As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Troubleshoot common Endpoint Security for Linux issues
Technical Articles ID:
KB95924
Last Modified: 2022-08-30 05:19:02 Etc/GMT
Environment
Endpoint Security for Linux Firewall (ENSLFW) 10.x
Endpoint Security for Linux Threat Prevention (ENSLTP) 10.x
Summary
Below are the recommended troubleshooting steps for common ENSL issues.
Contents
Click to expand the section you want to view:
To help Technical Support troubleshoot an issue with ENSLTP or ENSLFW, collect the following data.
Collect an ENSLTP or ENSLFW Minimum Escalation Requirements (MER) file. MER is the minimum data needed to triage an issue and provide the next steps of action.
To generate an ENSLTP MER, run the following command:
/opt/McAfee/ens/tp/scripts/mfetp-mer.sh
This command creates the MER file mfetp-mer_.*.tar.
To generate an ENSLFW MER, run the following command:
/opt/McAfee/ens/fw/scripts/mfefw-mer.sh
This command creates the MER file mfw-mer_.*.tar.
In addition, collect the following data if applicable.
For a functional-related issue, enable the debug logs, reproduce the issue, and then capture the MER file. Detailed logs help narrow down and identify the root cause. To enable debug logs, run the following command:
/opt/McAfee/ens/tp/bin/mfetpcli --debuglog enable
For a performance-related issue, we need to know the OAS (OAS) scan activities happening on the system to advise on proper configuration settings. To enable the OAS Activity log, run the following command:
For a DAT update or policy update-related issue, enable Trellix Agent (TA) debug logging, reproduce the issue, and then capture the MER file. Enable TA debug logging in the ePolicy Orchestrator (ePO) console at Trellix Agent, General, My Default, Logging tab, Enable detailed logging.
Container Vulnerability Scanner (MFECVS) is a command-line tool. You can use the tool to perform the following actions:
List images in a Docker private registry or Docker hub.
Scan for vulnerabilities in Docker images in a Docker private registry or Docker hub.
Steps to troubleshoot MFECVS-related issues:
Confirm that the configuration of the mfecvs.yaml file is correct. For example, check the username convention and the syntax of the YAML file.
mfecvs.yaml sample file:
#Copyright (C) 2020 McAfee, LLC. All Rights Reserved.
# Sample User config file
# Array of registries
# Registry is an object of name, url and username of string type
# Add the details of only private registries.
# For listing/scanning docker hub images, do not pass registry(-r) flag to the cli.
registries:
- name: DockerHub
#url is the url for the registry
url: https://registry.hub.docker.com
#username is the user of the registry
username: YourDockerHubUsername
#name is the name of the registry which is referred to by the -r flag in cli
- name: Docker Private Registry
#url is the url for the registry
url: https://your.registry.domain.com
#username is the user of the registry
username: YourUsername
Check whether the MFECVS tool supports the registry. The tool only supports Docker private registries (the registry that uses the Docker Hub API).
Check the mfecvs.log log file for errors and debug the issue. For example, the system might be restricted from outside connections. This configuration causes the scanner to fail, as it generates a vulnerability report by sending image data to the Trellix cloud.
Use the instructions below for each Linux platform.
By default on Secure Boot-enabled systems, all ENSL kernel modules aren't loaded because they aren't signed. Only signed kernel modules can be loaded on such systems.
Hence, all kernel modules must be signed with a private key and authenticated with the corresponding public key. This topic applies to the following platforms: RHEL (kernel module based) and SLES/Ubuntu (Fanotify based).
The DAT gets updated on systems daily. If your system isn't getting the latest DAT updates, check the following:
Log on to the ePO console. Make sure that the Assigned Client Tasks tab has an update task to update the DAT, Engine, and Exploit Prevention content every day.
Make sure that the Schedule status of the update task is "enabled" and the Schedule type is "Daily."
Make sure that the Repositories are enabled in the Trellix Agent Repository policy.
Make sure that your system can reach the DAT webpage (https://update.nai.com/products). If not, you might need to check the network settings. ENSLTP requires stable internet to complete the update process. A poor internet connection can halt the process and cause an update failed error.
Check whether any Firewall rule is blocking the communication between your system and ePO.
Check for any download failures or connection errors in /var/McAfee/agent/logs/McScript.log.
Check whether your system has enough drive space. ENSLTP needs free space of at least 4 GB on the drive that contains /var.
When ENSL is installed, two ODS tasks are created by default, namely quick scan and full scan. If the Linux system is ePO-managed, you can modify the properties/attributes of these tasks by changing the ODS policy assigned to the system. On a standalone installation, changes aren't possible. Creation and deletion of custom ODS scans is possible on both managed and unmanaged installations. Common issues seen with ODS tasks are: ODS isn't starting, and ODS remains in a running state. See below for troubleshooting steps for each of these scenarios.
