FAQs for Endpoint Security for Linux Threat Prevention
Technical Articles ID: KB96340
Last Modified: 2023-10-10 05:22:00 Etc/GMT
Environment
Endpoint Security for Linux (ENSL)
Endpoint Security for Linux Threat Prevention (ENSLTP)
Summary
This article is a consolidated list of common questions and answers intended for users who are new to the product, but it can be useful to all users.
Recent updates to this article
Date: October 10, 2023
Update: Corrected the FAQ statement related to a running ODS task in the "Operation and Configuration - Performing tasks in ENSL" section.
Contents
How do the FANotify mode and Kernel mode for ENS work?
The kernel module and FANotify are two ways through which ENSL can get file access events (open, read, write, etc.) from the system. With the kernel module, ENSL hooks the system calls to get the events. The Linux kernel itself later added a facility named FANotify. With FANotify, any userspace application can register to receive all file system events for processing, which removes the need for a userspace application to ship its own kernel module for the same purpose. So, the kernel module and FANotify serve the same purpose: delivering all file events to the userspace ENSLTP scanner. All ENSL customers on Ubuntu/Debian or SUSE use only FANotify, as we don't provide the kernel module for those platforms. You can safely use either FANotify or the kernel module, as there's no difference in functionality.
Can I use ENSLTP to block or manage USB drives on Linux?
No, ENSLTP can't be used to block USB drives.
What's the impact of disabling the rule "Modify or remove the "passwd" or "shadow" files by a process other than passwd" in the ENSLTP Access Protection policy? Do I need to make any further modifications?
The /etc/passwd file stores essential information required during login. In other words, it stores user account information. The /etc/shadow system file in Linux stores encrypted user passwords.
If this rule is disabled, a process other than passwd can modify these files. We strongly recommend that you don't disable this rule.
Can ENSL scan inside a container?
No, ENSL doesn't support scanning inside containers; it only supports scanning on the host where the container is initiated.
Do I need root permission to launch an on-demand scan (ODS) task from the command line?
Yes, administrator rights are needed to perform ODS tasks.
On the Linux server, there are files encrypted with the common key encryption method (AES-256) in the application, but is it possible to scan the encrypted files with ENSL?
ENSL doesn't scan encrypted files; only decrypted files can be scanned. You might see scan errors when encrypted files get scanned by ENSL.
Does ENSL SELinux work on CentOS-based systems?
Currently, ENSL SELinux RPM packages only work on Red Hat-based systems. You might see the error "distribution is not supported" on other Linux platforms when you install the ENSL SELinux RPM package.
What are the DAT and MEDDAT package types?
DAT files are the standard V2 Virus Definition files. These files are only used by ENSL 10.6.x. MEDDAT is a subset of V2 DAT that occupies less disk space and memory; it is faster and lighter than V2 DAT. MEDDAT files are only used by ENSL version 10.7.0 and later.
How do I manually download the latest DAT/MEDDAT files?
DAT/MEDDAT packages are generally downloaded automatically on a daily basis by ePolicy Orchestrator (ePO) servers, but you can also get the latest DAT files from the Security Updates page.
Can I manually check the downloaded DAT/MEDDAT files into the Master Repository?
Yes.
Open the Master Repository, and click Checkin, Package Type, Product or Update(.zip).
Add the newly downloaded .zip DAT file and click Next.
Keep the default branch to Current and click Save.
Is there Adaptive Threat Protection (ATP) available with ENSLTP?
No, ATP isn't supported with ENSL. It's only supported with the Windows platform.
Can I check if a device's on-access scan (OAS) is disabled or enabled from ePO?
AP and EP are showing as false in ePO. How do I check if these are enabled on the host?
To check the AP status:
Type /opt/McAfee/ens/tp/bin/mfetpcli --getapstatus and press Enter.
To check the EP status:
Type /opt/McAfee/ens/tp/bin/mfetpcli --getepstatus and press Enter.
Why is my current running ODS task stopped when the update task runs?
The Update task (DAT/MEDDAT) is the highest priority task in ENSL. This task gets the latest security updates needed for scanning and protecting your system. The ODS tasks are paused during the Update and resume once the update is completed.
Where can we find the scan/detection logs?
To view the scanned files, open /var/McAfee/ens/log/tp/mfeoasmgr.log.
To view the infection detections, navigate to /var/log/messages or /var/log/syslog and look for the keyword msg=Infection caught.
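An added example (not from the KB) that applies the keyword above to a syslog-style file and summarises the detections it finds. The constructed sample lines below assume a process name, a path= field and an action= field that the article does not specify; only the keyword msg=Infection caught comes from the page.

```shell
#!/bin/sh
# Summarise ENSL infection detections from a syslog-style log (/var/log/messages or
# /var/log/syslog). Everything except the keyword "msg=Infection caught" is an assumption.

# Constructed sample log; the process name and the path=/action= fields are assumed.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Oct 10 05:20:11 srv01 mfetpd[2211]: msg=OAS scan completed path=/var/tmp/report.pdf
Oct 10 05:21:02 srv01 mfetpd[2211]: msg=Infection caught path=/tmp/eicar.com action=Deleted
Oct 10 05:21:40 srv01 sshd[3102]: Accepted publickey for admin from 192.0.2.10
Oct 10 05:22:00 srv01 mfetpd[2211]: msg=Infection caught path=/home/user/dl/sample.bin action=Access denied
EOF

# Count detection events in the given log file; prints 0 (and exits 0) when none are found.
count_infections() {
    grep -c 'msg=Infection caught' "$1" || true
}

# Print the detected file paths, one per line, in order of appearance.
infection_paths() {
    grep 'msg=Infection caught' "$1" | sed -n 's/.*path=\([^ ]*\).*/\1/p'
}

# Stand-alone usage against the constructed sample (replace with /var/log/messages on a host).
echo "detections: $(count_infections "$SAMPLE_LOG")"
infection_paths "$SAMPLE_LOG"
```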
What are the commands to view the EP signatures and EP exclusions?
To view all EP signatures, run /opt/McAfee/ens/tp/bin/mfetpcli --getallepsignatures and look for the keyword violated the rule.
To view all EP exclusions, run /opt/McAfee/ens/tp/bin/mfetpcli --getepexclusions and look for the keyword violated the rule.
How can I view the list of Exclusions configured via the command-line?
To check for AP exclusions: /opt/McAfee/ens/tp/bin/mfetpcli --getapexclusions
To check for EP exclusions: /opt/McAfee/ens/tp/bin/mfetpcli --getepexclusions
To check for OAS exclusions: /opt/McAfee/ens/tp/bin/mfetpcli --getoasconfig --exclusionlist
What's the command to initiate the Trellix default DAT update from the Linux system?
Check the list of tasks:
Type /opt/McAfee/ens/tp/bin/mfetpcli --listtask and press Enter.
Look for the task name "Default Client Update task".
Run the default DAT update task:
Type /opt/McAfee/ens/tp/bin/mfetpcli --runtask --name "<Default Client Update task as listed above>" and press Enter.
Where can we find ODS reports on a Linux machine?
ODS scan reports can be found at /var/McAfee/ens/log/tp/odsreport/archive.
Can I pause or cancel a running ODS task from ePO?
No, you can't pause or cancel a running ODS task from ePO. You can only stop a running ODS task from the command line:
Get the ODS task index id:
Type /opt/McAfee/ens/tp/bin/mfetpcli --listtasks and press Enter.
Stop the ODS task with the respective index id:
Type /opt/McAfee/ens/tp/bin/mfetpcli --stoptask --index <index id> and press Enter.
Can I manually delete all the ODS tasks on the server?
No, you can't manually delete all ODS tasks at once, but you can delete them one at a time by running the command below:
How do I change the GTI sensitivity level on a Linux server?
Open ePO, select the OAS policy, and click Trellix GTI.
Set the sensitivity level and click Save. Apply the changes by performing a wakeup agent call.
How do I enable the FANotify mode?
Type /opt/McAfee/ens/tp/bin/mfetpcli --usefanotify and press Enter.
Restart the ENSLTP service for the changes to take effect:
Type /opt/McAfee/ens/tp/init/mfetpd-control.sh restart and press Enter.
How do I disable the FANotify mode and change back to the Kernel mode?
Type /opt/McAfee/ens/tp/bin/mfetpcli --usekernel and press Enter.
Restart the ENSLTP service for the changes to take effect:
Type /opt/McAfee/ens/tp/init/mfetpd-control.sh restart and press Enter.
How can I add OAS exclusions for specific processes from ePO?
Open ePO, and click OAS Policy, Process Settings.
Under Configure different settings for High Risk and Low Risk processes, set the When to scan option for Low Risk as Do not scan.
Click Add and enter your list of trusted excluded processes.
Apply this policy to your host and perform a wake-up agent call.
How can I add read or write exclusions for files and folders locally?
Open a command-line session.
Type /opt/McAfee/ens/tp/bin/mfetpcli --setoasprofileconfig --profile standard --addexclusionrw --excludepath "<file/directory path to be excluded>" and press Enter.
How can we enable/disable Exploit Prevention signatures from ePO?
Open ePO, click Exploit Prevention Policy, Advanced. Open Signatures and in the Filter, select Linux.
Choose the Signature ID to enable or disable. Click Save.
Apply this policy to your host and perform a wake-up agent call.
How can I set the maximum scan time for each file scan?
Open ePO, and navigate to OAS Policy.
Open On-Access Scan, and in Specify maximum number of seconds for each file scan, set the update time.
Click Save.
How can we change the Threat detection actions? Can I deny access to infected files rather than deleting them?
Open ePO, and navigate to OAS Policy.
Open Process Settings, and click Process Types.
Choose your profiles (standard, highrisk, lowrisk) and open Actions.
View Threat detection first response, and select Deny access to files. Click Save.
Apply this policy to your host and perform a wake-up agent call.
How can I block the renaming of files? Can I do this for the Access Protection rules on ePO?
Example AP rule to block file rename operation:
Open ePO, and navigate to Access Protection policy.
Under Rules, select Linux and click Add.
Enter a new rule name. Enable the Block and Report action options.
Under Subrules, enter a subrule name. Under Subrule type, choose Files.
Under Operations, choose Rename and navigate to the Targets section.
Click Add and under Inclusion status, select Include.
From the drop-down, select File path, provide a complete file path to the file that you want to prevent being renamed, and click Save.
Apply this policy to your host and perform a wake-up agent call.
What ENSL issues will I see if I uninstall TA?
Installing TA alongside ENSL is mandatory even when ENSL is installed in standalone mode.
TA updates ENSL, performing daily DAT and Content security updates. You must keep TA installed.
Does ENSL require restarts of the hosts after either a fresh installation or an upgrade?
No, restarting or rebooting your Linux hosts after ENSL installation or upgrade isn't required.
Can I install ENSL with OAS or Access Protection in disabled mode?
Yes, you can.
For a standalone installation:
Download the ENSL standalone package, untar the tar.gz file, and run the install script with the parameters oasoff apoff.
For example: ./install-mfetp.sh oasoff apoff
For an ePO (On-prem) installation:
Open the System Tree, and select the target host. Click Action, Run Task now, Trellix Agent, Product Deployment.
Click Create new task and for Target platforms, select Linux.
In Products and Components, select the ENSL Threat Prevention package.
In Command line, add the oasoff apoff parameter.
Click Run Task now.
Where can I find the ENSL installation logs?
All installation logs can be found under the /tmp directory, in the file ensltp-epo-setup.log.
How do I change the default install location directories of /opt/McAfee/ and /var/McAfee/ to other mount points, while installing ENSL?
You can't change the default install location of ENSL.
Why can't I view installed ENSL product details under System Information in ePO?
To view the ENSL product details in ePO, you must install the ENSL ePO extensions.
Make sure that your ENS extensions have been installed and make sure that they're the latest versions.
Will the current ENSL policies be changed or updated once I upgrade to the latest ENSL version?
No. There will be no change on existing ENSL policies; all configurations will remain the same as before.
When I run the ENSL installation script, using the command "sudo ./install-mfetp.sh," I see the error "Permission denied." Why?
To execute the ENSL install script, make sure that the user running the script has read/write/execute rights and that the install script has execution permissions.
To list the rights currently applied to the script, run the command ls -lrt install-mfetp.sh
To add execution rights to the script, run the command chmod +x install-mfetp.sh
Now, rerun the installation script: sudo ./install-mfetp.sh
Can I upgrade only the ENSL kernel module, without upgrading the ENSL product?
Yes. The kernel module update package provides support for new kernel updates without requiring you to upgrade the ENSL product.
Can I upgrade to the latest version of ENSLTP, without checking-in the latest ENS Kernel Module package?
No. You can't just upgrade ENSLTP to the latest version, without having the latest ENS Kernel Module package in the ePO Master Repository.
Why do I see the error "McAfee Agent is not running in confined mode. McAfee Endpoint Security for Linux products will also not run in confined mode," when I install the ENSL SELinux RPM package?
To make ENSL products SELinux confined, first install the MFEma-selinux RPM package and then the ENSL SELinux RPM package.
Can I install the ENSL SELinux RPM package on Ubuntu, CentOS, or SELinux platforms?
No. The ENSL SELinux RPM package is currently supported only on Red Hat-based systems.
Why do I see "Event ID: 1048" when an ENSL client scans PDFs or any other file types?
"Event ID: 1048" means that the scan reports a general system error. You usually see it generated whenever a file is denied for access or is password-protected.
Why do I see the notification "Event ID: 1024 Action taken: Access denied" when ENS detects a file that's being read from an external medium (DVD)?
The ENS client determines that a specific file is malicious but read-only and blocks access to that file, so that malicious processes can't be launched and file access can't be attempted.
Why do I see the error "checking for dependent products Dependencies found! uninstall failed," when I uninstall TA?
You can't remove TA unless all dependent ENS products are removed first; for example, ENSLTP, Firewall, etc.
I see errors such as "No such file or directory" in the OAS logs when the file for which the scan request is made has already been deleted, such as temporary files. Why?
This error is expected, as the file doesn't exist. The error indicates that the file has been scanned and deleted as per OAS action settings, so there's no impact in this case.
To avoid seeing this error (if you trust the files that cause it), consider adding them to the OAS exclusion lists.