Hi,
Every 5 minutes the EndpointSecurityPlatform_Errors.log shows me:
07/17/2019 10:21:53.592 AM mfeesp(4600.3484) LPC.CommonLPC.Error (common_policy_enforcement.cpp:1865): ENSGlobalExclusion: Error: Delete policy failed with error 87
07/17/2019 10:21:53.670 AM mfeesp(4600.3484) LPC.CommonLPC.Error (common_policy_enforcement.cpp:1479): Failed to set policies for telemetry, -2147483391
07/17/2019 10:21:59.701 AM mfetp(5172.5708) TmpLogger.BoBl.Error (BoBl.cpp:1493): Failed to set property: BlockEnabled error: 0x26
07/17/2019 10:22:00.154 AM mfetp(5172.2420) MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:490): Failed to set Exploit Prevention properties.
07/17/2019 10:22:00.154 AM mfetp(5172.2420) MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2255): Failed to enforce some of the Exploit Prevention policies.
In the ExploitPrevention_Activity.log:
7/17/2019 10:16:59 AM mfetp(5172.5556) TmpLogger.BoBl.Activity: Failed to set property: BlockEnabled error: 0x26
7/17/2019 10:21:59 AM mfetp(5172.5708) TmpLogger.BoBl.Activity: Failed to set property: BlockEnabled error: 0x26
7/17/2019 10:26:59 AM mfetp(5172.5556) TmpLogger.BoBl.Activity: Failed to set property: BlockEnabled error: 0x26
OS is Windows Server 2012R2
Installed McAfee products:
Product | Version |
McAfee DXL Client | 4.1.0.184 |
Agent | 5.5.0.447 |
Endpoint Security Firewall | 10.6.1.1278 |
Endpoint Security Platform | 10.6.1.1449 |
Endpoint Security Threat Prevention | 10.6.1.1550 |
Endpoint Security Adaptive Threat Protection | 10.6.1.1311 |
Does anyone recognize this?
Regards,
Ray
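To confirm the "every 5 minutes" cadence described in the post above, this added example (not part of the original post and not McAfee code) parses the log line layout seen in the excerpts and reports the median gap between repeats of the same message. The regex field names and the function names `parse` and `recurring` are assumptions chosen for illustration; the sample lines are copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Sample input: lines copied from the first post's two log excerpts.
SAMPLE = """\
07/17/2019 10:21:53.592 AM mfeesp(4600.3484) LPC.CommonLPC.Error (common_policy_enforcement.cpp:1865): ENSGlobalExclusion: Error: Delete policy failed with error 87
07/17/2019 10:21:59.701 AM mfetp(5172.5708) TmpLogger.BoBl.Error (BoBl.cpp:1493): Failed to set property: BlockEnabled error: 0x26
7/17/2019 10:16:59 AM mfetp(5172.5556) TmpLogger.BoBl.Activity: Failed to set property: BlockEnabled error: 0x26
7/17/2019 10:21:59 AM mfetp(5172.5708) TmpLogger.BoBl.Activity: Failed to set property: BlockEnabled error: 0x26
7/17/2019 10:26:59 AM mfetp(5172.5556) TmpLogger.BoBl.Activity: Failed to set property: BlockEnabled error: 0x26
"""

# Layout inferred from the excerpts (an assumption, not a vendor specification):
# date time[.ms] AM/PM process(pid.tid) [<user>] component [(file:line)]: message
LINE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2})(?:\.\d+)? (?P<ampm>[AP]M) "
    r"(?P<proc>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\) "
    r"(?:<(?P<user>[^>]*)> )?"
    r"(?P<component>[\w.]+)"
    r"(?: \((?P<src>[^():]+:\d+)\))?: "
    r"(?P<msg>.*)$"
)

def parse(text):
    """Yield (timestamp, process, component, source, message) for each matching line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['ts']} {m['ampm']}", "%m/%d/%Y %I:%M:%S %p")
            yield ts, m["proc"], m["component"], m["src"], m["msg"]

def recurring(text, min_hits=3):
    """Map (process, component, message) -> (count, median gap in seconds)."""
    seen = defaultdict(list)
    for ts, proc, comp, _src, msg in parse(text):
        seen[(proc, comp, msg)].append(ts)
    out = {}
    for key, stamps in seen.items():
        if len(stamps) >= min_hits:  # ignore one-off messages
            stamps.sort()
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            out[key] = (len(stamps), median(gaps))
    return out

if __name__ == "__main__":
    for key, (count, gap) in recurring(SAMPLE).items():
        print(f"{count}x every ~{gap:.0f}s: {key}")
```

A stable gap across many repeats points to a scheduled task retrying the same failing operation, which is more useful to hand to support than a raw excerpt.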
@RaymondP EndpointSecurityPlatform_Errors.log is specifically needed to check if there is any functional issue you are seeing. This log contains various API error details which help engineering in debugging specific issues. Unless you have a functional problem, you do not really need to look at the platform error logs. Let me know if there is any specific problem you are seeing from an ENS functionality point of view.
We do have the same problem on ENS 10.6.1 May Release
Platform Log:
***********
11/18/2019 02:36:21.595 PM McTray(12388.11632) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): Exploit Prevention is not responding.
11/18/2019 02:36:21.630 PM McTray(12388.11632) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): On-Access Scan is not responding.
11/18/2019 02:36:21.643 PM McTray(12388.11632) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): Self Protection is not responding.
11/18/2019 02:36:21.661 PM McTray(12388.11632) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): ScriptScan is not responding.
11/18/2019 02:36:31.711 PM McTray(12388.12800) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): AMSI is not responding.
11/18/2019 02:36:32.218 PM McTray(12388.12800) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): Exploit Prevention is not responding.
11/18/2019 02:36:32.278 PM McTray(12388.12800) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): On-Access Scan is not responding.
11/18/2019 02:36:32.401 PM McTray(12388.12800) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): ScriptScan is not responding.
11/18/2019 02:36:41.246 PM McTray(12388.12576) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): ScriptScan is not responding.
11/18/2019 02:39:21.534 PM McTray(12388.2500) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): AMSI is not responding.
11/18/2019 02:39:21.557 PM McTray(12388.2500) <xxxx> McTray.McTrayUPC.Error (TechnologyTopicHandler.cpp:213): Adaptive Threat Protection is not responding.
Exploit Prevention Log:
*****************
11/18/2019 02:14:03.846 PM mfetp(9084.12936) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2255): Failed to enforce some of the Exploit Prevention policies.
11/18/2019 02:14:43.719 PM mfetp(9084.13036) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2255): Failed to enforce some of the Exploit Prevention policies.
11/18/2019 02:15:01.655 PM mfetp(9084.12936) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2255): Failed to enforce some of the Exploit Prevention policies.
Thank you for your post here. May I know the exact functionality-wise issue you are facing? As I stated before, the error logs will never be empty. We have various internal components that will write some failure information within that log, but that does not mean there will be a functionality issue. We look at this log when we need to correlate some functionality issue with one of the components of ENS.
The system has had massive performance problems - opening an Explorer window takes a very long time - after uninstalling it was OK again - something has been wrong here - if no policies could be enforced, it could be the reason for the slowness, but why does it have problems?
Hi @finkemch,
Thank you for your response. I would like to clarify a few things before we investigate further.
By performance issues, are you referring to the time consumed by your machine to launch Explorer windows, or was it accompanied by high CPU or memory usage as well?
Your issue seems to be very close to a recent issue that I came across and hence wanted to ensure this detail. Any specific change you recall happening for this machine? How many endpoints are affected?
When you said it was okay again after uninstallation, may I know if the exact issue repeats itself after reinstalling McAfee ENS?
It is possible. Whether a policy is getting enforced or not can be validated on the local machine. If you are sure that policies are not coming, then we would definitely need to look at the complete policy enforcement flow and see where the problem is.
As @AdithyanT mentioned, what is the exact performance issue we are looking at? Are you seeing high CPU/memory/disk utilization by a McAfee process, or has overall machine performance been degraded?
If you verify the local console of ENS and make sure that the exclusions which you enforced from EPO are present, then we can just look at it from the performance point of view.
The user has had problems when he opens Explorer - it takes very long to get the content displayed.
Not really high CPU - but a strong delay in the usage of Explorer.
Hi @finkemch,
Thank you for the update. Weird one. I am sure you see much faster access to Explorer.exe when you disable the On-Access Scanner? Can you kindly confirm that, please? Also, what happens when you stop the Cryptographic Services and launch explorer.exe immediately with the On-Access Scanner enabled? This should be done as quickly as possible, as Cryptographic Services starts back up instantaneously once killed.
I think I know what may be the issue.
*Note: This is only for troubleshooting purposes; kindly perform it with precaution. ENS has a dependency on the Cryptographic Service.