McAfee – Agent 5.6 (bug)

April 5, 2019

McAfee Agent 5.6.0 and 5.6.0 Hotfix 1264214 can experience a problem where the same client events are uploaded to the ePolicy Orchestrator server repeatedly. The flood of events results in multiple issues. McAfee Technical Support is investigating the issue and created a temporary workaround.

Option 1 – Use Deploy Agents from the ePO console to reinstall the McAfee Agent:

1. From within the McAfee ePO console, select an impacted endpoint and choose Actions – Agent – Deploy Agents.
2. Within the Deploy McAfee Agent configuration, select “Force installation over existing version” and populate the necessary authentication credentials.

Option 2 – Restart the McAfee Agent service:

1. Disable Self-Protection in the McAfee Agent General policy, if enabled.
2. Restart the McAfee Agent services:
   a. Press the Windows key + R.
   b. Type services.msc into the field and press Enter.
   c. Right-click McAfee Agent Service, and select Restart
3. Close the services window.

Option 3 – Disable event generation of event IDs 2401, 2402, 2422, and 2427 from the ePO server’s Event Filtering page:

1. In the ePO console, navigate to Server Settings, Event Filtering.
2. Edit the Event Filtering and verify that only the following option is selected: The agent forwards: Only selected events to the server.
3. Scroll down through the list of events and deselect event IDs 2401, 2402, 2422, and 2427. This action prevents the events from being generated at the client (MA) side.

IMPORTANT: If you disable these event IDs within the Event Filtering page, it only stops additional events from being generated. It cannot prevent the ePO server or remote Agent Handlers from uploading and parsing existing events.