Frequently asked questions

Here are answers to some of the most frequently asked questions relating to the security implications of running McAfee MOVE AntiVirus and using its deployment modes.

How can I convert the SVM Manager format to Microsoft Hyper-V format?

To deploy the SVM Manager to Microsoft Hyper-V, convert the .vmdk file to .vhd or .vhdx format, then attach the converted file as a hard disk when you create a new virtual machine.

  1. Download and install Microsoft Virtual Machine Converter 3.0 (MVMC 3.0).
    Note: The SVM Manager can only be converted using the Microsoft Virtual Machine Converter 3.0 command-line Windows PowerShell scripts.
  2. Click Start → All Programs → Accessories, right-click Windows PowerShell, then click Run as administrator.
  3. In the PowerShell console, run this command: Import-Module "C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1"
  4. For .vhdx format image, run this command: ConvertTo-VirtualHardDisk -SourceLiteralPath "C:\VMDKs\SVM_Manager_3.x-disk1.vmdk"
  5. For .vhd format image, run this command: ConvertTo-VirtualHardDisk -SourceLiteralPath "C:\VMDKs\SVM_Manager_3.x-disk1.vmdk" -DestinationLiteralPath "C:\VHDs" -VhdType FixedHardDisk -VhdFormat Vhd
  6. After you convert the file format to .vhd or .vhdx, mount the disk image to the Microsoft Server 2012 R2 Hyper-V system:
    1. On the Server 2012 R2 Hyper-V Manager, click New → Virtual Machine, then click Next.

      Specify these VM details in the wizard, then click Next.

      Option             Definition
      VM Name            Specify the VM name of the instance.
      Memory Size        Set the memory size of the VM.
      Network Interface  Specify the details about the network interface associated with the instance.
    2. Select Use an existing virtual hard disk, specify the path to the .vhdx or .vhd file, then click Next.
    3. Click Finish, then turn on the SVM Manager.

The McAfee MOVE AntiVirus detection pop-up message does not appear on the Windows desktop. How do I fix this?

Method 1:

Enable the McAfee Agent policy option, Show the McAfee system tray icon (Windows only), to display the McAfee MOVE AntiVirus detection pop-up message on the Windows desktop.

  1. Log on to McAfee ePO as an administrator.
  2. Select Menu → Policy → Policy Catalog.
  3. From the Product drop-down list, select McAfee Agent.
  4. From the Category drop-down list, select General.
  5. Click New Policy.
  6. On the New Policy page, configure the policy settings, then click OK.
  7. Open the newly created policy.
  8. Enable Show the McAfee system tray icon (Windows only) from General Options on the General tab.
  9. Click Save, then apply the policy to the clients.

Method 2 (Multi-Platform only):

If you need the Multi-Platform Threat Event pop-up alerts in a Remote Desktop Protocol (RDP) session, run UPDATERUI.EXE manually.

Perform these steps inside your remote session.

  1. Click Start → Run.
  2. Run this command: "C:\Program Files\McAfee\Common Framework\CmdAgent.exe" /s
    Note: The McAfee Agent icon now appears in the toolbar, and the on-access scan Statistics can be viewed in the remote session.

How can I create an on-demand scan task for a vSphere VM with Agentless?

  1. Check in the McAfee MOVE AntiVirus Meta Package extension to McAfee ePO and create a Registered Cloud Account for vSphere.
  2. Click System Tree. You see the vSphere group that was previously added and all client computers under that vSphere group entry.
  3. Select an unmanaged computer where you want to trigger the on-demand scan:
    1. Click Actions → Agent → Modify Policies on a Single System.
    2. From the Product drop-down list, select MOVE AntiVirus 4.8.0.
    3. From the Category drop-down list, select On Demand Scan.
    4. Click New Policy.
    5. On the New Policy page, configure the policy settings, then click OK.
    6. Open the newly created policy, select Enable on-demand scan, then click Save.
  4. Select the SVM that is managing that client VM and issue a wake-up agent call.

    The on-demand scan starts at the next available slot.

The Policy Collector task collects the unmanaged system policies and adds them to the SVM policy for the next policy enforcement.

What can I do if I see the warning message "Failed to get process info of (system)", which is recorded in the Multi-Platform client mvagent.log?

This is expected behavior. This informational message can be ignored.

In some environments, you might see these warning messages in the mvagent.log, which is the scan log generated by the McAfee MOVE AntiVirus (Multi-Platform) client on protected systems:

  • WARNING: utl_rt.c: 109: Process info is NULL for proc handle 0x4
  • WARNING: fsh_winnt.c: 216: Failed to get for process info of (System)

Note: The message does not upload as an event to McAfee ePO.

How can I manually check the DAT version installed on the McAfee MOVE AntiVirus SVM in an Agentless environment?

Check which DAT version is installed on the McAfee MOVE AntiVirus SVM using the Linux command line interface (CLI).

Method 1:

  1. Log on to the McAfee MOVE AntiVirus SVM.
  2. At the command prompt, run this command: sudo
  3. When prompted, provide valid credentials.
  4. Run this command to display the SVM details: /opt/isec/ens/threatprevention/bin/isecav --version

    For example:

    McAfee® Endpoint Security for Linux Threat Prevention Version: 10.2.0.717
    HF Version: 1177340
    License: Full
    DAT Version: 8479.0
    Engine Version: 5900.7806

Method 2:

  1. Log on to the McAfee MOVE AntiVirus SVM.
  2. At the command prompt, run this command: sudo /opt/McAfee/move/bin/sva-config -v
  3. When prompted, provide valid credentials.
    Note: The required details appear in the command window.
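
A version check built on the Method 1 output, as an added example (not McAfee's code): it extracts the DAT Version field and compares it with a minimum you choose. The function names, the sample text and the threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not McAfee code. Function names are hypothetical.

# Constructed sample, modelled on the isecav --version output shown above.
sample_isecav_output() {
    cat <<'EOF'
McAfee Endpoint Security for Linux Threat Prevention Version: 10.2.0.717
HF Version: 1177340
License: Full
DAT Version: 8479.0
Engine Version: 5900.7806
EOF
}

# Print the value of the field named $1 from "Name: value" lines on stdin.
# Spaces around the colon are tolerated.
isecav_field() {
    awk -F' *: *' -v key="$1" '$1 == key { print $2; exit }'
}

# dat_at_least MIN: read isecav --version output on stdin.
# Returns 0 if the DAT major version is >= MIN, 1 if it is older,
# 2 if the DAT Version field is missing or not numeric.
dat_at_least() {
    dat=$(isecav_field "DAT Version")
    major=${dat%%.*}
    case "$major" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$major" -ge "$1" ]
}

# Demonstration on the constructed sample; 8479 is an arbitrary threshold.
if sample_isecav_output | dat_at_least 8479; then
    echo "DAT is at or above the required version"
else
    echo "DAT is out of date or could not be read"
fi
```

On the SVM, pipe the real command into the check instead of the sample: /opt/isec/ens/threatprevention/bin/isecav --version | dat_at_least <minimum>.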

Why is the DNS suffix missing on the SVM after successful deployment using a Static IP Pool configured with a DNS suffix?

If you are using a Static IP Pool address, make sure that the NSX Manager has the ePO IP or FQDN details.

  1. Log on to vCenter as an administrator.
  2. Click Networking and security → Service definition.
  3. Double-click McAfee MOVE AV.
  4. On the Manage tab, click Deployment.
    Note: Under OVF URL, make sure that the ePO IP or FQDN has been provided and not just the McAfee ePO server host name.

What do I do if an upgrade to McAfee MOVE AntiVirus (Agentless) 4.8.0 fails?

Perform these steps to successfully upgrade from McAfee MOVE AntiVirus (Agentless) 4.7.0 to McAfee MOVE AntiVirus 4.8.0.

  1. Install the McAfee MOVE AntiVirus 4.8.0 Meta Package extension on the McAfee ePO server.
  2. Check in the SVM 4.8.0.
  3. Upgrade the McAfee MOVE AntiVirus Service.

How can I fix any filesystem error that appears after deploying Agentless?

  1. Download a new copy of the Agentless OVF template from the product download site: http://www.mcafee.com/us/downloads/.
  2. Deploy the Agentless OVF template. For details, see Agentless installation and configuration in the McAfee MOVE AntiVirus 4.8.0 Installation Guide.

What do I do if Agentless SVM shows as unmanaged when registering with the McAfee ePO server?

Make sure that the copy of the Agentless OVF package is from a known good source, preferably the McAfee download site, then do a fresh deployment.

Perform these steps only if the SVM shows as Unmanaged in the McAfee ePO System Tree.

  1. Delete the system from McAfee ePO.

    When prompted, do not choose to remove the McAfee Agent.

  2. For the existing SVM, from the local command line interface, run the registration script with this command: sudo /opt/McAfee/move/bin/svm-config
  3. When prompted, click Yes to unregister with the vShield Manager.
  4. Complete the procedure to unregister the product.
  5. Turn off the SVM and delete it from the disk.
  6. Continue with the new deployment.

Agentless configuration fails and displays failed status on the McAfee ePO for the vCenter account. How do I fix this?

There are two causes for the status to show Configuration Failed:

  • If the vShield Manager is not registered with vCenter under Registered Cloud Accounts, then the vCenter appears as Not Configured on the McAfee ePO console under McAfee MOVE AntiVirus (Agentless).
  • If the vShield Manager was first successfully registered with vCenter, but later removed from the Registered Cloud Accounts, it might not synchronize the vCenter account successfully, resulting in Not Configured being displayed on the McAfee ePO console under McAfee MOVE AntiVirus (Agentless).

Register or re-register the vCenter account under Registered Cloud Accounts.

  1. Log on to McAfee ePO as an administrator.
  2. Select Menu → Configuration → Registered Cloud Accounts to open the Registered Cloud Account page.
  3. Select the vCenter Account and click Delete.
  4. Restart the ePolicy Orchestrator Event Parser Service.
  5. Select Menu → Registered Cloud Accounts, and confirm that the specific vCenter account is now deleted.
  6. On the Registered Cloud Account page, click Actions, then select Add Cloud Account.
  7. Type the vCenter Account Details on the Registered Cloud Accounts page, then click Test Connection.
  8. If Test Connection is successful, click Next, then accept the certificate.
  9. Click Finish, then click OK.
  10. Check the configuration status of the vCenter Account. It now shows as Configured.

The McAfee ePO server now creates a task that synchronizes the vCenter according to the above configuration.

How do I keep Windows Defender disabled on a Windows 10 system after installing Multi-Platform?

  1. Log on to the system as an administrator.
  2. Click Start → Run.
  3. Run these commands one after the other:
    • sc stop mvagtsvc
    • sc start mvagtsvc
  4. Close the command prompt window.

How do I avoid loss of network connectivity on virtual machines that use VMXNet3 NICs when deploying Agentless through McAfee ePO?

Method 1:

Make sure that the version of VMware Tools installed on the virtual machine is the exact same build as the VMware Tools version supplied by the host. When the script is invoked and the builds match, only the needed Guest Introspect (vShield components) are installed.

Method 2:

Make sure that the virtual machines also have their e1000 NICs installed, to maintain network functionality when the script is invoked remotely.

How do I delete the IP pool when an IP address is already in use?

Run this SQL query to remove the IP Pool details from the McAfee ePO database:

DELETE FROM [DC_AL_CONFIG_IPPOOL] WHERE IPPOOL_NAME='<POOL_NAME>'

What do I do when the error "Critical error. Downloading ePO init files failed" appears when deploying SVM through McAfee ePO using an IP Pool?

When you deploy the SVM through McAfee ePO using an IP Pool on the VMware ESX host, you might see these errors in the SVM console session:

  • ERROR [MOVEAL:pool-1-thread-1] svm.SvmEpoRegistrationTaskImpl - ePO Registration failed for SVM with vm name and for the Hypervisor: HyperVisor_Name
  • ERROR [MOVEAL:pool-1-thread-1] svm.SvmEpoRegistrationTaskImpl - Reason being: Critical error. Downloading ePO init files failed.

When you see these errors, make sure that the prefix length is correct for the IP Pool according to the characteristics of the destination network.
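
One way to sanity-check a pool before deployment, as an added example (not McAfee's code): under the chosen prefix length, the gateway and both ends of the pool range must fall in the same network. The function names and addresses are assumptions, as is the idea that the pool is described by a prefix length, a gateway and a first and last address.

```shell
#!/bin/sh
# Added example, not McAfee code. Names and addresses are constructed.

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -f; set -- $1; set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        # Reject empty, non-numeric, leading-zero and over-long octets.
        case "$o" in ''|*[!0-9]*|0?*|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (($1 * 256 + $2) * 256 + $3) * 256 + $4 ))
}

# Print the network address (as an integer) of address $1 under prefix $2.
# Prefixes above /30 are rejected because they leave no usable host range.
network_of() {
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 30 ] || return 1
    addr=$(ip_to_int "$1") || return 1
    echo $(( addr & ((0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF) ))
}

# check_pool PREFIX GATEWAY FIRST LAST
# Returns 0 if gateway and range share one network under PREFIX and the range
# avoids the network and broadcast addresses, 1 if not, 2 on malformed input.
check_pool() {
    net=$(network_of "$2" "$1") || return 2
    first_net=$(network_of "$3" "$1") || return 2
    last_net=$(network_of "$4" "$1") || return 2
    [ "$first_net" -eq "$net" ] && [ "$last_net" -eq "$net" ] || return 1
    first=$(ip_to_int "$3"); last=$(ip_to_int "$4")
    bcast=$(( net + (1 << (32 - $1)) - 1 ))
    [ "$first" -le "$last" ] && [ "$first" -gt "$net" ] && [ "$last" -lt "$bcast" ]
}

# Demonstration: the same pool is consistent under /24 but not under /28.
for prefix in 24 28; do
    if check_pool "$prefix" 10.20.30.1 10.20.30.50 10.20.30.60; then
        echo "/$prefix: gateway and pool range share one network"
    else
        echo "/$prefix: gateway or pool range falls outside the network"
    fi
done
```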

What is the error return code description for McAfee MOVE AntiVirus (Agentless) SVM registration with the vShield Manager?

When McAfee MOVE AntiVirus (Agentless) SVM registration fails, vShield Manager provides a Return Code error.

Return Code  Definition
200          OK: Operation successful.
201          Created: Entity successfully altered.
400          Bad Request: Internal error codes. See the Error Schema for more details.
401          Unauthorized: Incorrect user name or password.
600          Unrecognized vendor ID.
601          Vendor is already registered.
602          Unrecognized altitude.
603          Solution is already registered.
604          Invalid IPv4 address.
605          Invalid port.
606          Port out of range.
607          Unrecognized moid (Managed Object Reference ID).
608          Location information is already set.
609          Location not set.
610          Insufficient rights.
612          Solutions still registered.
613          Solution location information still set.
614          Solution still activated.
615          Solution not activated.
616          Solution is already activated.
617          IP: Port already in use.
618          Bad solution ID.
619          vShield Endpoint is not licensed.
620          Internal error.

I am using McAfee MOVE AntiVirus (Agentless) in an NSX environment. Where do I find the host name of the system where the infection occurred, instead of the IP address of the McAfee MOVE AntiVirus SVM?

The Threat Event Log displays the host name of the system where the infection occurred.

Note: Make sure that you configured SVM Configuration details and tested connection settings in the SVM Settings policy on the McAfee ePO server.

  1. Log on to McAfee ePO as an administrator.
  2. Select Menu → Reporting → Threat Event Log.

I am using McAfee MOVE AntiVirus (Agentless) in an NSX environment. For some reason, McAfee MOVE AntiVirus SVM is doing nothing. How do I redeploy the McAfee MOVE AntiVirus SVM?

  1. Turn off the McAfee MOVE AntiVirus SVM.
  2. Delete the McAfee MOVE AntiVirus SVM.

    The NSX Manager now redeploys the McAfee MOVE AntiVirus SVM.

What do I do when the error "Internal error on the server" appears when trying to delete a Registered Cloud Account?

This error occurs if you select Delete Tags, and one or more systems that do not belong to that cloud account erroneously have the same tag assigned.

Method 1:

  1. From the Delete Account dialog box, deselect Delete Tags, and then click OK to delete the registered cloud account.

Method 2:

  1. Identify one or more systems that do not belong to the registered cloud account but have the same tag assigned.
  2. Remove the tag from the systems you identified.
  3. Delete the registered cloud account.

I exported the SVM Settings policy from one McAfee ePO (source) to another McAfee ePO (destination). The imported policy still has the old McAfee ePO (source) credentials. How do I fix this?

To update the McAfee ePO password in the imported SVM Settings policy, you must configure the McAfee ePO server details again.

  1. Log on to McAfee ePO (destination) as an administrator.
  2. Select Menu → Automation → MOVE AntiVirus Deployment.
  3. On the Configuration tab, click General, then enter and confirm the McAfee ePO password.