How to troubleshoot when ODS isn't starting:
Check whether all ENSL services are running. Use the command ps -eaf | grep -i mfetp:
Check whether there's any other ODS/update task running. List the tasks using the following command:
#/opt/McAfee/ens/tp/bin/mfetpcli --listtasks
Check the status of the tasks. If any task is in the state Initiated, Running, or Stopping, another ODS task won't start.
Check whether the ODS task has the CPU Limit set and the system is failing to enable cgroups. Check the ODS task information with the following command:
If the value set for "Maximum CPU Limit" is less than 100, the ODS task CPU consumption is limited. Check /var/log/messages and /var/McAfee/ens/log/tp/mfetpd.log for failure errors related to cgroups.
To debug ODS start issues, look for failures or errors in the following log files:
How to troubleshoot when ODS remains in a running state:
Check for the ODS manager and ODS collector of the processes. Use the top or ps command to see the ODS processes.
If the ODS manager exits and the collector remains, it's the issue.
If only the ODS manager is running but there's no scan activity, check the ODS report log. Check whether ENSL is taking time to generate the final report. ODS report logs are written at /var/McAfee/ens/log/tp/odsreport/.
Check whether the ODS task has a maximum scan time set to a high value. List the ODS task information using the following command:
Check the value for the parameter "Maximum scan time" set in seconds. By default, the value is 45 seconds, and you can set the value between 10–9999 seconds. A higher value on the scan timeout indicates larger files; ODS keeps scanning until the time elapses. The completion time for ODS increases.
To debug when ODS remains in a running state, look for errors in the following log files:
When you apply a policy from ePO to a Linux system, TA keeps checking whether there are any changes in the parameters specified in the policy compared to the settings on the system. If the settings don't match, TA enforces the policy. If you change something in the existing policy, the changes take affect after a policy update wake-up agent communication. Sometimes, the policy on the ENSL client isn't updated with the values set in ePO. Follow the troubleshooting steps below.
Check whether a network connection is available between ePO and the ENSL client. Use the "Ping" option after selecting the system in the ePO System Tree. Perform a wake-up agent from ePO and a reverse wake-up agent from the ENSL client. Check whether the "Last communicated" field is updated in the ePO System Tree for the ENSL client. To perform a reverse wake-up agent, run the following command:
# /opt/McAfee/agent/bin/cmdagent -p
TA gets the ePO policy and sends it to the managed product, in this case, ENSL. Check the following files for any errors or failures messages in downloading the policy or applying it on the ENSL client.
Check whether any Firewall rule is blocking the ePO to TA communication on port 8081. Use the following command:
iptables -L
Check whether the policy is corrupted. Corruption might occur due to a policy overlap between different ENSL features. To check for an overlap, in the ePO console, go to Policy Catalog, and export the policy into an XML file. Open the XML file in any browser. Check whether there are any OAS-related settings in the Exploit Prevention/Access Protection policies or vice versa.
ePO deployment of ENSL and TA SELinux packages isn't supported. Hence, you have to install the packages manually. If you encounter any issues, follow the below steps:
Check whether the following supported ENSL SELinux packages are installed:
Unsupported kernel module:
To enable Access Protection, Exploit Prevention, or OAS, ENSL kernel modules are loaded on the system. If the kernel modules aren't loaded, these components can fail.
View the following log files and check whether the kernel module is supported.
Kernel modules aren't signed in a Secure Boot environment
ENSL kernel modules aren't signed by default. Secure Boot enabled systems load only signed kernel modules. So, unsigned ENSL kernel modules fail to load on these systems.
Check for the signing issue in the /var/McAfee/ens/log/tp/mfetpd.log file.
Nov 09 15:26:28 test.os.com ERROR FileAccessEventKernelImpl [1182] Module insertion Failed with errorRequired key not available
Presence of multiple versions of the same kernel module
If a previous uninstallation of ENSL wasn't done properly, there could be multiple versions of the same kernel module that are loaded.
If OAS isn't enabled:
Check whether the mfe_fileaccess module is loaded or not using the following command. There shouldn't be multiple instances of the mfe_fileaccess module loaded as shown below. There should be only one instance of the mfe_fileaccess module loaded.
If Access Protection/Exploit Prevention aren't enabled:
Check whether the mfe_aac module is loaded or not using the following command. There shouldn't be multiple instances of the mfe_aac module loaded as shown below. There should be only one instance of the mfe_aac module loaded.
Check whether there's sufficient disk space (minimum 4 GB) on the system. To check the disk space, run the command df -h.
Make sure that the latest ENSL version packages including kernel modules are checked-in to the ePO Master Repository.
Make sure that the ENSL Threat Prevention service is active and running. To check the status, run the command /opt/McAfee/ens/tp/init/mfetpd-control.sh status.
If you're upgrading ENSL from ePO, make sure communication between the system and ePO is working.
If you're upgrading ENSL manually (standalone), make sure that the latest ENSL packages are unzipped and placed in the same folder.
Check the installation log at /tmp/ensltp-epo-setup.log for any installation errors.
Refrain from using the system during an ENSL upgrade task.