To remediate such situations, you can use the ESConfigTool. This tool is included with any ENS installation as part of the platform module. It can insert a policy into an ENS installation. It's usually at C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform.
The Access Protection rule "Unauthorized execution of EsConfigTool" blocks the execution of the ESConfigTool. Administrators can disable the rule and run ESConfigTool when needed, and re-enable the rule when complete.
To access the help for the executable, issue the command ESConfigTool /?. The help text is included below for reference.
Description: Endpoint security configuration tool for exporting and importing policy configuration. User needs administrator rights to run this utility. Utility needs password if the client interface is password protected. File supplied for import must be an encrypted file.
USAGE:
ESConfigTool.exe /export <filename> [/module <TP|FW|WC|ESP> ] [/unlock <password> ] [/plaintext ]
ESConfigTool.exe /import <filename> [/module <TP|FW|WC|ESP> ] [/unlock <password> ] [/policyname <name> ]
ESConfigTool.exe /help
"encrypted file" in the Description means a file that has been created using the ESConfigTool with the "/export" parameter.
Minimal information is logged in %deflogdir%\EndpointSecurityPlatform_Errors.log. This information can help when you investigate a policy export or import failure.
We recommend that the administrator locks the client interface with a strong password to avoid unauthorized access and configuration of policies. The /export and /import operations then require the client interface password to succeed.
To replace the problematic ENS policy with a known good policy:
- Export a known good policy from a working system with ENS installed. You can use your test system if you don't have a working system.
  NOTES:
  - Access Protection settings are part of the ENS Platform module, not the ENS Threat Prevention module, when using the ESConfigTool.
  - ESConfigTool doesn't overwrite any files that exist in the target directory with the same name; choose a different file name.
  - Encapsulate the path statement with " " if the path contains spaces, for example, "Program Files\<filename>".
  Example commands:
  - Export the ENS Platform settings of the current installation and place them in the c:\temp directory as policy.xml in an encrypted format:
    ESConfigTool.exe /export "c:\temp\policy.xml" /module ESP
  - Export the ENS Threat Prevention settings of the current installation and place them in the c:\temp directory as policy.xml in an encrypted format. As you export, unlock the console with the console password provided in plain text:
    ESConfigTool.exe /export "c:\temp\policy.xml" /module TP /unlock <password in plain text>
  - Export the ENS Platform settings of the current installation and place them in the c:\temp directory as policy.xml in plain text format. As you export, unlock the console with the console password provided in plain text. The file created is in XML format. You can view the file with a browser or Notepad to see what settings have been exported.
    ESConfigTool.exe /export "c:\temp\policy.xml" /module ESP /plaintext /unlock <password in plain text>
- Transfer the exported file to the affected system.
- Import the policy on the affected system.
  Example commands:
  - Import a previously exported and encrypted ENS Platform policy file in c:\temp named policy.xml to the current ENS installation:
    ESConfigTool.exe /import "C:\temp\policy.xml" /module ESP
  - Import a previously exported and encrypted ENS Threat Prevention policy file in c:\temp named policy.xml to the current ENS installation. As you import, unlock the console with the console password provided in plain text:
    ESConfigTool.exe /import "C:\temp\policy.xml" /module TP /unlock <password in plain text>
- When the system is working again, use any means to automate the import of the policy using the ESConfigTool to the other affected systems.
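One way to script the import step for the remaining affected systems, as an added example that is not part of the original article or a vendor-supplied script. The function name Import-EnsPolicy and its parameters are hypothetical; only the ESConfigTool switches and the default path come from this article, and treating a non-zero exit code as failure is an assumption.

```powershell
# Added example: hypothetical wrapper around the /import usage shown above.
function Import-EnsPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $PolicyFile,
        [Parameter(Mandatory)] [ValidateSet('TP','FW','WC','ESP')] [string] $Module,
        [securestring] $UnlockPassword,
        # Usual location named in this article; adjust if ENS is installed elsewhere.
        [string] $ToolDir = 'C:\Program Files\McAfee\Endpoint Security\Endpoint Security Platform'
    )

    # The tool's help text states that administrator rights are required.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated session: ESConfigTool needs administrator rights.'
    }

    $exe = Join-Path $ToolDir 'ESConfigTool.exe'
    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { throw "ESConfigTool.exe not found in $ToolDir" }
    if (-not (Test-Path -LiteralPath $PolicyFile -PathType Leaf)) { throw "Policy file not found: $PolicyFile" }

    $toolArgs = @('/import', $PolicyFile, '/module', $Module)
    if ($UnlockPassword) {
        # /unlock takes the password in plain text, so decode it only at call time.
        $plain = [System.Net.NetworkCredential]::new('', $UnlockPassword).Password
        $toolArgs += @('/unlock', $plain)
    }

    try {
        # PowerShell quotes arguments that contain spaces, as the NOTES require.
        & $exe @toolArgs
    } catch {
        throw "ESConfigTool could not be started (is the Access Protection rule still enabled?): $_"
    } finally {
        $plain = $null
    }

    # Assumption: a non-zero exit code means failure; the article does not document exit codes.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "ESConfigTool exited with code $LASTEXITCODE. Check EndpointSecurityPlatform_Errors.log."
    }
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Module = $Module; ExitCode = $LASTEXITCODE }
}

# Usage (constructed values): prompt for the password instead of storing it in the script.
# Import-EnsPolicy -PolicyFile 'C:\temp\policy.xml' -Module ESP -UnlockPassword (Read-Host 'ENS client password' -AsSecureString)
```

The password still reaches ESConfigTool as a plain-text command-line argument, so process-creation auditing on the host can record it. Re-enable the Access Protection rule once the import has completed.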