Hi All,
Can anyone explain what is mfetp.exe and what this process does?
Is this process involved in on demand scanning or on access scanning?
This is part of McAfee Endpoint Protection 10.6.0.542 and McAfee Threat prevention 10.6.0.672.
Regards,
MFETP is the Threat Prevention process. It is therefore involved in any activity performed by the threat prevention module. The actual scanning activities however are performed by mcshield.exe
It for example launches scheduled tasks for ENSTP, and will therefore also be part of ODS tasks, performs quarantine tasks etc.
This Kb gives a rough overview of what each process installed by ENS does: https://kc.mcafee.com/corporate/index?page=content&id=KB87791
This isn't one of the typical processes I would expect to be using High CPU or Memory tbh and I'm not aware of any known issues with this process.
How frequently are you enforcing policies/ tasks? If you were doing this too frequently, this service might be impacted or potentially if your policies are quite complex/ large.
If an ODS task was running you'd see it in the ENS console under settings > common > enable advanced > tasks or yes, in the logs C:\programdata\mcafee\endpointsecurity\logs > in the ODS activity log is where you'd see an ODS task - stop, start, etc.
If there was an ODS task running, you would see higher usage of the mcshield process as well. As this is the one doing the scanning.
The OAS activity log only really reports on AMCORE content updates - not too much else. The UI or logs don't report on what OAS is scanning, as this would be insanely performance impacting. Imagine the thousands of entries per minute? The only way to see what is being scanned is via procmon. And even if you looked at this - you'd be looking at mcshield for scanning activities. I would however run procmon and filter on the mfetp process and look at what it is doing.
In general I always start troubleshooting ENS issues in the EndpointSecurityPlatform_Errors.log and look for any obvious errors.
We have a case with engineering for mfeatp.exe 10.6.0 using high CPU.
The platform error log was showing mfeatp was taking longer than usual to respond.
Thanks Wouterr,
You advised that Mfeatp.exe 10.6.0 using High CPU usage is currently with engineering, do you mean McAfee are checking this out?
I have checked the EndpointSecurityPlatform_Errors.log and see the below for example. The on access policies that are applied on other devices for Endpoint Security and Endpoint Threat prevention aren't applying to the device where a portion of the EndpointSecurityPlatform_Errors.log are listed below.
I am currently removing the Threat prevention and Endpoint Security software from the device and reinstalling.
From the logs below, would ye have any advice or would these be normal?
01/22/2019 12:06:58.905 PM mfetp(7232.10856) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
01/22/2019 12:06:58.906 PM mfetp(7232.10856) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5127): Failed to set property :
01/22/2019 12:06:58.906 PM mfetp(7232.10856) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:4791): AMCore error code: 0xA7F40511
01/22/2019 12:06:58.908 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1449): SetFileExclusion: Failed to set exclusion task settings. TaskName = EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error Code = xc0350025
01/22/2019 12:06:59.850 PM mfetp(7232.10788) <SYSTEM> TmpLogger.BoBl.Error (BoBl.cpp:1498): Failed to set property: BlockEnabled error: 0x26
01/22/2019 12:07:00.140 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:490): Failed to set Exploit Prevention properties.
01/22/2019 12:07:00.141 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2113): Failed to enforce some of the Exploit Prevention policies.
01/22/2019 12:08:06.144 PM mfeesp(7072.13108) <SYSTEM> LPC.CommonLPC.Error (common_prop_collection.cpp:373): RegQueryValueEx for bGlobExclConfigured failed with error: 2
01/22/2019 12:08:09.678 PM mfetp(7232.10788) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
01/22/2019 12:08:09.681 PM mfetp(7232.10788) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5127): Failed to set property :
01/22/2019 12:08:09.682 PM mfetp(7232.10788) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:4791): AMCore error code: 0xA7F40511
01/22/2019 12:08:09.685 PM mfetp(7232.12068) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1449): SetFileExclusion: Failed to set exclusion task settings. TaskName = EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error Code = xc0350025
01/22/2019 12:08:11.127 PM mfetp(7232.11028) <SYSTEM> TmpLogger.BoBl.Error (BoBl.cpp:1498): Failed to set property: BlockEnabled error: 0x26
01/22/2019 12:08:11.794 PM mfetp(7232.12068) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:490): Failed to set Exploit Prevention properties.
01/22/2019 12:08:11.796 PM mfetp(7232.12068) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2113): Failed to enforce some of the Exploit Prevention policies.
01/22/2019 12:08:12.273 PM mfeesp(7072.13108) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:1783): ENSGlobalExclusion: Error: Delete policy failed with error 87
01/22/2019 12:08:12.310 PM mfeesp(7072.13108) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:1398): Failed to set policies for telemetry, -2147483391
01/22/2019 12:08:12.311 PM mfeesp(7072.13108) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:1734): Setproperties failed for property PW_OBJECT_CONFIG_PASSWORD_MODE,retval = -1072168897
01/22/2019 12:08:12.312 PM mfeesp(7072.13108) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:441): Failed to enforce policies on UninstallPassword
01/22/2019 12:36:58.757 PM mfeesp(7072.10720) <SYSTEM> PackageSupplier.PackageSupplier.Error (MaPkgIUpdater.cpp:176): MAPKGSUPPLIER ERROR: CMaPkgSupplier::MA runUpdateNow failed. rc=31
01/22/2019 12:38:37.025 PM mfeesp(7072.2816) <SYSTEM> LPC.CommonLPC.Error (common_prop_collection.cpp:373): RegQueryValueEx for bGlobExclConfigured failed with error: 2
01/22/2019 12:38:39.525 PM mfetp(7232.11028) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
01/22/2019 12:38:39.526 PM mfetp(7232.11028) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5127): Failed to set property :
01/22/2019 12:38:39.527 PM mfetp(7232.11028) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:4791): AMCore error code: 0xA7F40511
01/22/2019 12:38:39.528 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1449): SetFileExclusion: Failed to set exclusion task settings. TaskName = EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error Code = xc0350025
01/22/2019 12:38:40.458 PM mfetp(7232.11028) <SYSTEM> TmpLogger.BoBl.Error (BoBl.cpp:1498): Failed to set property: BlockEnabled error: 0x26
01/22/2019 12:38:40.770 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:490): Failed to set Exploit Prevention properties.
01/22/2019 12:38:40.771 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2113): Failed to enforce some of the Exploit Prevention policies.
01/22/2019 12:39:53.583 PM mfetp(7232.11028) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
01/22/2019 12:39:53.584 PM mfetp(7232.11028) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5127): Failed to set property :
01/22/2019 12:39:53.585 PM mfetp(7232.11028) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:4791): AMCore error code: 0xA7F40511
01/22/2019 12:39:53.587 PM mfetp(7232.12068) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1449): SetFileExclusion: Failed to set exclusion task settings. TaskName = EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error Code = xc0350025
01/22/2019 12:39:55.081 PM mfetp(7232.772) <SYSTEM> TmpLogger.BoBl.Error (BoBl.cpp:1498): Failed to set property: BlockEnabled error: 0x26
01/22/2019 12:39:55.460 PM mfetp(7232.12068) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:490): Failed to set Exploit Prevention properties.
01/22/2019 12:39:55.461 PM mfetp(7232.12068) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2113): Failed to enforce some of the Exploit Prevention policies.
01/22/2019 12:39:56.033 PM mfeesp(7072.2816) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:1783): ENSGlobalExclusion: Error: Delete policy failed with error 87
01/22/2019 12:39:56.063 PM mfeesp(7072.2816) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:1398): Failed to set policies for telemetry, -2147483391
01/22/2019 12:39:56.064 PM mfeesp(7072.2816) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:1734): Setproperties failed for property PW_OBJECT_CONFIG_PASSWORD_MODE,retval = -1072168897
01/22/2019 12:39:56.065 PM mfeesp(7072.2816) <SYSTEM> LPC.CommonLPC.Error (common_policy_enforcement.cpp:441): Failed to enforce policies on UninstallPassword
01/22/2019 12:39:57.487 PM mfetp(7232.10788) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
01/22/2019 12:39:57.488 PM mfetp(7232.10788) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5127): Failed to set property :
01/22/2019 12:39:57.489 PM mfetp(7232.10788) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:4791): AMCore error code: 0xA7F40511
01/22/2019 12:39:57.491 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1449): SetFileExclusion: Failed to set exclusion task settings. TaskName = EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error Code = xc0350025
01/22/2019 12:39:58.452 PM mfetp(7232.772) <SYSTEM> TmpLogger.BoBl.Error (BoBl.cpp:1498): Failed to set property: BlockEnabled error: 0x26
01/22/2019 12:39:58.760 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforceBOPolicies.cpp:490): Failed to set Exploit Prevention properties.
01/22/2019 12:39:58.761 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2113): Failed to enforce some of the Exploit Prevention policies.
Regards
MFEATP process has a current (long on-going) issue with memory leaks. We had hoped to address these in the January update for 10.6.1 but this release was pulled due to issues identified during testing.
@wouterr made a good suggestion to look at the ENS Platform Errors log, however this log is not easy to read for the un-trained eye as it contains a lot of errors which aren't too meaningful - side note: this is something that I believe we are addressing in ENS 10.7.
Most of the ones you've just posted can be ignored - I'd maybe look into these but don't believe them to be causing your issue: Failed to enforce some of the Exploit Prevention policies.
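The Platform Errors excerpt posted above repeats the same few errors many times, so grouping entries by process and source location makes it easier to triage. The following is an added example, not part of any post in this thread and not McAfee code; the field layout is inferred from the posted lines, and `parse_line`, `summarize` and `SAMPLE` are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout inferred from the excerpt in the thread (an assumption, not a vendor spec):
# date time AM/PM process(pid.tid) <user> component.level (file:line): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [AP]M) "
    r"(?P<proc>\w+)\((?P<pid>\d+)\.(?P<tid>\d+)\) <(?P<user>[^>]+)> "
    r"(?P<component>[\w.]+)\.(?P<level>\w+) \((?P<src>[^:()]+:\d+)\): (?P<msg>.*)$"
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S.%f %p")
    return rec

def summarize(lines):
    """Group entries by (process, source location), most frequent first."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        groups[(rec["proc"], rec["src"])].append(rec)
    rows = []
    for (proc, src), recs in groups.items():
        times = sorted(r["time"] for r in recs)
        rows.append({"proc": proc, "src": src, "count": len(recs),
                     "first": times[0], "last": times[-1], "msg": recs[0]["msg"]})
    return sorted(rows, key=lambda r: (-r["count"], r["proc"], r["src"]))

# Lines copied from the excerpt posted in the thread above.
SAMPLE = """\
01/22/2019 12:06:58.905 PM mfetp(7232.10856) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
01/22/2019 12:06:58.908 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:1449): SetFileExclusion: Failed to set exclusion task settings. TaskName = EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error Code = xc0350025
01/22/2019 12:07:00.141 PM mfetp(7232.12960) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2113): Failed to enforce some of the Exploit Prevention policies.
01/22/2019 12:08:06.144 PM mfeesp(7072.13108) <SYSTEM> LPC.CommonLPC.Error (common_prop_collection.cpp:373): RegQueryValueEx for bGlobExclConfigured failed with error: 2
01/22/2019 12:08:09.678 PM mfetp(7232.10788) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
01/22/2019 12:08:11.796 PM mfetp(7232.12068) <SYSTEM> MaSpb.MaSpb.Error (lpc_EnforcePolicies.cpp:2113): Failed to enforce some of the Exploit Prevention policies.
01/22/2019 12:38:39.525 PM mfetp(7232.11028) <SYSTEM> exclusion.EXCLUSION.Error (exclusionbl.cpp:5333): Sending exclusion policy to AMCore failed. Task name: EXCLUSION_EXCLUDE_OAS_PROCESS_GROUP_DEFAULT, Error code: 0xA7F40511
""".splitlines()

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(f'{row["count"]:>3}  {row["proc"]:<7} {row["src"]:<32} {row["msg"][:60]}')
```

Lines that do not match the inferred layout are skipped, so the whole log file can be passed to `summarize` line by line.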
Thanks Chealey,
Unfortunately when I check Endpoint Security and go to settings, then click on threat prevention and click on show advanced and check on access scans I can't see any exclusions on the device even with the EPO server communicating to device successfully.
I have also removed version 10.6.x and installed Endpoint Security platform 10.5.3.3178 and Threat Prevention 10.5.3.3264. Would 10.5.3.x versions be better to use together? The policies still aren't being picked up from EPO server with this version as well.
Regards
Oh that doesn't sound very healthy at all. You may want to call in and get a remote session started with support so we can check the overall health and look at what the process is doing.
Personally - I would not go back to using 10.5.3 - we've made so many improvements since then. But if you are saying the policies are still not being enforced there may be something wrong with the agent. Check that the communication works, and if you press enforce policies no errors come up.
If it's just the OAS policy that isn't being enforced, you may have a corrupt policy. To test this theory you can put all ENS TP policies back to McAfee Default - are the changes reflected? If yes, leave all as McAfee Default except your OAS policy. Does your OAS policy get reflected?
Thanks Chealey,
I have gone through the below steps
1) Uninstalled Threat Prevention
2) Uninstalled Endpoint Security
3) Removed agent using frminst.exe /remove=agent command
4) Rebooted PC
5) Installed McAfee agent 5.5.1.342 - installed successfully. Device communicating with EPO
6) Installed McAfee Endpoint Protection 10.6.0.542 and Endpoint Threat Prevention 10.6.0.672
7) Ran update now and CORE updated from version 0.5 to 3594 (today's current CORE Version as of 15:48)
8) Checked on access scan policies and policies still aren't applying.
I can open a call with McAfee to investigate
Thanks for your help Chealey