App Control: Console logins timing and disconnected agents due to McAfee interop issue
Article ID: 290809
Updated On:
Products
Carbon Black App Control (formerly Cb Protection)
Issue/Introduction
- Both McAfee Endpoint Security and the App Control agents are installed on the server system
- Console logins are timing out with error message "Something Went Wrong"
- App Control Server Tamper Protection Rapid Config has been enabled
- AD logins and/or AD Policy mappings are enabled
- All or multiple agents show disconnected in the console
- PHP_Errors:
PHP Fatal error: Maximum execution time of 240 seconds exceeded in C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\SOAPUtil.php on line 71 User "admin" requested URL "/login.php" and encountered error "Maximum execution time of 240 seconds exceeded" in C:\Program Files (x86)\Bit9\Parity Console\WebUI\include\SOAPUtil.php on line 71
Environment
- App Control Server: All Supported Versions
- App Control Agent: All Supported Versions
- McAfee Endpoint Security Agent
Cause
The McAfee endpoint agent is injecting into the Parityserver.exe process which triggers the App Control agent's Tamper Protection rules which then cause the server service to hang or crash
Resolution
The following solutions exist:
- Use local user login (e.g. admin) when connecting to the console
- Add exclusions in McAfee for the App Control Server per this KB
- Please verify no injection happens using Procmon > Start the capture > collect some data > double click "Parityserver.exe" > Process tab > verify no McAfee DLLs are listed
- If McAfee still injects into the "Parityserver.exe" process > please create a support case with McAfee support to have it resolved
- Disable or uninstall McAfee
- Disable the App Control Agent's Tamper Protection permanently:
- Login to the console with a local user > Go to Assets > Computers > open the Computer Details for the agent installed on the server > Disable Tamper Protection on right
Feedback
Yes
No
Powered by
