Generate an event to ePO if a user stops the mfetpd service locally
Last Modified: 2022-03-17 04:16:09 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Generate an event to ePO if a user stops the mfetpd service locally
Technical Articles ID:
KB95370
Last Modified: 2022-03-17 04:16:09 Etc/GMT Environment
Endpoint Security for Linux Threat Prevention (ENSLTP) 10.7.x ePolicy Orchestrator (ePO) 5.x Summary
When a user stops the The ePO administrator doesn't get notified about this action, and no event gets generated. The only way to determine this change is to log on to the system and check the status of the Problem
When the Workaround
There's no separate event ID for the Enable the on-access scan start/stop event IDs in ePO:
INFO AccessProtection [20454] Access protection rules saved successfully DEBUG AccessProtection [20454] Exploit prevention is enabled, so AAC interface wrapper will not be deinitialized DEBUG AccessProtection [20454] Access Protection is disabled DEBUG ENSLMain [20454] MessageBus thread has joined back INFO TaskManager [20454] Task - Default Client Update task is not running DEBUG AMOASBroker [20454] Stop OAS watchdog triggered. Exiting OAS watchdog thread DEBUG AMManageFAEvent [20454] Received event from File Access library with an empty file path. DEBUG AMManageFAEvent [20454] Exiting the Consume Scan Request Queue loop. DEBUG AMManageFAEvent [20454] Stopped monitoring Scan Requests INFO AMOASBroker [20454] Scan Cache is being cleared as OAS is being stopped DEBUG ScanFactoryBroker [20454] Removing the whitelisting of the OAS Manager PID from the file initialization library - 20498 DEBUG AMEventAdaptor [20454] Successfully sent ePO event - 1088 DEBUG ConfigController [20454] DNDGTISelectionCriteria.GTIThrottling.NumHitsToday key is already set to same value. Hence not setting it again to same value DEBUG ConfigController [20454] DNDGTISelectionCriteria.GTIThrottling.NumConsumedQuota key is already set to same value. Hence not setting it again to same value DEBUG ConfigController [20454] DNDGTISelectionCriteria.LastGTIParamsUpdate key is already set to same value. Hence not setting it again to same value DEBUG ConfigController [20454] DNDProductInformation.DaysSinceInstallation key is already set to same value. Hence not setting it again to same value DEBUG GTIQueryManager [20454] Disabling GTI query manager and GTI reachability DEBUG ESPUtils [20454] Failed to open CPU quota configuration file DEBUG AMManageFAEvent [20454] Stopped monitoring Scan Responses and stopped File Access hooking INFO ScanFactoryBroker [20454] Scan Factory child process exited normally INFO ScanFactoryBroker [20454] Scan Factory Process was stopped successfully DEBUG AMODSBroker [20454] Checking if this task needs to be stopped - quick scan DEBUG AMODSBroker [20454] Checking if this task needs to be stopped - full scan INFO ExploitPrevention [20454] Exploit Prevention combined rules saved successfully DEBUG ExploitPrevention [20454] Access Protection is enabled, so AAC interface wrapper will not be deinitialized DEBUG ExploitPrevention [20454] Exploit Prevention is disabled INFO MsgBusPolicyNotificationHandler [20454] Unregistration of Policy Enforcement Notification handler was successful INFO MsgBusPropertyCollectionProv [20454] Unregistration of Property Collection Provider was successful INFO MsgBusPolicyNotificationHandler [20454] Unregistration of Policy Enforcement Notification handler was successful INFO MsgBusTaskEnforcementHandler [20454] Unregistration of Task Enforcement Handler was successful DEBUG MsgBusAgentUpdateServiceHandler [20454] Unregistration of Agent Update Handler was successful INFO MsgBusInfEvHand [20454] Unregistration of Information Event handler was successful INFO ma_client [20454] stopping ma client. INFO msgbus [20454] Unregistered for msgbus connectivity resync INFO msgbus [20454] Removed file watcher on broker config file INFO dispatcher [20454] dispatcher dl_close 0x7fa9300078a0 INFO dispatcher [20454] dispatcher dl_close 0x7fa930007d70 INFO ma_client [20454] stopping ma client notifier thread. INFO ma_client [20454] ma config monitor stop received. INFO ma_client [20454] ma client notifier thread existing... DEBUG RegistrationCallback [20454] Successfully sent a deregistration request to ESP INFO ENSLMain [20454] Product has completed the shutdown sequence If the on-access scan start/stop event IDs aren't selected in ePO, When the
Affected ProductsLanguages:This article is available in the following languages: |
|