McAfee Enterprise MVISION Cloud

MVISION Cloud Known Issues and Bug Fixes

For MVISION Cloud Connector Known Issues, see MVISION Cloud Connector Known Issues

Date Description and Workaround (if any) Found in Release Fixed in Release
July 22, 2021

When you upload a malware file in Microsoft Dynamics 365, the NRT DLP policy for Microsoft Dynamics 365 cannot be triggered. This is because MVISION Cloud doesn't receive any events from Microsoft for malware-infected files. If the events are not received from Microsoft Dynamics 365 for the malware-infected files, then the NRT DLP Malware policy cannot be supported in Microsoft Dynamics 365.

5.4.2 -
July 20, 2021

Configuration Audit changes in Continuous Evaluation mode are sometimes causing inconsistent results in Resources and Policy Incidents. We have made a change to aggregate events before processing them to prevent the issue. 

- 5.4.2
July 20, 2021 Previously, when you scanned a container image, items identified by different tags were counted as separate resources, even when they were referenced by the same container image. Now, when you do a scan (and don't filter out certain items), the number of Items Scanned in the scan results should match the number of Resources listed. For details, see Resources for Container Security - 5.4.2
July 8, 2021

Incidents for Security Groups with Security Configuration Audit Policies are now generated even for Security Groups that are not attached to EC2 instances. This will cause an increase in incident counts.

- 5.4.1
July 8, 2021 Previously, the Policy Incidents Cloud Card did not capture the transition of an incident to Open under Incident History, while other states are shown. This issue is fixed, and the incident history now reflects the correct workflow.  5.4.1 5.4.2

 

July 8, 2021

  • When you upload a file with an AIP label for Salesforce, it is applied to the following object types: Attachment and Document. 
  • When you upload a file with an AIP label for Salesforce, it is not applied to the following object types: ContentVersion and Chatter File Upload. This is due to Salesforce API limitations, and these object types cannot be quarantined.
5.4.2  
June 14, 2021

The upgrade from 5.4.0 HF to 5.4.1 in EU and Canada environments causes the PoP status to say that the PoP Manager is not in running state, or to set a PoP status to Unhealthy.

To resolve this issue:

  1. Update the popm configmap file with the correct MVISION Cloud base URLs. Do one of the following:
    • Follow these steps only for EU Production Tenants:
      1. Run: sudo microk8s kubectl edit configmap popm-config -n cwpp
      2. Update mvc_base_urls with the URLs below and save the file:
         mvc_base_urls={"cwpp":"https://www.myshn.eu/","logcollector":"https://eupoccollector.myshn.net/","cspm":"https://cspm.myshn.eu/"}
    • Follow these steps only for CA Production Tenants:
      1. Run: sudo microk8s kubectl edit configmap popm-config -n cwpp
      2. Update mvc_base_urls with the URLs below and save the file:
         mvc_base_urls={"cwpp":"https://www.myshn.ca/","logcollector":"https://pstat.myshn.ca/","cspm":"https://cspm.myshn.ca/"}
  2. Do one of the following:
    • For Azure PoPs:
      1. SSH to the PoP Primary Instance and run the commands below.
      2. Run: sudo microk8s kubectl delete daemonset.apps/cwpp-connector -n cwpp
      3. Go to /opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/azure/upgrade/azure
      4. Run: sudo kubectl apply -f dxl-deployment.yaml -n cwpp
      5. Run: sudo microk8s kubectl get pods -n cwpp
        • Check that all the cwpp-connector pods are recreated (monitor the pod age).
        • Check that all the pods are in running/completed state.
        • Wait for 5 minutes and check that the pop-manager pod is in completed state.
      6. Log in to the dashboard page, navigate to the PoP management page, and select the respective PoP in Azure.
      7. Check the PoP RHS card for build versions:
        • CWPP CICD ver- 1.0.0.137
        • CWPP Connector ver- 1.0.0.210
        • CWPP Logger ver- 1.5.1
    • For GCP PoPs:
      1. SSH to the PoP Primary Instance and run the commands below.
      2. Run: sudo microk8s kubectl delete daemonset.apps/cwpp-connector -n cwpp
      3. Go to /opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/gcp/upgrade/gcp
      4. Run: sudo kubectl apply -f dxl-deployment.yaml -n cwpp
      5. Run: sudo microk8s kubectl get pods -n cwpp
        • Check that all the cwpp-connector pods are recreated (monitor the pod age).
        • Check that all the pods are in running/completed state.
        • Wait for 5 minutes and check that the pop-manager pod is in completed state.
      6. Log in to the dashboard page, navigate to the PoP management page, and select the respective PoP in GCP.
      7. Check the PoP RHS card for build versions:
        • CWPP CICD ver- 1.0.0.137
        • CWPP Connector ver- 1.0.0.210
        • CWPP Logger ver- 1.5.1
5.4.1  
June 9, 2021 In the Analytics > Users page, the user with detokenized permissions cannot search for plain text user names and source IP addresses from Omnibar.  5.4.1  
June 7, 2021

MVISION Cloud generates incidents for the misconfigured AWS security groups that are attached to EC2 instances but does not generate the incidents for the misconfigured security groups that are not attached to any EC2 instances.

This issue was fixed by updating the policies related to security groups so that they now evaluate the non-attached security groups too for any misconfigurations and generate incidents. 

After the fix, you may see an increase in the number of incidents being reported that is directly proportional to the number of misconfigured, non-attached security groups in your environment. As part of the fix, the following policies were modified:

  • Security Groups should not have unrestricted CIFS access
  • Security Groups should not have unrestricted MSSQL access
  • Security Groups should not have unrestricted FTP access
  • Security Groups should not have unrestricted ICMP access
  • Security Groups should not have unrestricted MongoDB access
  • Security Groups should not have unrestricted DNS access
  • Security Groups should not have unrestricted MySQL access
  • Security Groups should not have unrestricted NetBIOS access
  • Security Groups should not have unrestricted Oracle Database access
  • Security Groups should not have unrestricted PostgreSQL access
  • Security Groups should not have unrestricted Remote Desktop access
  • Security Groups should not have unrestricted RPC access
  • Security Groups should not have unrestricted SMTP access
  • Security Groups should not have unrestricted SSH access
  • Security Groups should not have unrestricted Telnet access
  • Security Groups should not have unrestricted MSSQL Database (UDP) access
  • Security Groups should not have unrestricted VNC listener access
  • Security Groups should not have unrestricted VNC Server access
  • Non HTTP/HTTPS ports should not have unrestricted access
  • Security Groups should not have unrestricted inbound access on uncommon ports
  • Security Groups should not have unrestricted outbound access
- 5.4.1
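
The security group change described above (evaluating groups whether or not they are attached to an EC2 instance) can be illustrated with the added example below; it is not MVISION Cloud's policy logic. The port map, the function names, and the sample groups are assumptions constructed for the illustration, and the set of attached group IDs is assumed to have been collected separately (for example from network interface data).

```python
import ipaddress

# Assumption: standard service ports for a few of the policies listed above;
# these are not taken from MVISION Cloud's policy definitions.
POLICY_PORTS = {
    "SSH": ("tcp", 22), "Telnet": ("tcp", 23), "Remote Desktop": ("tcp", 3389),
    "MySQL": ("tcp", 3306), "PostgreSQL": ("tcp", 5432),
    "MSSQL Database (UDP)": ("udp", 1434),
}

def open_to_world(perm):
    """True if any source range of the rule is 0.0.0.0/0 or ::/0."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)

def covers(perm, proto, port):
    """Does this ingress rule include proto/port? '-1' means all traffic."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == proto
            and perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535))

def audit(groups, attached_ids, include_unattached=True):
    """Return (group_id, policy, attached) for every unrestricted exposure."""
    findings = []
    for g in groups:
        attached = g["GroupId"] in attached_ids
        if not attached and not include_unattached:
            continue  # behaviour before the fix: unattached groups are skipped
        for perm in g.get("IpPermissions", []):
            if not open_to_world(perm):
                continue
            findings += [(g["GroupId"], name, attached)
                         for name, (proto, port) in POLICY_PORTS.items()
                         if covers(perm, proto, port)]
    return findings

# Constructed sample in the shape of EC2 DescribeSecurityGroups output.
SAMPLE_GROUPS = [
    {"GroupId": "sg-attached01", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-orphan02", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3300, "ToPort": 3400,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-orphan03", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
]
ATTACHED = {"sg-attached01"}  # constructed: IDs referenced by a network interface
```

Running audit with include_unattached=False and then True on the same input shows the jump in findings that the entry above warns about: the port-range rule on the unattached group matches two policies at once.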
April 22, 2021 When using MVISION Cloud - Cloud Access Policy for contextual access control, and a policy is configured so that unmanaged devices are allowed to access the Office 365 UI through web browsers, navigating to "Power Automate" (also known as "Flow") causes the user to be logged out of the Office 365 session on the unmanaged device. Access to Office 365 from managed devices is not affected. As a workaround, McAfee suggests implementing a request classifier to block access to "Power Automate" from unmanaged devices. The functionality implemented with "Power Automate" remains fully functional; only the ability to create or edit these flows is blocked when accessing Office 365 from an unmanaged / high risk device.
ref: AM-21967
5.3  
Dec. 17, 2020

When configuring your Microsoft Azure instance to use with Security Configuration Audit, Azure will ask for approval to connect multiple times. MVISION Cloud asks for consent and forces the user to go through the approval process due to the consent parameter in the OAuth URL. This is caused by configuring the security setting "App Approval Authorization Process" in your Azure tenant. For a workaround, see Workaround - Enable Security Configuration Audit for Microsoft Azure.

5.2.2 -
Dec. 7, 2020

Container Vulnerability Scans (CVS) are based on the Common Vulnerability Scoring System (CVSS), which assigns industry-standard scores to vulnerabilities. MVISION Cloud uses CVSSv2 and CVSSv3, defaulting to CVSSv3 when there are differences. You may notice changes in the reported Vulnerability Severity as MVISION Cloud upgrades from CVSSv2 to CVSSv3.

5.2.2 -
Oct. 1, 2020

If you have changed the weight of a Risk Attribute, there may be a mismatch in the value of the metrics displayed in the Cloud Service Advisor and the Services Overview. MVISION Cloud does not consider tenant-specific overrides in risk scoring while computing services in the Cloud Service Advisor.

5.1.1 -
Sept. 21, 2020

IaaS Config Audit policy names were updated. Note the following issues:

  • Saved Views that use the previous names won’t show the correct incidents. If Dashboard cards or Reports are created using these Saved Views, those are affected too. As a workaround, you can update the Saved Views to refer to the updated names or search using the corresponding new name. This issue will be fixed in an upcoming hotfix. 
  • Some policies and incidents still refer to the previous names.
5.2.0 -
Aug 25, 2020 Some Cloud Security Advisor metrics have been split into product-specific groups for Shadow IT, SaaS, and IaaS. For this reason, you may see a drop in your Visibility and Control scores. For details, see Cloud Security Report 5.1.2 -
Aug 18, 2020

Known Issue for Intune Mobile Device Management (MDM) for New User Enrollment or iOS 13.x. Users on iPhone or iPad devices on iOS cannot enroll through the Intune application and get a blank page. For complete details and workaround, see Create a Cloud Access Policy.

5.1.2 -
June 26, 2020 When you create a vertical bar chart and update the dimensions, sometimes the chart will not load. If you select another chart type, such as line, donut, or horizontal bar, then switch back, the vertical bar chart is displayed. This issue will be fixed in a future release.  5.1.0 -
Jan 20, 2020 On the Incidents > Threats and Anomalies > Shadow Anomalies page, there is a known issue when you try to mark an anomaly as invalid, the button behaves irregularly. Sometimes the anomaly is marked invalid and sometimes it is not. Also, on the same page, when you use the button to add or remove a user from the Watchlist, the change is made in the backend, but the icon in the user interface does not reflect this. This will be fixed in a future release.  4.2.2 -

 
