options might cause high CPU use.
NOTE: ENS Firewall log functionality doesn't allow for only specific firewall rules to be logged to the FirewallEventMonitor.log file.
What's "Presentation mode" when running ODS tasks?
Presentation mode is any window in full-screen mode. This mode can apply to video playback software, Microsoft PowerPoint presentations, or Remote Desktop Protocol windows.
How do I best handle v3 DAT content updates in an environment where systems are non-persistent?
In virtualized environments (XEN/VMware/Citrix) where systems are spawned from a "gold image" or "templates," it's useful to update those "gold images" or "templates" with the latest content every so often. This practice circumvents the need for an end node to download a full content update (usually, hundreds of megabytes of files) when they start. You can make these updates as follows. Start the "gold image," start the update task and connect to a valid repository (for example, ePO), and take a "gold image." For an automated update process through ePO or the public update site (update.nai.com) in general, we publish incremental updates (usually, 100–500 KB). Any system spawned from such a "template" or "gold image" can consume the updates instead of a full update, if it isn't more than 35 versions behind the current content release.
How do content files work?
When the scan engine scans files for threats, it compares the contents of the scanned files to known threat information stored in the AMCore content files. Exploit Prevention uses its own content files to protect against exploits.
Why is EICAR not being detected? Why is my content version 0.5?
This issue occurs when AMCore content hasn't yet been updated after installing the product. To resolve this issue, update the content.
How often do you release new Threat Prevention content files?
We release new Exploit Prevention content files as needed. The Endpoint Security Product Guide incorrectly states that Exploit Prevention content files are released once a month.
Which content does ENS need?
ENS Threat Prevention uses "Endpoint Security Exploit Prevention Content" and "AMCore Content Package."
Where can I get AMCore DAT files? How do I update AMCore content manually?
Can I update the AMCore content from the command line on a client system?
Yes. To update the AMCore content, run the following command on the client system: "C:\Program Files\McAfee\Endpoint Security\Threat Prevention\amcfg.exe" /update
Why does ENS update the engine version automatically? I'm unable to electively download the engine.
The concept of engine updates has changed with AMCore technology; they're no longer separate packages from content. When AMCore content requires an update to any one of its engines that's used during scanning, the engine update is included in the V3 content update releases. Downgrading AMCore content also downgrades an engine if not part of that older content.
How can I determine the Exploit Prevention content version and date from the registry or file system?
The Exploit Prevention content date isn't stored in the registry. The date is the last modified date of the content.bin file found in the directory C:\Program Files\McAfee\Endpoint Security\Threat Prevention\IPS.
To determine the Exploit Prevention content version from the registry:
To get the Exploit Prevention content version, take the ContentVersion value and replace the value before the first period with the ContentMajorVersion, and the value after the first period with the ContentMinorVersion. For example, if the ContentVersion is 8.0.0.8137, ContentMajorVersion is 10, and ContentMinorVersion is 7, the Exploit Prevention content version is 10.7.0.8137.
Is there a way to determine the AMCore content version from the registry or file system?
Yes. Perform the following steps:
Convert the major and minor versions from hexadecimal to decimal. In the following example, the version is 2556.0.
"dwContentMajorVersion"=dword:000009fc (000009fc is 2556 in decimal)
"dwContentMinorVersion"=dword:00000000 (00000000 is 0 in decimal)
The following date and time registry keys are also present. In the following example, the AMCore content was built on March 22, 2017 at 08:44:00 GMT.
"szContentCreationDate"=reg_sz:"2017-03-22" (formatted date yyyy-mm-dd)
"szContentCreationTime"=reg_sz:"08:44:00" (formatted time hh:mm:ss)
From the file system (if managed by ePO):
Locate the value of AvManifestVersion in the file C:\Program Files\McAfee\Endpoint Security\Threat Prevention\AvContentMgr.xml.
In the following example, the version is 2591.0: 2591.0
What does the trailing number in a DAT version mean?
The trailing number indicates whether it's a Production, Pre-production, or Beta V3 DAT package.
xxxx.0 (Example: 3158.0) - Indicates a Production V3 DAT package
xxxx.1 (Example: 3158.1) - Indicates a Pre-production V3 DAT package
xxxx.3 (Example: 3158.3) - Indicates a Beta V3 DAT package
How do I downgrade or roll back DAT content?
Use one of the following options to install the wanted version:
Use ePO and run a DAT update task on the client.
Run the V3 DAT content file manually on the client.
How is AMCore content compliance determined?
The criteria for "compliant" can't be changed. The AMCore content compliance is based on the age of the AMCore DAT.
If the DAT is less than seven days old, it's considered compliant.
If the DAT is greater than or equal to seven days old, it's noncompliant.
NOTE:The DAT age isn't related to when the system is updated, but when the DAT is released.
Does the option "DAT Version compliance for VirusScan Enterprise was within X versions of Repository DAT" exist in ENS?
No. ENS determines compliance based on the age of the DAT, and not the DAT version.
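The version and compliance rules from the preceding answers, worked through in one added example (not code from the article or the product). It decodes the AMCore values in the notation shown above, names the DAT package type from the trailing number, applies the seven-day compliance rule, and composes the Exploit Prevention content version. Function names are hypothetical, and treating the content creation timestamp as the release time for the age check is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the notation the article uses for the AMCore values.
SAMPLE_AMCORE_VALUES = '''
"dwContentMajorVersion"=dword:000009fc
"dwContentMinorVersion"=dword:00000000
"szContentCreationDate"=reg_sz:"2017-03-22"
"szContentCreationTime"=reg_sz:"08:44:00"
'''

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<kind>dword|reg_sz):(?P<data>.+)$')

# Trailing number of a V3 DAT version, as listed in the article.
DAT_PACKAGE_TYPES = {0: "Production", 1: "Pre-production", 3: "Beta"}
COMPLIANCE_WINDOW = timedelta(days=7)


def parse_values(text):
    """Return {name: int or str} for "name"=dword:hex and "name"=reg_sz:"text" lines."""
    values = {}
    for line in text.splitlines():
        match = _VALUE_LINE.match(line.strip())
        if not match:
            continue
        if match["kind"] == "dword":
            values[match["name"]] = int(match["data"], 16)  # hexadecimal to decimal
        else:
            values[match["name"]] = match["data"].strip().strip('"')
    return values


def amcore_version(values):
    """Major.minor in decimal, for example 2556.0."""
    return f'{values["dwContentMajorVersion"]}.{values["dwContentMinorVersion"]}'


def amcore_build_time(values):
    """Creation date and time combined; the article states the time is GMT."""
    stamp = f'{values["szContentCreationDate"]} {values["szContentCreationTime"]}'
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def dat_package_type(version):
    """Production, Pre-production or Beta, from the number after the period."""
    trailing = int(version.rsplit(".", 1)[1])
    return DAT_PACKAGE_TYPES.get(trailing, "Unknown")


def is_compliant(released, now):
    """Less than seven days old is compliant; seven days or more is not."""
    return now - released < COMPLIANCE_WINDOW


def exploit_prevention_version(content_version, major, minor):
    """Swap the first two fields of ContentVersion for the major and minor values."""
    parts = content_version.split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected ContentVersion: {content_version!r}")
    return ".".join([str(major), str(minor)] + parts[2:])


def summarize(text, now):
    """One record per endpoint: version, package type, build time, compliance."""
    values = parse_values(text)
    version = amcore_version(values)
    built = amcore_build_time(values)  # assumption: stands in for the release time
    return {
        "version": version,
        "package_type": dat_package_type(version),
        "built": built,
        "compliant": is_compliant(built, now),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_AMCORE_VALUES, datetime.now(timezone.utc)))
    print(exploit_prevention_version("8.0.0.8137", 10, 7))
```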
How can I determine the size of AMCore content update files?
You can view the AMCore content update files here: HTTPS CommonUpdater or HTTP CommonUpdater. The date or time stamp of the files is always the current date. But, a *.gem incremental update file is released each day and 30 days' worth of incremental updates are stored there.
Why is the V3 DAT still a 100 MB+ file when I was told that the new DATs are much smaller?
The smaller size refers to a comparison of the AVV DATs versus the MED (medium) DATs. These DATs offer equivalent functionality between VSE and ENS.
For ENS:
The MED DATs are found in the following location (note that the versioned folder changes):
The combined size of medscan.dat, mednames.dat, and medclean.dat is 62.7 MB.
For VSE:
The AVV DATs are found in the following location:
C:\Program Files (x86)\Common Files\McAfee\Engine
The combined size of avvscan.dat, avvnames.dat, and avvclean.dat is 143 MB, which is a reduction in size of 56%.
What's the "DAT Built-in test" task?
The DAT Built-in test performs some basic checks on the health of the system. It's tied to the DAT update as the trigger for when it starts. It runs seven times at random intervals between AMCore updates. The task isn't configurable. It runs only if the following options are enabled in the Endpoint Security Threat Prevention, Options policy, Proactive Data Analysis section:
Safety pulse
Global Threat Intelligence (GTI) feedback
AMCore Content Reputation
If the task doesn't succeed, verify that the system has network connectivity and run the task manually. The task runs mcdatrep.exe, a component that uses TrustedSource. So, HTTPS must be allowed and the system proxy must be properly configured for the task to succeed.
What does each of the ENS modules do?
There are three ENS modules:
Firewall - Monitors and intercepts suspicious communication between the computer and resources on the network and internet.
Threat Prevention - Checks for viruses, spyware, unwanted programs, and other threats by scanning items both automatically when users access them (on-access) or on-demand at any time.
Web Control - Displays safety ratings and reports for websites during online browsing and searching. Web Control enables the site administrator to block access to websites based on safety rating or content.
What difference in IPS coverage is there between ENS and Host IPS?
For a list of all ENS Exploit Prevention and Host IPS signatures and their current supported directives, see KB51504 - REGISTERED - Signature Directive support.
NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.
What does "Let McAfee Decide" mean when scanning files?
You can specify when the on-access scanner scans files, such as when writing to disk or reading from disk. Or, you can let us decide when to scan. When you select Let McAfee Decide, the on-access scanner uses trust logic to optimize scanning. Trust logic improves security and boosts performance by avoiding unnecessary scans. For more information, see Understanding the Endpoint Security 10 Threat Prevention Module white paper.
Can ENS detect a virus that's encrypted by an encrypted file system (EFS)?
Yes, if the user who owns the EFS folder accesses the file when the scan runs, ENS can use their access token. Otherwise, ENS can't scan inside encrypted files or packages, and neither can any antivirus scanner. The ENS logs show the following when an EFS is encountered: Not scanned (The file is encrypted). Detection takes place only when the file is decrypted or opened.
How does the ENS on-access scanner handle Client-side Caching interactions? Is the file local or remote?
Microsoft Offline Files/folders technology, or Client-side Caching, allows for files that are hosted on a remote resource to be locally accessible by a device when that device isn't connected to the network. This function is called client-side caching because Windows creates a local copy of the file in a protected folder. It is from this local copy that the device reads and modifies the file's content as needed. When the device is again connected to the network, and the remote file is accessible, changes are synchronized to update both copies.
The file being cached in this manner is always considered a remote file. Even when the device is disconnected from the network, the user or programs accessing the file use the same remote location. It's Windows that handles the needed redirection that provides access to the cached, local copy.
Because the file is always considered remote, for the OAS to scan these files, the Network Drive Scanning feature must be enabled. Similarly, for the on-demand scanner to scan the offline files, it must be provided the original (remote) location.
Why does the ENS Help file open in a browser that isn’t my default browser?
ENS starts the application associated with the .html extension. If the default browser isn't associated with the .html extension, a different browser opens. For more information, see KB86558 - Help file displays in a non-default browser.
Why does McShield.exe have a high CPU usage?
McShield.exe is the user mode scanner that analyzes files to determine whether they're clean or malware. It must use CPU cycles to accomplish its work.
Why does McShield.exe show high CPU usage continually?
McShield.exe is also the hosting scanner to perform the needed work for ODS tasks. If you have a scheduled ODS task running, you see McShield.exe use CPU cycles to carry out the requested scans. In ENS 10.7, there's an option to limit the CPU usage during an ODS task.
Where is EmailScan? Why doesn't ENS include an email scanner like VSE?
Currently there's no plug-in for either Outlook or Lotus mail clients. This feature isn't included because the functionality of EmailScan is largely redundant or overlapping with the real-time scanning. If there's a specific use case wanted for this feature, contact your Support Account Manager and relay your user story to Product Management.
ENS reports the error "Clean error as no cleaner was available, and delete pending" for a detected threat file. What does this error mean?
This error typically means that the file isn't cleanable and should be deleted. Deleting files can return inconsistent results because of the transient nature of files. The product might indicate that a delete action is pending when the file is already deleted (by the operating system) before the product can perform the delete action.
What does the value "Duration Before Detection" shown in the "Endpoint Security: Threat Behavior" ePO dashboard mean?
This value is the time between the file creation date (when it's written to the disk) and the detection time.
How does the integration with Windows Antimalware Scan Interface (AMSI) work?
AMSI is a generic interface standard that Microsoft provides. AMSI is supported on Windows 10, Windows Server 2016, and Windows Server 2019 systems. AMSI allows applications and services to integrate with ENS Threat Prevention, providing better protection against malware. Integrating with AMSI provides enhanced scanning for threats in non-browser-based scripts, such as PowerShell, JavaScript, and VBScript.
How do I enable debug logging in ENS?
Enable debug logging for each ENS module through the ENS Common policy. Make sure that you enforce the policy on the client before trying to reproduce the issue. To enforce the policy, either perform an agent wake-up call to the system from the ePO console or click Collect and Send Props from the client MA Status Monitor. Debug log files are stored at %ProgramData%\McAfee\Endpoint Security\Log or C:\Documents and Settings\All Users\Application Data\McAfee\Endpoint Security\Logs depending on the operating system. For instructions, see KB91797 - Enable debug logging to troubleshoot Endpoint Security issues.
How do I enable detailed logging for MA?
Detailed logging in MA helps troubleshoot issues with updating, installing, and upgrading. Enable detailed logging for MA through the MA General policy. Click the Logging tab, and select Enable detail logging. Increase the Log file size limit (MB) to 20 and Roll over count to 2. For instructions, see KB82170 - How to enable debug logging for McAfee Agent to troubleshoot Windows.
Why are events not reporting in the ePO dashboards?
Managed product events have a severity level. By default, ENS modules log only Critical and Major events. If an event has a severity of Informational, it isn't logged. To log all events, edit the ENS Common policy and change the Event Logging Severity Level to All.
How do I prevent users from disabling the Web Control extension from a browser?
The self-protection policy in the ENS Common Policy prevents end users from disabling the Web Control toolbar and Web Control Browser Helper Object (BHO) in Internet Explorer. Self-protection doesn't prevent users from disabling the Web Control extension in Chrome or Firefox.
If a user disables the Web Control extension in Firefox, Web Control is enabled in future browse sessions after a Firefox restart. You can't prevent a user from disabling Web Control in Firefox.
If a user deletes the Web Control extension in Chrome, Web Control no longer appears in Chrome even after a reinstall of ENS. You must either delete the Chrome user profile or reinstall Chrome. To prevent users from deleting the Web Control extension in Chrome, see KB87568 - Web Control browser extension must be enabled by the user. This article contains information about force-enabling the Web Control extension through Active Directory group policy.
Can I have the SAE and Web Control extensions force enabled in Chrome at the same time?
No. You need to remove the SAE APPID from the Chrome Group Policy template. Having the SAE extension force installed with the Web Control extension causes issues with the navigation from the enforcement messages. Don't force install both the SAE and Web Control extensions into Chrome.
How does Web Control determine whether a site has a private or internal IP address?
Web Control doesn't act on private or internal IP addresses. Private and internal sites on a prohibit list aren't blocked. Web Control determines that a site has a private or internal IP address if it's part of the following IP address ranges:
Default IPv4 private IP address ranges:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
localhost or 127.0.0.1
Default IPv6 private IP address range:
Site-local and Link-local addresses that start with FEC, FED, FEE, FEF or FE8, FE9, FEA, FEB
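Because prohibit-list entries in these ranges aren't blocked, it helps to find them before relying on the list. The following added example (not code from the article or the product) classifies entries against the ranges listed above; the entries are constructed, the function names are hypothetical, and hostnames are reported separately because the script does no name resolution.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges exactly as the article lists them.
IPV4_PRIVATE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_V4 = ipaddress.ip_address("127.0.0.1")  # the article names this address only
# fec0::/10 covers prefixes FEC, FED, FEE, FEF (site-local);
# fe80::/10 covers prefixes FE8, FE9, FEA, FEB (link-local).
IPV6_INTERNAL = [ipaddress.ip_network("fec0::/10"), ipaddress.ip_network("fe80::/10")]

NOT_BLOCKED = "private/internal (not blocked)"
OUTSIDE = "outside the listed ranges"
HOSTNAME = "hostname (not evaluated here)"
INVALID = "unparseable"

# Constructed prohibit-list entries for the example.
SAMPLE_ENTRIES = [
    "http://10.20.30.40/admin",
    "172.31.255.255",
    "172.32.0.1",
    "https://192.168.1.10:8443/",
    "http://[fe80::1]/",
    "http://[2001:db8::1]/",
    "localhost:8080",
    "intranet.example/wiki",
]


def host_of(entry):
    """Extract the host from a bare address, host[:port][/path], or a full URL."""
    entry = entry.strip()
    bare = entry.strip("[]")
    try:
        ipaddress.ip_address(bare)
        return bare
    except ValueError:
        pass
    if "://" not in entry:
        entry = "//" + entry  # lets urlsplit treat the text as a network location
    return urlsplit(entry).hostname


def classify(entry):
    """Say whether an entry falls in the ranges Web Control doesn't act on."""
    try:
        host = host_of(entry)
    except ValueError:
        return INVALID
    if not host:
        return INVALID
    if host.lower() == "localhost":
        return NOT_BLOCKED
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return HOSTNAME
    ranges = IPV4_PRIVATE if ip.version == 4 else IPV6_INTERNAL
    if ip == LOOPBACK_V4 or any(ip in net for net in ranges):
        return NOT_BLOCKED
    return OUTSIDE


def audit_prohibit_list(entries):
    """Group entries by classification so unenforced ones stand out."""
    report = {}
    for entry in entries:
        report.setdefault(classify(entry), []).append(entry)
    return report


if __name__ == "__main__":
    for label, entries in audit_prohibit_list(SAMPLE_ENTRIES).items():
        print(label)
        for entry in entries:
            print("   ", entry)
```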
Why does the version of Web Control in Chrome report differently than the version of Web Control in the ENS console?
The ENS console reports the current version of Web Control installed. Chrome reports the version of the Web Control extension hosted in the Google Play Store. As new versions of Web Control are released, the Web Control extension in the Google Play Store might not get updated. Chrome can report a different version for the Web Control extension than the version shown in the ENS About field or in ePO product properties. Chrome uses the locally installed Web Control extension.
What causes no annotations to show in search results when I perform the search with a supported search engine?
Web Control uses scripts to annotate search results with ratings. If a search engine changes the webpage it uses to present the search engine results, Web Control might not annotate the page. For more information, see KB87640 - Web Control search annotation ratings aren’t displayed in the search engine results.
Why is a site on the Web Control allow list still appearing in email annotations as a red-rated URL?
Web Control email annotations are based only on the GTI rating. The local allow policy doesn't override the GTI rating for the email annotation.
Why is the Web Control browser balloon orange and why does it display "Error retrieving Web Control information"?
If the Web Control service can't communicate with the GTI servers, the browser balloon is orange. For troubleshooting steps, see KB87930 - Endpoint Security Web Control status balloon is orange.
Why don't the ePO reports list a URL for green-rated sites?
Web Control doesn't track green-rated URLs in reports sent to ePO for user privacy. Web Control sends a total green-rated site count for unique categories in events sent to ePO. See the "How Web Control works with Web Reporter" section of the Endpoint Security Web Control Product Guide for information about configuring Web Control to work with Web Reporter to see green-rated URLs.
Why does a system need access to the Google Chrome store to have the Web Control extension work in Chrome or Edge?
When the browser opens, it checks the local Web Control extension against the Web Control extension hosted on the Chrome store. If there's no access to chrome.google.com, the Web Control extension doesn't load in Chrome or Edge Chromium. For instructions to have Edge Chromium use group policies to allow the Web Control extension to load from the Microsoft Edge Add-on store, see KB94784 - How to install the Web Control extension in regions where the Chrome Web Store is inaccessible.