Skip to main content
Skyhigh Security

Skyhigh CASB Known and Resolved Issues

For Skyhigh Cloud Connector Known Issues, see Skyhigh Cloud Connector Known and Resolved Issues

Date Description and Workaround (if any) Found in Release Fixed in Release
June 9, 2022

When an inline DLP policy is created for Exchange Online, and the policy is violated, an email notification is sent to internal or external users’ email addresses via To/From/ Cc/Bcc fields with the remediation action to delete the message from the user's mailbox. The incident generated doesn’t show the information of the Bcc recipients.

A known issue has been identified when an email contains multiple events, such as Bcc recipients or internal and external recipients, the event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the Bcc recipients’ information along with the email message and associated metadata before being deleted. Due to the recent deletion of the email, the subsequent events can’t find this email. As a result, the subsequent incidents cannot populate the Bcc recipients’ details.

5.5.2 -
May 10, 2022

When running the ODS Scan for OneDrive, the scan is auto paused, and the status of the scan does not proceed from the initializing phase due to a large user base which results in rate-limiting. The scan restarts and fetches the root folders from the beginning if there is an error during the initialization phase. This issue has been fixed by adding a feature flag to change the logic of fetching root folders from the ODS crawler phase instead of the initialization phase. To enable this feature flag, contact Skyhigh CASB Support for assistance.

  6.0.0

March 28, 2022

There is a Known Issue where the CWPP PoP/Agent may fail to communicate with Skyhigh CASB if it is older than one year. This happens because the certificate has expired. To fix the issue, renew your certificates, and then uninstall and reinstall the Agent. For details, see Known Issue - CWPP PoP/Agent May Fail to Communicate if Older than One Year.

5.5.5 5.5.5 Hotfix

March 2, 2022

When DLP is used to process the files, all DLP activities including the reporting of DLP incidents results in rate limiting and it doesn’t allow any CSPs to process their files. This is due to the CSP being flooded with too many files sync events. This issue has been fixed by adding a feature flag to skip DLP for specific events. The file sync events will not be processed if this feature flag is enabled. To enable this feature flag, contact Skyhigh CASB Support for assistance.

- 5.5.5

Feb 17, 2022

In a newly created UCE or Skyhigh CASB tenant, on the Policy Settings > Enterprise DLP > Unified Cloud Edge DLP tab, the Use Classifications defined in McAfee Endpoint DLP option is greyed out and can't be enabled. This way, you can only create UCE-style policies for API-based Skyhigh CASB DLP policies. To also be allowed to create Skyhigh CASB DLP policies, contact Support 5.5.4 -
Feb 15, 2022 There is a known issue where the Quarantine S3 bucket is not accessible to the root user. As a workaround, validation steps are to be performed on AWS Console and AWS CLI. For details on the workaround, see NRT DLP and Malware Scan for AWS S3. 5.4.2 5.5.2

Dec 20, 2021

When running the ODS Scan for Salesforce, Skyhigh CASB API starts sending bulk jobs and does not close automatically once the scan job is completed. This issue has been fixed by adding a feature flag to close the bulk jobs of Salesforce. Contact Skyhigh CASB Support for assistance.

-

5.5.3

Dec 15, 2021 McAfee Enterprise is aware of CVE-2021-44228, commonly referred to as Log4Shell, recently released by Apache. Attackers can leverage log messages or log message parameters to perform remote code execution on LDAP servers and other JNDI-related endpoints. This vulnerability is considered critical, with a CVSS(3.0) score of 10.0. For details, see McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. - -
Oct 21,2021 For policies that use the Quarantine response action, Skyhigh CASB needs access to copy, update, and delete files from the folders. If the retention policy is enabled on the SharePoint site or list, we can’t delete the file or its contents. To fix this issue, remove the Quarantine response action from the policy or remove the retention policy from the SharePoint site. 5.5.2 -
Oct 12, 2021 The Incident Export API had the following limits, which were causing too many calls to the tenants and made them time out: Default: 100, Max: 10000. To fix this issue, the limits were changed to: Default: 50, Max: 500. For details see, Incidents API - 5.5.0
Sept 28, 2021 Deleted EC2 instances were available on the Analytics > Resources page. This issue was fixed by saving only the active instances. The terminated instances are discarded from the DB and no longer available on the Resources page. - 5.5.1
Sept 28, 2021 On the Policy Incidents page, for files in the Item Name column, Incident file downloads failed if they were larger than 60 MB. Also, there was no error message explaining that the file was not found. This issue has been fixed. For details, see Large File Downloads - 5.5.1

