Gen EDGE

  • 1.  Gen 8.5 GUI clients cannot be tested getting false positive alert

    Posted Oct 04, 2018 12:04 PM

    I just started getting false positive detections when testing Gen 8.5 GUI clients. It does not impact Web clients.

    I am on Windows 10 with Microsoft Visual Studio 2012 with Update 4. I started getting the problem when testing early last week.

    I am getting this error when I try to test:

    and the exe file will be permanently deleted. 

    The Gen 7.6 generated client is not impacted.

    I worked with my Endpoint Security folks, who uninstalled and reinstalled Endpoint Security, and they said it is not McAfee. I looked at Windows Update and there were no updates during the time frame when it stopped working. CA can't recreate the problem, so they can't help. Any suggestions?



  • 2.  Re: Gen 8.5 GUI clients cannot be tested getting false positive alert

    Broadcom Employee
    Posted Oct 04, 2018 12:37 PM

    I did a search and found the following embedded in a McAfee troubleshooting document. Hopefully it will be useful.

    Full document link: How to troubleshoot when Endpoint Security blocks third-party applications 

    Best Regards,

    Rob Thompson

    Adaptive Threat Protection -> Real Protect

    Real Protect provides post execution analysis of a process, using client-based scanning, cloud-based scanning, or both. Based on its findings it can lead to a conviction as malware and subsequent cleaning.

    How to determine whether Real Protect is blocking the application
    • The issue no longer occurs after disabling the option "Enable client-based scanning" or "Enable cloud-based scanning" at Endpoint Security Adaptive Threat Protection policy, Options Category, Real Protect Scanning section.
    • The AdaptiveThreatPrevention_Activity.log records a detection of the application (for example, Orchestrator.Action.Activity: Action Details::  File: <file> , Mode: Enforce , Scanner: Real Protect Client , Reputation: <reputation> , ActionTaken: Clean).
    • The AdaptiveThreatPrevention_Debug.log records a static detection of the application (for example, Orchestrator.RealProtectStatic.Debug:  File: <file> : RP Static reputation <reputation 1> classification 1 silent 0 detection name <name> JCM reputation <reputation 2> (the important entry is the classification value of 1)).
    • The AdaptiveThreatPrevention_Debug.log records a cloud detection of the application (for example, Orchestrator.RepChangeListener.Debug:  real protect cloud found <detection name> in process id <PID> , file <file>).
    How to prevent Real Protect from blocking an application
    • Use On-Access Scanner exclusions to exclude the files being detected. 
      NOTE: On-Access Scanner exclusions also prevent Adaptive Threat Protection from requesting Dynamic Application Containment to contain a process.
    • Use Threat Intelligence Exchange Server to change the enterprise reputation for the files as appropriate.
    • Use Threat Intelligence Exchange Server to add the certificate for the wanted files.

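The quoted McAfee document names the log entries that show Real Protect convicting a file, but leaves the search to the reader. The script below is an added example, not part of the original thread and not McAfee or Broadcom tooling: it applies those three signatures to lines from AdaptiveThreatPrevention_Activity.log and AdaptiveThreatPrevention_Debug.log and lists the files Real Protect convicted, which is what you would want to know before deciding between an On-Access Scanner exclusion and a TIE reputation change. The sample lines are constructed from the field layouts quoted above; their timestamps, paths, reputation numbers and the detection name RealProtect-Example are invented placeholders, and because real lines carry additional prefixes the patterns match on the field names rather than on line starts.

```python
"""Triage helper for McAfee ENS Adaptive Threat Protection logs.

Added example, not part of the original thread, McAfee, or Broadcom tooling.
It applies the three Real Protect signatures from the quoted troubleshooting
document to AdaptiveThreatPrevention_Activity.log / _Debug.log lines and
reports the files Real Protect convicted.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class RealProtectHit:
    source: str   # "activity" (enforced clean), "static" or "cloud"
    file: str     # path of the convicted file
    detail: str   # scanner / detection name and reputation values


# Activity log: a Real Protect conviction that ATP acted on.
ACTIVITY_RE = re.compile(
    r"Orchestrator\.Action\.Activity:.*?File:\s*(?P<file>.+?)\s*,"
    r".*?Mode:\s*(?P<mode>\w+)\s*,"
    r".*?Scanner:\s*(?P<scanner>Real Protect[^,]*?)\s*,"
    r".*?Reputation:\s*(?P<rep>[^,]+?)\s*,"
    r".*?ActionTaken:\s*(?P<action>\w+)"
)

# Debug log: client-side static scan. Per the document, "classification 1"
# is the value that marks a detection; other values are not convictions.
STATIC_RE = re.compile(
    r"Orchestrator\.RealProtectStatic\.Debug:\s*File:\s*(?P<file>.+?)\s*:"
    r"\s*RP Static reputation\s*(?P<rep>-?\d+)"
    r"\s*classification\s*(?P<cls>\d+)"
    r"\s*silent\s*(?P<silent>\d+)"
    r"\s*detection name\s*(?P<name>.+?)"
    r"\s*JCM reputation\s*(?P<jcm>-?\d+)"
)

# Debug log: cloud-side detection on a running process.
CLOUD_RE = re.compile(
    r"Orchestrator\.RepChangeListener\.Debug:\s*real protect cloud found"
    r"\s*(?P<name>.+?)\s*in process id\s*(?P<pid>\d+)\s*,\s*file\s*(?P<file>.+?)\s*$"
)


def scan_lines(lines):
    """Return a RealProtectHit for every line that records a conviction."""
    hits = []
    for line in lines:
        m = ACTIVITY_RE.search(line)
        if m:
            # Only an enforced "Clean" means the file was actually removed.
            if m.group("action").lower() == "clean":
                hits.append(RealProtectHit(
                    "activity", m.group("file"),
                    f"{m.group('scanner')}, mode {m.group('mode')}, "
                    f"reputation {m.group('rep')}"))
            continue
        m = STATIC_RE.search(line)
        if m:
            if m.group("cls") == "1":
                hits.append(RealProtectHit(
                    "static", m.group("file"),
                    f"{m.group('name')} (RP reputation {m.group('rep')}, "
                    f"JCM reputation {m.group('jcm')})"))
            continue
        m = CLOUD_RE.search(line)
        if m:
            hits.append(RealProtectHit(
                "cloud", m.group("file"),
                f"{m.group('name')} (pid {m.group('pid')})"))
    return hits


def blocked_files(lines):
    """Distinct file paths with at least one Real Protect conviction."""
    return {h.file for h in scan_lines(lines)}


# Constructed sample lines: the field layout follows the quoted document; the
# timestamps, paths, numbers and the detection name are invented placeholders.
SAMPLE_LINES = [
    r"10/01/2018 09:15:02.123 ... Orchestrator.Action.Activity: Action Details::  "
    r"File: C:\Gen85\out\MYCLIENT.EXE , Mode: Enforce , Scanner: Real Protect Client , "
    r"Reputation: 15 , ActionTaken: Clean",
    r"10/01/2018 09:20:10.456 ... Orchestrator.Action.Activity: Action Details::  "
    r"File: C:\Gen76\out\OLDCLIENT.EXE , Mode: Observe , Scanner: Real Protect Client , "
    r"Reputation: 50 , ActionTaken: Allow",
    r"10/01/2018 09:15:01.900 ... Orchestrator.RealProtectStatic.Debug:  File: C:\Gen85\out\MYCLIENT.EXE : "
    r"RP Static reputation 15 classification 1 silent 0 detection name RealProtect-Example JCM reputation 30",
    r"10/01/2018 09:20:09.800 ... Orchestrator.RealProtectStatic.Debug:  File: C:\Gen76\out\OLDCLIENT.EXE : "
    r"RP Static reputation 70 classification 0 silent 0 detection name none JCM reputation 70",
    r"10/01/2018 09:15:03.010 ... Orchestrator.RepChangeListener.Debug:  real protect cloud found "
    r"RealProtect-Example in process id 4120 , file C:\Gen85\out\MYCLIENT.EXE",
]


def main(argv):
    # Usage: python rp_triage.py [AdaptiveThreatPrevention_Activity.log ...]
    # With no arguments the constructed sample lines are scanned instead.
    if argv:
        lines = []
        for path in argv:
            with open(path, encoding="utf-8", errors="replace") as fh:
                lines.extend(fh.read().splitlines())
    else:
        lines = SAMPLE_LINES
    for hit in scan_lines(lines):
        print(f"[{hit.source:8}] {hit.file}: {hit.detail}")
    print("Convicted files:", sorted(blocked_files(lines)))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it against both log files from the ENS log directory (in the document's layout, both files sit beside each other, so pass both paths on one command line). An entry in the Observe-mode activity line or a static line with classification 0, as in the Gen 7.6 sample, is deliberately not reported: those show Real Protect looked at the file and did not convict it, which is the contrast you need to rule Real Protect out for the unaffected build.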