Frequently asked questions

Here are answers to some of the most frequently asked questions relating to the security implications of running McAfee MOVE AntiVirus and using its deployment modes.

How can I convert the SVM Manager format to Microsoft Hyper-V format?

To deploy the SVM Manager to Microsoft Hyper-V, you must convert the .vmdk file to a .vhd file and attach the converted file as a hard disk when creating a new virtual machine.

  1. Download and install Microsoft Virtual Machine Converter 3.0 (MVMC 3.0).
    Note: The SVM Manager can only be converted using the Microsoft Virtual Machine Converter 3.0 command line Windows PowerShell scripts.
  2. Click Start | All Programs | Accessories, right-click Windows PowerShell, then click Run as administrator.
  3. In the PowerShell console, run this command: Import-Module "C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1"
  4. For a .vhdx format image, run this command: ConvertTo-VirtualHardDisk -SourceLiteralPath "C:\VMDKs\SVM_Manager_3.x-disk1.vmdk"
  5. For a .vhd format image, run this command: ConvertTo-VirtualHardDisk -SourceLiteralPath "C:\VMDKs\SVM_Manager_3.x-disk1.vmdk" -DestinationLiteralPath "C:\VHDs" -VhdType FixedHardDisk -VhdFormat Vhd
  6. After you have converted the file format to .vhd or .vhdx, mount the disk image to the Microsoft Server 2012 R2 Hyper-V system:
    1. On the Server 2012 R2 Hyper-V Manager, click New | Virtual Machine, then click Next.

      Specify these VM details one by one on the wizard, then click Next.

      Option              Definition
      VM Name             Specify the VM name of the instance.
      Memory Size         Set the memory size of the VM.
      Network Interface   Specify the details about the network interface associated with the instance.
    2. Select Use an existing virtual hard disk, specify the path to the .vhdx or .vhd file, then click Next.
    3. Click Finish, then turn on the SVM Manager.

The McAfee MOVE AntiVirus detection pop-up message does not appear on the Windows desktop. How do I fix this?

Method 1

You need to enable the McAfee Agent policy option Show the McAfee system tray icon (Windows only) to display the McAfee MOVE AntiVirus detection pop-up message on the Windows desktop.

  1. Log on to McAfee ePO as an administrator.
  2. Select Menu | Policy | Policy Catalog.
  3. From the Product drop-down list, select McAfee Agent.
  4. From the Category drop-down list, select General.
  5. Click New Policy.
  6. On the New Policy page, configure the policy settings, then click OK.
  7. Open the newly created policy.
  8. Enable Show the McAfee system tray icon (Windows only) from General Options under the General tab.
  9. Click Save to save the changes, then apply the policy to the clients.

Method 2 (Multi-Platform only)

If you require the Multi-Platform Threat Event pop-up alerts through the Remote Desktop Protocol (RDP) session, you can run UPDATERUI.EXE manually.

Perform these steps inside your remote session.

  1. Click Start | Run.
  2. Run this command: "C:\Program Files\McAfee\Common Framework\CmdAgent.exe" /s
    Note: The McAfee Agent icon now appears in the toolbar, and the OAS Statistics can be viewed in the remote session.

How can I create an on-demand scan task for a Cloud Workload Discovery VM with Agentless?

Perform these steps to create an on-demand scan task for the Cloud Workload Discovery VM with Agentless systems.

  1. Check in the Cloud Workload Discovery extension to McAfee ePO and create a Registered Cloud Account for vSphere.
  2. Click System Tree. You see the vSphere group that was previously added and all the client computers under that vSphere group entry.
  3. Select an unmanaged computer where you want to trigger the on-demand scan:
    1. Click Actions | Agent | Modify Policies on a Single System.
    2. From the Product drop-down list, select MOVE AntiVirus 4.5.0.
    3. From the Category drop-down list, select On Demand Scan.
    4. Click New Policy.
    5. On the New Policy page, configure the policy settings, then click OK.
    6. Open the newly created policy, select Enable on-demand scan, then click Save.
  4. Select the SVM that is managing that client VM and do an agent wake-up call.

    The on-demand scan starts at the next available slot.

The Policy Collector task collects the unmanaged system policies and adds them to the SVM policy for the next policy enforcement.

What can I do if I see the warning message "Failed to get process info of (system)", which is recorded in the Multi-Platform client mvagent.log?

This is expected behavior. The message is informational and can be ignored.

In some environments, you might see these warning messages in mvagent.log, which is the scan log generated by the McAfee MOVE AntiVirus (Multi-Platform) client on protected systems:

  • WARNING: utl_rt.c : 109: Process info is NULL for proc handle 0x4
  • WARNING: fsh_winnt.c : 216: Failed to get for process info of (System)

Note: The message does not upload as an event to McAfee ePO.

How can I manually check the DAT version installed on the McAfee MOVE AntiVirus SVM in an Agentless environment?

You can check what DAT version is installed on the McAfee MOVE AntiVirus SVM using the Linux Command Line Interface (CLI).

Method 1

  1. Log on to the McAfee MOVE AntiVirus SVM.
  2. At the command prompt, run this command: sudo
  3. When prompted, provide the valid credentials.
  4. Run this command to change the directory: cd /opt/McAfee/move/bin
  5. Run this command to display the SVM details: ./svm-config -v

    For example:

    McAfee MOVE AntiVirus Agentless 4.5.0.317
    McAfeeVSEForLinux 2.0.3.29216-29216-x86_64
    Virus definition files 8212.0000
    Virus scanning engine 5800.7501
    Virus scanning engine API 5800.7501
    Apache 1.3.42 (Unix)
    OpenSSL 1.0.1t 3 May 2016
    sqlite 2.8.17

Method 2

  1. Log on to the McAfee MOVE AntiVirus SVM.
  2. At the command prompt, run this command: sudo /opt/McAfee/move/bin/svm-config -v
  3. When prompted, provide the valid credentials.
    Note: The required details appear in the command window.
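As an added example that is not part of the McAfee documentation, this POSIX shell helper parses the output of svm-config -v (shown above) and checks the DAT version against a minimum, so the check can be scripted across many SVMs instead of read by eye. The sample output is the FAQ's own example embedded as constructed input; the minimum DAT number 8200 is an assumed value.

```shell
#!/bin/sh
# Added example (not McAfee code): extract the DAT version from
# "svm-config -v" output and compare it against a required minimum.

# Print the integer part of the DAT version found in svm-config -v output
# on stdin (e.g. 8212 from "Virus definition files 8212.0000").
# Prints nothing if the line is absent.
dat_version() {
    awk '/Virus definition files/ { split($4, v, "."); print v[1]; exit }'
}

# Read svm-config -v output on stdin and compare the DAT version with $1.
# Returns 0 if current, 1 if older than the minimum, 2 if no version line.
dat_is_current() {
    min="$1"
    ver=$(dat_version)
    if [ -z "$ver" ]; then
        return 2
    elif [ "$ver" -ge "$min" ]; then
        return 0
    else
        return 1
    fi
}

# Constructed sample: the example output given in the FAQ above.
SAMPLE_OUTPUT='McAfee MOVE AntiVirus Agentless 4.5.0.317
McAfeeVSEForLinux 2.0.3.29216-29216-x86_64
Virus definition files 8212.0000
Virus scanning engine 5800.7501
Virus scanning engine API 5800.7501
Apache 1.3.42 (Unix)
OpenSSL 1.0.1t 3 May 2016
sqlite 2.8.17'

# On a live SVM the same check would be (sudo as in the FAQ):
#   sudo /opt/McAfee/move/bin/svm-config -v | dat_is_current 8200
status=0
printf '%s\n' "$SAMPLE_OUTPUT" | dat_is_current 8200 || status=$?
case "$status" in
    0) echo "DAT is current" ;;
    1) echo "DAT is older than the required minimum" ;;
    *) echo "DAT version line not found in output" ;;
esac
```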

Why is the DNS suffix missing on the SVM after a successful deployment using a Static IP Pool configured with a DNS suffix?

If you are using a Static IP Pool address, make sure that the NSX Manager has the ePO IP or FQDN details.

  1. Log on to vCenter as an administrator.
  2. Click Networking and Security | Service Definition.
  3. Double-click McAfee MOVE AV.
  4. On the Manage tab, click Deployment.
    Note: Under OVF URL, make sure that the ePO IP or FQDN has been provided and not just the McAfee ePO server hostname.

An error occurred while communicating with NSX after trying to upgrade to McAfee MOVE AntiVirus. How do I fix this?

Edit the McAfee ePO server table entries in the SQL database and run the Data Migration task before trying to upgrade to McAfee MOVE AntiVirus.

  1. Open the SQL database and delete the row from the DC_AL_NSX_MANAGER_DETAILS table corresponding to the vCenter account.
  2. Select Menu | Automation | MOVE AntiVirus Deployment | Configuration | Server Settings.
  3. Click Run next to Run NSX Data Migration.
  4. Navigate to the MOVE AntiVirus Deployment page and complete the upgrade process.

What do I do if an upgrade attempt to McAfee MOVE AntiVirus 4.5.0 fails?

Perform these steps to successfully upgrade from McAfee MOVE AntiVirus (Agentless) 4.0.0 to McAfee MOVE AntiVirus 4.5.0.

  1. Install the McAfee MOVE AntiVirus 4.5.0 extension on the McAfee ePO server.
  2. Check in the SVM 4.5.0.
  3. Use the Migration Assistant utility and run the data migration. For information, see McAfee MOVE AntiVirus Migration Guide.
  4. Upgrade the McAfee MOVE AntiVirus Service.

How can I fix any filesystem error that appears after deploying Agentless?

Download a new copy of the Agentless OVF template from the product download site: http://www.mcafee.com/us/downloads/downloads.aspx.

What do I do if Agentless SVM shows as unmanaged when registering with the McAfee ePO server?

Make sure that the copy of the Agentless OVF package is from a known good source, preferably the Intel Security download site, then do a fresh deployment.

Perform these steps only if the SVM shows as Unmanaged in McAfee ePO System Tree:

  1. Delete the system.

    When prompted, do not choose to remove the McAfee Agent.

  2. For the existing SVM, from the local command line interface, run the registration script with this command: sudo /opt/McAfee/move/bin/svm-config
  3. When prompted, click Yes to unregister with the vShield Manager.
  4. Complete the procedure to unregister the product.
  5. Turn off the SVM and delete it from the disk.
  6. Proceed with the new deployment.

Agentless configuration fails and displays failed status on the McAfee ePO for the vCenter account. How do I fix this?

There are two causes for the status to show Configuration Failed:

  • If the vShield Manager is not registered with vCenter under the Registered Cloud Accounts, then the vCenter will appear as Not Configured on the McAfee ePO console under McAfee MOVE AntiVirus (Agentless).
  • If the vShield Manager was first successfully registered with vCenter, but later removed from the Registered Cloud Accounts, it may not synchronize the vCenter account successfully, resulting in Not Configured being displayed on the McAfee ePO console under McAfee MOVE AntiVirus (Agentless).

Register or reregister the vCenter account under the Registered Cloud Accounts.

  1. Log on to McAfee ePO as an administrator.
  2. Select Menu | Configuration | Registered Cloud Accounts to open the Registered Cloud Account page.
  3. Select the vCenter Account and click Delete.
  4. Restart the ePO Event Parser Service.
  5. Select Menu | Registered Cloud Accounts, and confirm that the specific vCenter account is now deleted.
  6. On the Registered Cloud Account page, click Actions, then select Add Cloud Account.
  7. Type the vCenter Account Details on the Registered Cloud Accounts page, then click Test Connection.
  8. If Test Connection is successful, click Next, then accept the certificate.
  9. Click Finish, then click OK.
  10. Check the configuration status of the vCenter Account; it now shows as Configured.

The McAfee ePO server will now create a task that will synchronize the vCenter according to the above configuration.

How do I keep Windows Defender disabled after installing Multi-Platform?

Method 1

Perform these steps to disable and re-enable the MOVE driver.

  1. Log on to the system as an administrator.
  2. Click Start | Run.
  3. Run these commands one by one:
    • mvadm disable
    • mvadm enable
  4. Close the command prompt window.

Method 2

Perform these steps to restart the Multi-Platform client service.

  1. Log on to the system as an administrator.
  2. Click Start | Run.
  3. Run these commands one by one:
    • sc stop mvagtdrv
    • sc start mvagtdrv
  4. Close the command prompt window.

What do I do if there is a loss of network connectivity on virtual machines that use VMXNet3 NICs when deploying Agentless through McAfee ePO?

Method 1

Make sure that the version of VMware Tools installed on the virtual machine is the exact same build as the VMware Tools version supplied by the host. When the script is invoked and the builds match, only the needed Guest Introspection (vShield) components are installed.

Method 2

Make sure that the virtual machines also have their e1000 NICs installed, to maintain network functionality when the script is invoked remotely.

How do I delete the IP pool when an IP address is already in use?

Run this SQL query to remove the IP Pool details from the McAfee ePO database:

DELETE FROM [DC_AL_CONFIG_IPPOOL] WHERE IPPOOL_NAME='<POOL_NAME>'

What do I do when the error "Critical error. Downloading ePO init files failed" appears when deploying the SVM through McAfee ePO using an IP Pool?

When you deploy the SVM through McAfee ePO using an IP Pool on the VMware ESX host, you may see these errors in the SVM console session:

  • ERROR [MOVEAL:pool-1-thread-1] svm.SvmEpoRegistrationTaskImpl - ePO Registration failed for SVM with vm name: and for the Hypervisor: HyperVisor_Name
  • ERROR [MOVEAL:pool-1-thread-1] svm.SvmEpoRegistrationTaskImpl - Reason being: Critical error. Downloading ePO init files failed.

When you see these errors, make sure that the prefix length of the IP Pool is correct for the characteristics of the destination network.

What is the error return code description for McAfee MOVE AntiVirus (Agentless) SVM registration with the vShield Manager?

When McAfee MOVE AntiVirus (Agentless) SVM registration fails, vShield Manager provides a Return Code error.

Return Code   Definition
200           OK: operation successful.
201           Created: Entity successfully altered.
400           Bad Request: Internal error codes. Refer to the Error Schema for more details.
401           Unauthorized: Incorrect user name or password.
600           Unrecognized vendor ID.
601           Vendor is already registered.
602           Unrecognized altitude.
603           Solution is already registered.
604           Invalid IPv4 address.
605           Invalid port.
606           Port out of range.
607           Unrecognized moid.
608           Location information is already set.
609           Location not set.
610           Insufficient rights.
612           Solutions still registered.
613           Solution location information still set.
614           Solution still activated.
615           Solution not activated.
616           Solution is already activated.
617           IP:Port already in use.
618           Bad solution ID.
619           vShield Endpoint is not licensed.
620           Internal error.

I am using McAfee MOVE AntiVirus (Agentless) in an NSX environment. Where do I find the original hostname of the system where the infection occurred, instead of the IP of the McAfee MOVE AntiVirus SVM?

The Threat Event Log displays the hostname of the system where the infection occurred.

Note: Make sure that you configured SVM Configuration details and tested connection settings under SVM Settings policy on the McAfee ePO server.

  1. Log on to McAfee ePO as an administrator.
  2. Select Menu | Reporting | Threat Event Log.