Aug 18, 2021

Previously in On-Demand Scans, you couldn't scan external user chats posted in Teams. As a workaround, in the scan configuration, you could select the data scope as internal user email and external user email. Now, the issue is fixed and the ODS scans the messages posted by an external user in Teams.

- 5.5.0

 

Aug 18, 2021

If the federated chats or meetings created by external users doesn’t have user email, then ODS unable to scan the messages posted in Teams because to create the scan, ODS requires user email.

You can only get the username from the federated chats or meetings but without the user email, scans cannot be created and initiated.

5.5.0 -
Aug 12, 2021 When a DLP policy deletes files as a response action, there was a loophole where users could restore that file from the recycle bin or trash folder. That event was not recognized. This issue is now fixed. The event is recognized, and DLP policies are triggered again on restored files.  5.3.2 5.5.0

Aug 12, 2021

Microsoft Azure updated some of the Azure Security Center Recommendations, as a result in Skyhigh CASB, incidents were failed to generate. This issue is fixed and we have aligned Skyhigh CASB policies with the latest Azure Security Center Recommendation policies.

 

-

 

5.5.0

July 22, 2021

When you upload a malware file in Microsoft Dynamics 365, then the NRT DLP policy for Microsoft Dynamics 365 cannot be triggered. This is due to Skyhigh CASB doesn't receive any events from Microsoft for malware-infected files. If the events are not received from Microsoft Dynamics 365 for the malware-infected files, then the NRT DLP Malware policy cannot be supported in Microsoft Dynamics 365.

5.4.2 -
July 20, 2021

Configuration Audit changes in Continuous Evaluation mode are sometimes causing inconsistent results in Resources and Policy Incidents. We have made a change to aggregate events before processing them to prevent the issue. 

- 5.4.2
July 20, 2021 Previously, when you scanned a container image, items identified by different tags were counted as separate resources, even when they were referenced by the same container image. Now, when you do a scan (and don't filter out certain items), the number of Items Scanned in the scan results should match the number of Resources listed. For details, see Resources for Container Security - 5.4.2
July 8, 2021

Incidents for Security Groups with Security Configuration Audit Policies are now generated even for Security Groups that are not attached to EC2 instances. This will cause an increase in incident counts.

- 5.4.1
July 8, 2021 Previously, the Policy Incidents Cloud Card did not capture the transition of an incident to Open under Incident History, while other states are shown. This issue is fixed, and the incident history now reflects the correct workflow.  5.4.1 5.4.2

 

July 8, 2021

  • When you upload a file with an AIP label for Salesforce, it is applied to the following object types: Attachment and Document. 
  • When you upload a file with an AIP label for Salesforce, it is not applied to the following object types: ContentVersion and Chatter File Upload. It is due to Salesforce API limitations and unable to Quarantine these object types.
5.4.2  
June 14, 2021

The upgrade from 5.4.0 HF to 5.4.1 in EU and Canada environments causes the PoP status to say that the PoP Manager is not in running state, or to set a PoP status to Unhealthy.

