The error below is displayed on the ePO Agent Handler server desktop:
AHSetup error
Failed to write the Agent Handler Certificate.
Path=C:\Program Files(x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssslcrt\ahCert.crt
NOTE: There are no errors recorded in any of the ePO logs for the above error in the SSL.crt folder.
Results from Process Monitor while performing the regenerate cert command:
- Open the Procmon logs, click Filter, and then select Process Name, Contains, and CMD.exe.
- Logs show:
  - Process name: cmd.exe
  - Operation: CreateFileMapping
  - Path: c:\Windows\System32\Rundll32.exe
  - Result: File Locked With Only Reader
- Results when you check the properties on the Process tab:
  It shows the list of DLLs loaded while running CMD.exe, which are locked via the respective DLLs:
ENSHIPHandlers64.dll
EpMPThe.dll
EpMPApi.dll
fcagpph64.dll
fcagcfh64.dll
NOTE: The listed DLLs belong to Endpoint Security.
The error below is recorded in AccessProtection_Activity.log (C:\ProgramData\McAfee\Endpoint Security\Logs):
|mfeesp 2436 7096 AP XModuleEvents.cpp(844) DOMAIN\USER ran C:\Windows\System32\cmd.exe, which attempted to access the process ESConfigTool.exe, violating the rule "Unauthorized execution of EsConfigTool", and was blocked. For information about how to respond to this event, see KB85494.
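To confirm that an Access Protection block lines up with the AHSetup failure, the activity log can be parsed into structured records. The PowerShell below is an added example, not part of the original article or any McAfee tooling. The function name `Get-ApBlock`, the regex (built only from the wording of the single log line quoted above) and the second and third sample lines are assumptions made for illustration.

```powershell
# Added example (not vendor code): extract Access Protection blocks from log lines.
# Assumption: events follow the wording of the one line quoted in this article,
#   "<source>.cpp(<n>) <user> ran <actor>, which attempted to access <target>,
#    violating the rule "<rule>", and was blocked"
function Get-ApBlock {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()]          # tolerate blank lines in the log
        [string]$Line
    )
    begin {
        # The user is captured lazily so names containing a space
        # (for example NT AUTHORITY\SYSTEM) are kept whole.
        $pattern = '\(\d+\)\s+(?<user>.+?) ran (?<actor>.+?), ' +
                   'which attempted to access (?:the process )?(?<target>.+?), ' +
                   'violating the rule "(?<rule>[^"]+)", and was blocked'
    }
    process {
        $m = [regex]::Match($Line, $pattern)
        if ($m.Success) {
            [pscustomobject]@{
                User   = $m.Groups['user'].Value
                Actor  = $m.Groups['actor'].Value
                Target = $m.Groups['target'].Value
                Rule   = $m.Groups['rule'].Value
            }
        }
    }
}

# Sample input: line 1 is the entry quoted in this article; lines 2 and 3 are
# constructed to show a user name with a space and a non-matching line.
$sample = @(
    '|mfeesp 2436 7096 AP XModuleEvents.cpp(844) DOMAIN\USER ran C:\Windows\System32\cmd.exe, which attempted to access the process ESConfigTool.exe, violating the rule "Unauthorized execution of EsConfigTool", and was blocked. For information about how to respond to this event, see KB85494.'
    '|mfeesp 2436 7096 AP XModuleEvents.cpp(844) NT AUTHORITY\SYSTEM ran C:\Example\tool.exe, which attempted to access C:\Example\file.dat, violating the rule "Example rule", and was blocked.'
    '|mfeesp 2436 7096 AP Example.cpp(1) unrelated informational line'
)

# Show only blocks where cmd.exe was the acting process, as in this issue.
$sample | Get-ApBlock | Where-Object Actor -like '*\cmd.exe' | Format-List

# Against the real log on the Agent Handler server:
# Get-Content 'C:\ProgramData\McAfee\Endpoint Security\Logs\AccessProtection_Activity.log' | Get-ApBlock
```

Compare the rule name and the time of any matching entry with the time the AHSetup error appeared on the desktop.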