Installing McAfee Endpoint Security 10.2.1 issues

jwojda
Valued Contributor II

I'm running into an issue with McAfee 10.2.1 (Agent 5.0.4) running through Casper. It appears that the package completes (tailing jamf.log and install.log) but the Casper Remote.app continues to think it's still installing, presumably because the Endpoint Security Bundle installs a firewall app which interrupts the network connection. I guess my concern would be during image time or upgrading the components, what would that do to the installs?

The web filter seems to want access to the Security settings in Control Panel, which we restrict. Is there an easy way to script out what it needs to change?

What are the best practices that people are following? Are they just installing Threat Prevention and leaving off Web and Firewall?

28 REPLIES

bvrooman
Valued Contributor

We just install the firewall and antimalware components (no web filter), but aside from the behavior you described in Casper Remote, we haven't had an issue. EPM also did the same thing with Casper Remote; as soon as the firewall component started, it dropped the SSH connection back to the admin's computer.

Are you able to install via a policy?

dpertschi
Valued Contributor

@bvrooman how are you omitting the web filter component from the install package? ChoiceChangeXML?

bvrooman
Valued Contributor

No, I'm not excluding anything. Our McAfee engineer gave us a package for Threat Prevention and a package for Firewall; I just install those two.

gachowski
Valued Contributor II

If you have a McAfee web account linked to your corp "Grant Letter" then the installers are available straight from their web site.

As of today we are not deploying the web filter either, it is obvious that it needs some improvements.

C

ndelgrande
New Contributor

I recommend staying as far away from McAfee products for macOS as possible. It got so bad on 10.9 most Macs were unusable. (Wouldn't boot, random pinwheels, freezing, etc.) Unless they changed its default behavior, its need to look at every read & write on the disk before they happen severely hurts performance and productivity of the user.

Key1
New Contributor III

@ndelgrande2 the latest clients are actually a lot better on 10.11, worth checking out again if you have time.

bvrooman
Valued Contributor

@ndelgrande2 I'll let you convince our InfoSec of that :)

beingageek
New Contributor

@jwojda we're currently looking to move to ENS 10.2.1 for Sierra. Were you able to grab a separate package for Threat prevention, firewall, and web control or are you controlling the installation through some other means to exclude firewall and web control from your installs?

Kaltsas
Contributor III

You can grab the 3 modules from the download site with a valid grant number. Just remember the Threat Prevention module needs to be installed before the Firewall or Web Protection Modules. You are actually grabbing the ePO files for checkin but you can unpack them and the module .pkgs are located inside.

You are correct that pushing through casper remote the install "hangs" because the firewall module drops the network. However the install does complete correctly, this also works fine via policy or during casper imaging.

We are not using the web protection module, it's only good for safari/chrome and is kind of heavy handed. We also have an edge proxy that performs much of the same functions for all http/https traffic.

We do lean heavily on the firewall.

jconte
Contributor II

According to our rep there is only one package now and it is to be controlled via script. Unfortunately, I am struggling with creating the package as well. If I get it figured out I will share here for all. I am struggling with the /tmp/ProductDeploy.xml

Here is what was provided, if anyone has insight it would be appreciated.

#!/bin/sh

if test $# -eq 1 
then
    if test "$1" == "help"
    then
        echo "Parameters can be"
        echo "TP: Threat Prevention"
        echo "FW: FireWall"
        echo "WC: Web Control"
        echo "help : To see this help"
        exit 0
    fi
    if test "$1" == "TP"
    then 
        echo "<array>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_5</string>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_6</string>" >> /tmp/ProductDeploy.xml
        echo "</array>" >> /tmp/ProductDeploy.xml
        echo "Only TP will be installed."
    elif test "$1" == "FW"
    then
        echo "<array>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_4</string>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_6</string>" >> /tmp/ProductDeploy.xml
        echo "</array>" >> /tmp/ProductDeploy.xml
        echo "Only FW will be installed."
    elif test "$1" == "WC"
    then
        echo "<array>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_4</string>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_5</string>" >> /tmp/ProductDeploy.xml
        echo "</array>" >> /tmp/ProductDeploy.xml
        echo "Only WC will be installed."
     else
        echo "Parameters can be"
        echo "TP: Threat Prevention"
        echo "FW: FireWall"
        echo "WC: Web Control"
        echo "help : To see this help"
        exit 1
     fi
elif test $# -eq 2
then
    if  [[ ( "$1" == "TP" &&  "$2" == "FW" ) || ( "$1" == "FW" && "$2" == "TP" ) ]]
    then
        echo "<array>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_6</string>" >> /tmp/ProductDeploy.xml
        echo "</array>" >> /tmp/ProductDeploy.xml
        echo "Only TP and FW  will be installed."

    elif [[ ( "$1" == "FW" &&  "$2" == "WC" ) || ( "$1" == "WC" && "$2" == "FW" ) ]]
    then
        echo "<array>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_4</string>" >> /tmp/ProductDeploy.xml
        echo "</array>" >> /tmp/ProductDeploy.xml
        echo "Only FW and WC  will be installed."

    elif [[ ( "$1" == "TP" &&  "$2" == "WC" ) || ( "$1" == "WC" &&  "$2" == "TP" ) ]]
    then
        echo "<array>" >> /tmp/ProductDeploy.xml
        echo "<string>installer_choice_5</string>" >> /tmp/ProductDeploy.xml
        echo "</array>" >> /tmp/ProductDeploy.xml
        echo "Only TP and WC will be installed."
    else
        echo "Parameters can be"
        echo "TP: Threat Prevention"
        echo "FW: FireWall"
        echo "WC: Web Control"
        echo "help : To see this help"
        exit 1
    fi
elif test $# -eq 3
then
    if  [[ ( "$1" == "TP" &&  "$2" == "FW" && "$3" == "WC" ) || ( "$1" == "FW" &&  "$2" == "TP" && "$3" == "WC" )  || ( "$1" == "TP" &&  "$2" == "WC" && "$3" == "FW" ) || ( "$1" == "FW" &&  "$2" == "WC" && "$3" == "TP" ) || ( "$1" == "WC" &&  "$2" == "TP" && "$3" == "FW" ) || ( "$1" == "WC" &&  "$2" == "FW" && "$3" == "TP" ) ]]
    then
        echo "<array>" >> /tmp/ProductDeploy.xml
        echo "</array>" >> /tmp/ProductDeploy.xml
        echo "All FM's will be installed."
    else
       echo "Parameters can be"
       echo "TP: Threat Prevention"
       echo "FW: FireWall"
       echo "WC: Web Control"
       echo "help : To see this help"
       exit 1
    fi
else
    echo "Invalid parameters:"
    echo "Parameters can be"
    echo "TP: Threat Prevention"
    echo "FW: FireWall"
    echo "WC: Web Control"
    exit 1
fi

hdiutil attach McAfee-*

installer -pkg /Volumes/McAfee-*/McAfee-*.pkg -target / -applyChoiceChangesXML /tmp/ProductDeploy.xml

hdiutil detach /Volumes/McAfee-*

rm /tmp/ProductDeploy.xml
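
The module selection in the script above can be written far more compactly; this is an added example, not McAfee's script or part of the original post. It assumes the choice IDs implied by that script (4 = Threat Prevention, 5 = Firewall, 6 = Web Control, listed when a module is left out), uses hypothetical function names, and writes the XML to a mktemp file instead of appending as root to the fixed name /tmp/ProductDeploy.xml.

```shell
#!/bin/sh
# Added example, not McAfee's script. Choice IDs are inferred from the script
# above (assumption): 4 = Threat Prevention, 5 = Firewall, 6 = Web Control.
# Like that script, the XML lists the choices for modules NOT being installed.

# Print the choice-changes array for the modules named in the arguments.
choice_changes() {
    tp=0 fw=0 wc=0
    [ "$#" -ge 1 ] || { echo "usage: TP|FW|WC ..." >&2; return 2; }
    for m in "$@"; do
        case "$m" in
            TP) tp=1 ;;
            FW) fw=1 ;;
            WC) wc=1 ;;
            *)  echo "unknown module: $m" >&2; return 2 ;;
        esac
    done
    echo "<array>"
    [ "$tp" -eq 1 ] || echo "<string>installer_choice_4</string>"
    [ "$fw" -eq 1 ] || echo "<string>installer_choice_5</string>"
    [ "$wc" -eq 1 ] || echo "<string>installer_choice_6</string>"
    echo "</array>"
}

# Write the XML to a new temp file and print its path. mktemp creates the file
# itself (mode 0600) under an unpredictable name, so a leftover file or a
# symlink planted at a fixed /tmp path is never appended to or followed.
write_choice_file() {
    xml=$(choice_changes "$@") || return 2
    f=$(mktemp "${TMPDIR:-/tmp}/ProductDeploy.XXXXXX") || return 1
    printf '%s\n' "$xml" > "$f"
    echo "$f"
}

# Usage on a Mac, with the installer image mounted as in the script above:
#   xml=$(write_choice_file TP FW) &&
#   installer -pkg /Volumes/McAfee-*/McAfee-*.pkg -target / -applyChoiceChangesXML "$xml"
#   rm -f "$xml"
```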

jconte
Contributor II
 

Kaltsas
Contributor III

Your rep is wrong. I am able to deploy 3 packages in this order via casper. No muddling with .xml files required.

Install McAfee Agent 5.0.4 (this is a package I make to deploy install.sh)
McAfee-Firewall-for-Mac-10.2.1-ePO-client-package-RTW-2632.pkg
McAfee-Threat-Prevention-for-Mac-10.2.1-ePO-client-package-RTW-2632.pkg

Feel free to poke me (macdude22) over on slack. If you have a valid grant number and access to the McAfee download site I can walk you through getting the correct files.

It is possible the method I am using is "unsupported" by mcafee but it's a good deal simpler than that script you were provided.

Thanks,

-alex-

gachowski
Valued Contributor II

@Kaltsas

McAfee professional services recommend installing individual .pkg like you are doing and/or you can also download the full installer .pkg that has all three apps too. (I picked the full installer but next time it will just be Firewall and Threat Prevention.)

I should also add that when the agent was updated last that fixed an issue and now you can push the three apps from the McAfee server (if you want).

C

jconte
Contributor II

Thank you both for the responses. I reached out to our ISO who controls the McAfee portal for us and they were able to download the standalone installers. I am going to try both and see if I get the same results.

https://kc.mcafee.com/corporate/index?page=content&id=KB84772

Thanks again. Jeff

jwojda
Valued Contributor II

how does one handle the mcafee upgrades? I didn't see any EA's that report on threat prevention/firewall/etc to do a smart group off of, though I have one for the Agent.

dpertschi
Valued Contributor

#!/bin/sh
# Jamf extension attribute: report the installed McAfee Endpoint Security version.
# The app path contains spaces, so it must be quoted everywhere it is used.
APP="/Applications/McAfee Endpoint Security for Mac.app"
if [ -d "$APP" ] ; then
    EPS=`/usr/bin/defaults read "$APP/Contents/Info" CFBundleShortVersionString`
    echo "<result>$EPS</result>"
else
    echo "<result>Not Installed</result>"
fi

Not sure if the individual components can be mixed and or reported on separately. I'd think not though.

jwojda
Valued Contributor II

@dpertschi thanks! worked beautifully.

rl2k05
New Contributor

I have also tried to add the McAfee package to a build in a thin image process. Never works. You have to install the Agent first, then you can group the rest together...works fine for me after the agent install.

ocla__09
Contributor

@Kaltsas I am attempting to troubleshoot an issue with a client that is automatically toggling threat prevention on and off apparently, and thus is showing the "Your Mac is at risk" warning to the user.

I am trying to uninstall McAfee Endpoint Security Software 10.2.1 as a troubleshooting step but am running into issues even if I try to uninstall as root. Do you have any insight as to what the issue may be, or have you seen this before?

root# /usr/local/McAfee/uninstall EPM
Uninstallation Failed..

root# /usr/local/McAfee/uninstall ThreatPrevention
Uninstallation Failed...

Thanks

AVmcclint
Honored Contributor

You may need to upgrade the agent to 5.0.4.449 and let it sync up with your ePO server. Then see if it will let you uninstall, or that may even fix the initial problem you're troubleshooting.

Key1
New Contributor III

Could be lazy and let ePO handle the installs, then just run the install.sh provided by McAfee to register the clients.

rl2k05
New Contributor

We have seen this issue and it's the order you install the packages. We have it set up like this to install:

Agent First, then:

There is an order to install or it will fail.

tusharpsharma
New Contributor

@Kaltsas

Installation of McAfee Agent 5.0.4 (this is a package I make to deploy install.sh) was a success

But

McAfee-Firewall-for-Mac-10.2.1-ePO-client-package-RTW-2632.pkg
McAfee-Threat-Prevention-for-Mac-10.2.1-ePO-client-package-RTW-2632.pkg
McAfee-Management of Native Encryption FileVault 4.1.0.361 (MNE.pkg)

failed for JSS, so I tried to install them manually and now I cannot uninstall them using the commands

To uninstall MNE: sudo /usr/local/McAfee/uninstall MNE
To uninstall Threat Prevention: sudo /usr/local/McAfee/uninstall ThreatPrevention
To uninstall Firewall: sudo /usr/local/McAfee/uninstall Firewall

Only McAfee Agent was uninstalled: /Library/McAfee/agent/scripts/uninstall.sh

How do I uninstall them first? Then in which order should I install them? During installation, does the network get blocked or do network settings change?

frankwickham
New Contributor

I am having a similar issue installing McAfee-Threat-Prevention-for-Mac-10.2.2-RTW-standalone-3003.dmg, it locks up about midway through. Has anyone found a solution to fix this?
Thx

gachowski
Valued Contributor II

We are installing it without any issues, so it should work.

Sorry I can't help!!

C

mm2270
Legendary Contributor III

I'm installing McAfee 10.2.2 using a similar approach to @Kaltsas's from his post above.
I install the ePo Agent 5.0.5 (from a custom installer using their crappy install.sh script) and then the Threat Protection package. Thankfully we aren't being forced to use Firewall or other components. McAfee with Threat Protection is intrusive enough thank you very much.

However, I've found that using this process in an imaging workflow simply isn't working well for me. It installs the agent successfully, and says it has installed the Threat Protection product, but upon reboot, it's not running. I have to then install it again. I had to come up with a silly process of caching the installers to a location on the drive, then calling them to install with a LaunchDaemon that waits to run until someone is logged in. That's really the only way I've been able to get it to work, which is annoying. I seriously hate McAfee's product and their dumb installers. So much time and energy wasted in getting something installed that just drags the performance of the machines down. It should not be so complicated, and yet every release, McAfee manages to mangle this into something you need to jump through hoops to use.

Not applicable

Hi All,

I have installed McAfee Agent and ENS successfully in our environment, and as per the above comments I find you guys are facing issues installing McAfee ENS. So here is what I did to resolve the issue.

Step1 --> Added the package to install ENS
Note: This will install all three modules: TP, WC and FW

Step2 --> Add a script to run after the installation for removing the unwanted ENS Module
For Removing Firewall Module, Add this command in script --> sudo /usr/local/McAfee/uninstall Firewall
For Removing WebControl Module, Add this command in script --> sudo /usr/local/McAfee/uninstall WebControl

This works 100%, Please test and let me know if you face any challenges.

Regards,
Sam