To resolve this issue:

  1. Update popm configmap file with correct Skyhigh CASB base URLs
  2. Do one of the following:
  • Follow this steps only for EU Production Tenants:
  1. sudo microk8s kubectl edit configmap popm-config -n cwpp
  2. update mvc_base_urls with below mentioned URLs & save the file:
    mvc_base_urls={"cwpp":"https://www.myshn.eu/","logcollector":"https://eupoccollector.myshn.net/","cspm":"https://cspm.myshn.eu/"}
  • Follow this steps only for CA Production Tenants:
  1. sudo microk8s kubectl edit configmap popm-config -n cwpp
  2. update below mvc_base_urls as mentioned below and save the file:
    mvc_base_urls={"cwpp":"https://www.myshn.ca/","logcollector":"https://pstat.myshn.ca/","cspm":"https://cspm.myshn.ca/"}
  1. Do one of the following:
  • For Azure PoPs:
  1. SSH to PoP Primary Instance and run below commands
  2. Run the cmd- sudo microk8s kubectl delete daemonset.apps/cwpp-connector -n cwpp
  3. Go to /opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/azure/upgrade/azure
  4. run cmd
    • sudo kubectl apply -f dxl-deployment.yaml -n cwpp
  5. run sudo microk8s kubectl get pods -n cwpp
    • check all the cwpp-connector pods are recreated (Monitor Pod Age)
    • check all the pods are in running/completed state
    • wait for 5min and check the pop-manager pod is in completed state
  6. Log into dashboard page, navigate to PoP management Page & select the respective PoP in Azure
  7. Check the PoP RHS card for build versions
    • CWPP CICD ver- 1.0.0.137
    • CWPP Connector ver- 1.0.0.210
    • CWPP Logger ver- 1.5.1
  • For GCP PoPs:
  1. SSH to PoP Primary Instance and run below commands
  2. Run the cmd- sudo microk8s kubectl delete daemonset.apps/cwpp-connector -n cwpp
  3. Go to /opt/McAfee/cwpp/pop/PoPDeployment/PoPCreation/gcp/upgrade/gcp
  4. run cmd
    • sudo kubectl apply -f dxl-deployment.yaml -n cwpp
  5. run sudo microk8s kubectl get pods -n cwpp
    • check all the cwpp-connector pods are recreated (Monitor Pod Age)
    • check all the pods are in running/completed state
    • wait for 5min and check the pop-manager pod is in completed state
  6. Log into dashboard page, navigate to PoP management Page & select the respective PoP in GCP
  7. Check the PoP RHS card for build versions
    • CWPP CICD ver- 1.0.0.137
    • CWPP Connector ver- 1.0.0.210
    • CWPP Logger ver- 1.5.1
5.4.1  
June 9, 2021 In the Analytics > Users page, the user with detokenized permissions cannot search for plain text user names and source IP addresses from Omnibar.  5.4.1  
June 7, 2021

MVISION Cloud generates incidents for the misconfigured AWS security groups that are attached to EC2 instances but does not generate the incidents for the misconfigured security groups that are not attached to any EC2 instances.

This issue was fixed by updating the policies related to security groups so that they now evaluate the non-attached security groups too for any misconfigurations and generate incidents. 

After the fix, you may see an increase in the number of incidents being reported that is directly proportional to the number of misconfigured, non-attached security groups in your environment. As part of the fix , following policies were modified :

