McAfee MVISION Cloud

MVISION Cloud Known Issues and Bug Fixes

For MVISION Cloud Connector Known Issues, see MVISION Cloud Connector Known Issues

Date Description and Workaround (if any) Found in Release Fixed in Release
March 25, 2021

For CSPM, existing incidents are updated based on the policy evaluation, and duplicate incidents are not created. For tenants enabled for CE, it is possible that the incident was created more than 1 year ago and no events have been received since. In that case, the incident is actually valid but is not shown.

Fixed to display older and valid incidents by updating the created and updated timestamp based on data retention. Also, reuse existing incidents and keep their states, history, etc. Please contact support to enable this in your tenant.

5.3 5.3.2
March 24, 2021

When an Incident reoccurs, MVISION Cloud changed Incidents that use a Custom status configured by the SOC team to Open, and the Custom status was lost. MVISION Cloud no longer changes a Custom status when an issue reoccurs. This also results in not updating Incidents to Resolved or Archived later.

5.3.1 5.3.2
Dec. 17, 2020

When configuring your Microsoft Azure instance to use with Security Configuration Audit, Azure will ask for approval to connect multiple times. MVISION Cloud asks for consent and forces the user to go through the approval process due to the consent parameter in the OAuth URL. This is caused by configuring the security setting "App Approval Authorization Process" in your Azure tenant. For a workaround, see Workaround - Enable Security Configuration Audit for Microsoft Azure.

5.2.2 -
Dec. 7, 2020

Container Vulnerability Scans (CVS) are based on the Common Vulnerability Scoring System (CVSS), which assigns industry-standard scores to vulnerabilities. MVISION Cloud uses CVSSv2 and CVSSv3, defaulting to CVSSv3 when there are differences. You may notice changes in the reported Vulnerability Severity as MVISION Cloud upgrades from CVSSv2 to CVSSv3.

5.2.2 -
Oct. 1, 2020

If you have changed the weight of a Risk Attribute, there may be a mismatch in the value of the metrics displayed in the Cloud Service Advisor and the Services Overview. MVISION Cloud does not consider tenant-specific overrides in risk scoring while computing services in the Cloud Service Advisor.

5.1.1 -
Sept. 21, 2020

IaaS Config Audit policy names were updated. Note the following issues:

  • Saved Views that use the previous names won’t show the correct incidents. If Dashboard cards or Reports are created using these Saved Views, those are affected too. As a workaround, you can update the Saved Views to refer to the updated names or search using the corresponding new name. This issue will be fixed in an upcoming hotfix. 
  • Some policies and incidents still refer to the previous names.
5.2.0 -
Aug 25, 2020 Some Cloud Security Advisor metrics have been split into product-specific groups for Shadow IT, SaaS, and IaaS. For this reason, you may see a drop in your Visibility and Control scores. For details, see Cloud Security Report 5.1.2 -
Aug 18, 2020

Known Issue for Intune Mobile Device Management (MDM) for New User Enrollment or iOS 13.x. Users on iPhones or iPad devices on iOS cannot enroll through the Intune application and are getting a blank page. For complete details and workaround, see Create a Cloud Access Policy

5.1.2 -
June 26, 2020 When you create a vertical bar chart and update the dimensions, sometimes the chart will not load. If you select another chart type, such as line, donut, or horizontal bar, then switch back, the vertical bar chart is displayed. This issue will be fixed in a future release.  5.1.0 -
May 27, 2020 On the Policy Templates page, filters for CSPs are not working. If you select any CSP, you will see all of the available Policy Templates.  5.0.2 5.1.0
April 28, 2020

The MVISION Cloud default data retention period has changed from 90 days to 100 days. Beginning with MVISION Cloud 5.0.2, the data retention policy (100 days or 12 months, if you purchased the 12-month data retention plan) is applied for the incidents displayed on the Policy Incidents summary and page. As a result, you may see fewer incidents displayed on the Policy Incidents pages compared to previous versions. Policy Incident retention policy is applied using the incident modified date.

5.0.1 5.0.2
Jan 20, 2020 On the Incidents > Threats and Anomalies > Shadow Anomalies page, there is a known issue when you try to mark an anomaly as invalid, the button behaves irregularly. Sometimes the anomaly is marked invalid and sometimes it is not. Also, on the same page, when you use the button to add or remove a user from the Watchlist, the change is made in the backend, but the icon in the user interface does not reflect this. This will be fixed in a future release.  4.2.2 -
Dec 23, 2019 Limitation of Salesforce: When Demand Scans are running on Salesforce the User Email Notification and Send Email Notification to responses are not supported. 4.3.0 -
Dec. 3, 2019

Do not use white space when you create a service group name. You can use "_" or  "-" instead of a space. If there is white space in the service group name, and if the service group is used in Panorama integration, there can be problems accessing the published URL list.

4.3.2 -
Sep 24, 2019

Issue: If an AWS account had users with no managed or inline policies granting admin privileges, the "Single IAM Administrator Detected" policy generated false positives even though admin users were present.
Fix: Group policies are now considered for users with admin privileges. This requires the following specific permissions, which have been added to AWS JSON Minimum Privileges:
    
    iam:ListAttachedGroupPolicies
    iam:ListGroupPolicies
    iam:GetGroup
    iam:GetPolicyVersion
    iam:ListGroups

4.2.2 4.3.1
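The effect of the fix above, as an added example that is not MVISION Cloud code: a single-administrator check run over constructed IAM data, first using only policies attached directly to users and then also following group membership. The account layout, the names, and the definition of "admin" (an Allow statement with Action `*` on Resource `*`) are assumptions made for the illustration.

```python
# Constructed sample data (not from a real account). In AWS, group membership comes
# from iam:ListGroups / iam:GetGroup, and group policy documents come from
# iam:ListAttachedGroupPolicies, iam:ListGroupPolicies and iam:GetPolicyVersion.
ADMIN_DOC = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
READONLY_DOC = {"Statement": {"Effect": "Allow",
                              "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}}

ACCOUNT = {
    "users": {
        "alice": {"policies": [ADMIN_DOC], "groups": []},
        "bob": {"policies": [], "groups": ["ops-admins"]},
        "carol": {"policies": [READONLY_DOC], "groups": ["ops-admins", "auditors"]},
        "dave": {"policies": [], "groups": ["auditors"]},
    },
    "groups": {
        "ops-admins": {"policies": [ADMIN_DOC]},
        "auditors": {"policies": [READONLY_DOC]},
    },
}

def _as_list(value):
    # IAM policy JSON allows a single value or a list for these fields.
    return value if isinstance(value, list) else [value]

def grants_admin(doc):
    """Assumed definition of admin: Allow with Action "*" on Resource "*"."""
    return any(
        stmt.get("Effect") == "Allow"
        and "*" in _as_list(stmt.get("Action", []))
        and "*" in _as_list(stmt.get("Resource", []))
        for stmt in _as_list(doc.get("Statement", []))
    )

def admin_users(account, include_groups):
    """Return the set of users holding admin privileges."""
    admins = set()
    for name, user in account["users"].items():
        docs = list(user["policies"])  # managed + inline policies on the user
        if include_groups:             # the fix: also follow group membership
            for group in user["groups"]:
                docs.extend(account["groups"][group]["policies"])
        if any(grants_admin(doc) for doc in docs):
            admins.add(name)
    return admins

def single_admin_detected(account, include_groups):
    return len(admin_users(account, include_groups)) == 1

if __name__ == "__main__":
    print("user policies only:", single_admin_detected(ACCOUNT, False))
    print("with group policies:", single_admin_detected(ACCOUNT, True))
```
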
Sep 11, 2019

Issue: Adding AWS accounts with ARN permission issues via APIs was incorrectly updating the database, which led to scan failure for existing accounts as well.

Fix: Use the existing access and secret keys for accounts being added via APIs as well. 

4.2.2 4.3.2
June 20, 2019

The following policies now create an incident for SG along with an EC2 instance (Linked Resource):

  • Unrestricted Inbound Access on Uncommon Ports
  • Unrestricted Outbound Access
  • Unrestricted Access to non HTTP/HTTPS ports
  • Unrestricted Access to RDS Instances
  • Unrestricted CIFS Access
  • Unrestricted DNS Access
  • Unrestricted FTP Access
  • Unrestricted ICMP Access
  • Unrestricted MongoDB Access
  • Unrestricted MSSQL Access
  • Unrestricted MSSQL Database Access (UDP)
  • Unrestricted MySQL Access
  • Unrestricted NetBIOS Access
  • Unrestricted Oracle Database Access
  • Unrestricted PostgreSQL Access
  • Unrestricted Remote Desktop Access
  • Unrestricted RPC Access
  • Unrestricted SMTP Access
  • Unrestricted SSH Access
  • Unrestricted Telnet Access
  • Unrestricted VNC Listener Access
  • Unrestricted VNC Server Access
  • Unencrypted AMI
  • Default VPCs are used
  • Unrestricted Access to CloudTrail Bucket
- 4.2.1
June 20, 2019 The "EC2 Security Group Port Configuration" policy was updated with a false positive bug fix.
 
4.1.2 4.2.1
June 20, 2019 "Inactive IAM Access Keys" policy generates incidents when "last used" time stamp is N/A and the key status is active. 4.2.0 4.2.1
June 20, 2019

Office 365 anti-malware software does not allow MVISION Cloud to download or quarantine files if Microsoft has detected that the file is infected by malware. This includes SharePoint and OneDrive. The following error is shown:

errorCode=MALWARE_ERROR - Malware error, errorMessage=-1 {"odata.error":{"code":"-2147217327, Microsoft.SharePoint.SPException","message":{"lang":"en-US","value":"The virus scanner discovered an issue while scanning the file. Please try opening the file directly from the browser, or contact your administrator. Additional information: 'DOS/EICAR_Test_File'"}}} 

MVISION Cloud creates an incident based on the error message, but it will fail to quarantine or delete the file. 

4.2.1 -
Aug. 28, 2018 There is a known issue that if a space exists before or after the name of a Box Classification, the Classification will not work to tag files. This issue will be fixed in an upcoming release.  4.0 -
July 18, 2018 On the Incidents > User Activity > Available Activities page, if you have multiple instances of a service configured, in the All Services menu, you will see those instances listed separately, depending on how you have named the instances. This list will differ from what is shown in the Available Activities from <Service> menu above.  3.9.2 -
July 10, 2018 On the Incidents > User Activity > Activity Monitoring page, on the Anomalies tab, there is a known issue where for customer blacklist Anomalous Activity Anomalies, the number of activities link is not displayed, so you cannot click the link to download activities. The workaround for this issue is to go to the Activity Monitoring User tab and search for the user for the specific locations and IP addresses to get the activities. This issue will be fixed in MVISION Cloud 4.0.  3.9.1 4.0
July 10, 2018 On the Threats & Anomalies (Sanctioned) page, there is a known issue where Superhuman or Anomalous Access Anomaly details in a compromised account threat are not displayed in the Threat Detail box.  Instead, a message is displayed that says, "Some of the data for this item is still being processed. We will update the data as soon as processing completes." This issue will be fixed in MVISION Cloud 3.9.2. For details, see Threats and Anomalies (Sanctioned) 3.9.1 3.9.2
April 9, 2018 On the Policy Incidents page, when you click the Select All box and try to select a response, but there are fewer than 100 incidents, it does not work. To work around the issue, after you click the Select All box, deselect and select one item in the table. This issue will be fixed in 3.8.2.  3.8.1 3.8.2
March 21, 2018 While creating a DLP policy or exceptions, if you add certain reserved SQL keywords, such as "Select", "Update", or "Delete", they appear with the first letter masked, as "#elect", "#pdate", or "#elete." This is a security feature of the GWT framework in Java to prevent SQL injection. The workaround is to add the file name to a dictionary and add the dictionary as an exception rule.  3.8 N/A
Feb 7, 2018 When you add Active Directory attributes to a table, the column is added to the table in the user interface, but this column is not generated in a report. This issue will be fixed in MVISION Cloud 3.8.  3.7.2 3.8
Nov 15, 2017 The Services (Beta) page (and other redesigned pages) now uses the data volume unit of Gigabytes (GB), where the previous Classic user interface used Gibibytes (GiB). So for example, the Upload Data counts will be different on the new Services page from the Classic Services Overview page.   3.6.2 Beta pages N/A
Sept. 28, 2017 When using Chrome, the screen position in the Create New DLP Policy page may shift unexpectedly. Please use Firefox or Safari while our engineering team works on a fix. 3.6.1  
Sept. 28, 2017 On the Policy Incidents page, when you select a Saved View, expand it in the Omnibar, and then remove it, the Saved View still appears to be selected in the Views tab. Also, if you select a Saved View and expand it in the Omnibar, if you change to the Filters tab, the appropriate filters are not selected in the list. This issue will be fixed in a future release.  3.6.1  
Sept. 28, 2017 In MVISION Cloud 3.6, when you use a Saved View, the Saved View tab was displayed. But in 3.6.1, when you use a Saved View, the Filter tab is displayed instead. This is a change in behavior.  3.6.1  
Sept. 28, 2017 In the Filters sidebar, under Data, if you click the Apply button without entering any values, there is no result. This button should be inactive until values are entered. This will be fixed in a future release.  3.6.1  
Sept. 28, 2017 In the Filters sidebar, under Service Category, the Security category shows a + button when there is only one item in the list. The + should not be displayed for subcategories with only one item. This will be fixed in a future release.  3.6.1  
Sept. 28, 2017 Currently, in Report Manager, there is no alert for failed reports or emails. There is also no mechanism to retry sending an email. This will be fixed in a future release.  3.6.1  
Sept 11, 2017

Manual remediation for Email DLP is currently not available. This will be fixed in a future release. 

3.6.1  
Aug 16, 2017

Detokenizing reports for PDF files is currently not working in Enterprise Connector and MVISION Cloud dashboard. 

3.6  
Aug 16, 2017

There is a known issue on the new Services (Beta) and Users (Beta) pages, where when you select an Anomaly filter, counts for Services and Users may not match. This is because only Services and Users responsible for the filtered Anomaly are shown. You can’t filter for other column information such as Upload Count/Data, Access Count, or Inbound/Outbound Data, because the minimum aggregation is 24 hours. 

3.6  
Aug 8, 2017 Anomalous Access Location Anomalies. It is important to note that until a tenant is baselined, trust activity cannot be updated. Sometimes activities do come in delayed, meaning the processed time of the activity is later than the original time of the activity. For complete details, see Anomalous Access Location Baselining. 3.5  
Aug 2, 2017

If user names are tokenized for the Sanctioned IT workflow, the MVISION Cloud dashboard displays tokenized values during investigation. To detokenize user names, export the data from the Policy Violations page. Currently, this CSV file is tab-delimited, when it needs to be comma-delimited. This is a known issue. 

To detokenize all users in the Enterprise Connector user interface, use this workaround: open the CSV file in Excel and save it as a comma-delimited file. For complete details, see Detokenization for Sanctioned IT. This issue will be fixed in a future release. 

3.5  
July 14, 2017 On the Incident Management > Policy Incidents Summary page, the total number of incidents is shown, including archived incidents. But on the Policy Violations page, any archived incidents are filtered out. So the number of incidents shown on these pages may differ without applying additional filters. This will be fixed in a future release.   3.5  
July 14, 2017 On the Incident Management > Policy Incidents Summary page, the Policy Type and Policy Status for CAP violations are displayed as "N/A".  3.5 3.6
April 20, 2017 The DLP Integrator for 3.4 is not compatible with previous versions. See DLP Integrator 3.4 Known Issue for details.  3.4  
April 14, 2017 To search for city names on the Incident Management > User Activity > Activity Monitoring page, you must select both the upper case and lower case listing for the city name in the filter list or Omnibar to see all data. For example, to see all data from Mumbai for the last 100 days, from the Filter list, you would need to select "Mumbai" and "mumbai". This issue is also caused by the change from MaxMind to Digital Element geographical data provider. After 100 days, all tenants will change to Digital Element, so this issue will be resolved automatically. Though if you want to do historical searches after this change, you may still see this issue.  3.4 After 100 days
April 14, 2017 In the 3.4 release, MVISION Cloud changed geographical data providers from MaxMind to Digital Element. These data providers display org names differently. Due to this change, for any existing tenant, when an anomaly is generated based on the orgName, if it is displayed differently by MaxMind and Digital Element, you may not be able to search by the org name. After 100 days, all tenants will change to Digital Element, so this issue will be resolved automatically. 3.4 After 100 days

DLP Integrator 3.4 Known Issue

DLP Integrator 3.4 is required for the Structured Fingerprint feature, but it is not backwards compatible with previous versions. For this reason, previously created Fingerprints will continue to work as long as they are not re-indexed. 

If you have clicked Generate Index with DLP Integrator 3.3 or earlier, you will see an “update in progress” message with no progress. If you see this problem, please open a ticket with MVISION Cloud Support to request that they delete these indices from your tenant. (Even if you haven’t clicked Generate Index, and you want to delete any old indices, open a ticket with MVISION Cloud Support to delete them.) 

Before you Install DLP Integrator 3.4

  1. Run the command ps -aef | grep java
  2. Search for any existing DLP Integrator versions that may be running on your machine.
  3. Delete any DLP Integrator 3.3 instances by running the command sudo kill -9 <process id>

Once you have confirmed that there are no instances of DLP Integrator 3.3 or earlier running on your machine, install DLP Integrator 3.4.
