vtgt
Level 10
Message 1 of 3

Real-time Search requirements

MVISION EDR Real-time Search does not work in our Windows environment and concludes with error code: 257 - "Collector or reaction couldn't execute content on the endpoint." According to https://kc.mcafee.com/corporate/index?page=content&id=KB92810 the Windows Script Host has to be enabled, but for security reasons this registry key is set to 0 in our environment. Is the Windows Script Host a must criteria for Real-time Search or are there other options available to use this feature? We tried to create our own collector with a signed PowerShell script but this does not seem to work either. The search result here is error code: 262 - "Can't parse collector output." Any recommendations or hints to make MVISION EDR Real-time Search work for us are much appreciated.
2 Replies
AjaySundar
Employee
Message 2 of 3

Re: Real-time Search requirements

Hi @vtgt,

Good day to you!

Could you please confirm whether the collector that you are executing is one of the McAfee in-built ones or a customer collector?

>> Is the Windows Script Host a must criteria for Real-time Search or are there other options available to use this feature?

Yes, any script execution done through EDR and MAR requires the "Windows Script Host" to be enabled.

I hope this helps.

Regards,

Ajay

vtgt
Level 10
Message 3 of 3

Re: Real-time Search requirements

Hi @AjaySundar 

Thanks a lot for your confirmation!

We are a little bit stuck between a rock and a hard place: for security reasons our Windows Script Host is disabled by GPO. But we want and need to use the real-time search for IOCs.

Do you have an idea for temporarily enabling the Windows Script Host by an ePO action for the usage of real-time search?

The other topic "error code: 262" is related to a custom collector that we created for testing. Here it would be great to see some configuration examples with syntax description in the documentation.

Are there any plans to publish examples for creating custom collectors for specific needs?
