Showing results for 
Show  only  | Search instead for 
Did you mean: 

File was quarantined, but we cannot find the respective log file messages.

During integration of the Trellix AntiVirus Standalone solution into the NATSAMAN system we are using an EICAR file to test the behaviour. We could test that the EICAR file was quarantined, but we cannot find the respective log file messages. [root@TP-cwp04 etc]# /opt/McAfee/ens/tp/bin/mfetpcli --version Trellix Endpoint Security for Linux Threat Prevention Version : DAT Version : 5194.0 DAT Date : 22-12-2022 Engine Version : 6600.9927 Exploit Prevention Content Version : On transferring an EICAR file named NATSAMAN837-EICAR into the AMAN System; it is quarantined immediately: ~> scp username@TP-cwp04:/tmp/NATSAMAN837-EICAR ; date 100% 68 0.1KB/s 00:00 Tue Jan 3 09:43:02 UTC 2023 ~> On AMAN host a new file is placed into the /Quarantine/ folder and does not exists on target: [root@TP-cwp04 /]# ll /Quarantine/ total 8 -rw-------. 1 root root 250 Jan 3 09:43 Q0.0.958996.000.meta -rw-------. 1 root root 254 Jan 3 09:43 [root@TP-cwp04 /]# ls -la /tmp/NATSAMAN837-EICAR ls: cannot access '/tmp/NATSAMAN837-EICAR': No such file or directory but there are not log lines like in the Trello log files with Quarantine or the quarantined file name: [root@TP-cwp04 /]# find /var/McAfee/ens/log/ -type f -exec zgrep -i quaran {} \; Jan 02 16:38:31 TP-cwp04 INFO AMQuarantineRestoreManager [248424] Quarantine directory successfully changed to /Quarantine/ [root@TP-cwp04 /]# find /var/McAfee/ens/log/ -type f -exec zgrep -i eicar {} \; Could you please let us know how to configure the system to write and locate log messages for the detection of infected files by the On Access Scanner.
2 Replies
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 3

Re: File was quarantined, but we cannot find the respective log file messages.

Testing this for me the log shows the detection and delete in the C:\ProgramData\McAfee\Endpoint Security\Logs\ folder in this log. "OnAccessScan_Activity.log"

Shows in ePO as event ID 1278 


Report Inappropriate Content
Message 3 of 3

Re: File was quarantined, but we cannot find the respective log file messages.

Hello @User57965125 


Looks like you are using Linux machine with ENSL 10.7.13 version. 

Detection msg from OAS will show you in MFEOASMGR.log - The real-time log file for on-Access scan (OAS) Manager 

Path for this log: 



By Default mfeoasmgr.log will log only "Critical and Alert" events and this can be changed/configured in ENS COmmon - Option policy. 






Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and give a Kudo, together we can help other members.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community