  • Security Groups should not have unrestricted CIFS access
  • Security Groups should not have unrestricted MSSQL access
  • Security Groups should not have unrestricted FTP access
  • Security Groups should not have unrestricted ICMP access
  • Security Groups should not have unrestricted MongoDB access
  • Security Groups should not have unrestricted DNS access
  • Security Groups should not have unrestricted MySQL access
  • Security Groups should not have unrestricted NetBIOS access
  • Security Groups should not have unrestricted Oracle Database access
  • Security Groups should not have unrestricted PostgreSQL access
  • Security Groups should not have unrestricted Remote Desktop access
  • Security Groups should not have unrestricted RPC access
  • Security Groups should not have unrestricted SMTP access
  • Security Groups should not have unrestricted SSH access
  • Security Groups should not have unrestricted Telnet access
  • Security Groups should not have unrestricted MSSQL Database (UDP) access
  • Security Groups should not have unrestricted VNC listener access
  • Security Groups should not have unrestricted VNC Server access
  • Non HTTP/HTTPS ports should not have unrestricted access
  • Security Groups should not have unrestricted inbound access on uncommon ports
  • Security Groups should not have unrestricted outbound access
- 5.4.1
April 22, 2021 When using MVISION Cloud - Cloud Access Policy for contextual access control and when a  policy is configured that unmanaged devices are allowed to access Office 365 UI through web browsers, navigating to "Power Automate" (also known as "Flow") will cause the user to be logged out of the Office 365 session on the unmanaged device. Access to Office 365 from managed devices is not affected. As a workaround, McAfee suggests to implement a request classifier to block access to "Power Automate" from unmanaged devices. The functionality implemented with "Power Automate" is still fully functional, only the ability to create or edit these flows is then blocked when accessing Office 365 from an unmanaged / high risk device
ref: AM-21967
5.3  
Dec. 17, 2020

When configuring your Microsoft Azure instance to use with Security Configuration Audit, Azure will ask for approval to connect multiple times. Skyhigh CASB asks for consent and forces the user to go through the approval process due to the consent parameter in the OAuth URL. This is caused by configuring the security setting "App Approval Authorization Process" in your Azure tenant. For a workaround, see Workaround - Enable Security Configuration Audit for Microsoft Azure.

5.2.2 -
Dec. 7, 2020

Container Vulnerability Scans (CVS) are based on the Common Vulnerability Scoring System (CVSS), which assigns industry-standard scores to vulnerabilities. Skyhigh CASB uses CVSSv2 and CVSSv3, defaulting to CVSSv3 when there are differences. You may notices changes in the reported Vulnerability Severity as Skyhigh CASB upgrades from CVSSv2 to CVSSv3.

5.2.2 -
Oct. 1, 2020

If you have changed the weight of a Risk Attribute, there may be a mismatch in the value of the metrics displayed in the Cloud Service Advisor and the Services Overview. Skyhigh CASB does not consider tenant-specific overrides in risk scoring while computing services in the Cloud Service Advisor.

5.1.1 -
Sept. 21, 2020

As IaaS Config Audit policy names were updated. Note the following issues:

  • Saved Views that use the previous names won’t show the correct incidents. If Dashboard cards or Reports are created using these Saved Views, those are affected too. As a workaround, you can update the Saved Views to refer to the updated names or search using the corresponding new name. This issue will be fixed in an upcoming hotfix. 
  • Some policies and incidents still refer to the previous names.
5.2.0 -
Aug 25, 2020 Some Cloud Security Advisor metrics have been split into product-specific groups for Shadow IT, SaaS, and IaaS. For this reason, you may see a drop in your Visibility and Control scores. For details, see Cloud Security Report 5.1.2 -
Aug 18, 2020

Known Issue for Intune Mobile Device Management (MDM) for New User Enrollment or iOS 13.x. Users on iPhones or iPad devices on iOS cannot enroll through the Intune application and are getting a blank page.

This issue is resolved. For details, see Create a Cloud Access Policy for MDM

5.1.2 6.0.1
June 26, 2020 When you create a vertical bar chart and update the dimensions, sometimes the chart will not load. If you select another chart type, such as line, donut, or horizontal bar, then switch back, the vertical bar chart is displayed. This issue will be fixed in a future release.  5.1.0 -
Jan 20, 2020 On the Incidents > Threats and Anomalies > Shadow Anomalies page, there is a known issue when you try to mark an anomaly as invalid, the button behaves irregularly. Sometimes the anomaly is marked invalid and sometimes it is not. Also, on the same page, when you use the button to add or remove a user from the Watchlist, the change is made in the backend, but the icon in the user interface does not reflect this. This will be fixed in a future release.  4.2.2 -

 

  • Was this article helpful?