3rd December 2022

Cannot Disable or Delete Policy in McAfee Active Response Triger(KB92368) – (Cannot disable trigger “42.”) Error and Solution

Active Response is an endpoint detection and response tool for advanced threats. It is located in Mcafee product province. It can be executed via Mcafee ePO. If you have 2 TIE servers on your system, you may usually encounter this problem. Let’s look at how the error happened first. We click “menu> Active Response Catalog” on Mcafee ePO.

Active Response Catalog
Active Response Catalog

 

We click the “Triggers” tab on the “Active Response Catalog” screen. Here, we will try to delete the “File Malware Create3” rule we created earlier. To remove the “File Malware Create3” rule, we click “Action> Delete” at the bottom.

Triggers
Triggers

 

When we click the “Delete” button, it asks if we are sure we want to delete it. We click on the “Yes” button.

Delete
Delete

 

When we click the “Yes” button, it says that the rule is active. “Some of the selected triggers are enabled.” gives the error.

Some of the selected triggers are enabled
Some of the selected triggers are enabled

 

To disable our “File Malware Create3” rule, click the “Action> Disable” button below. The error here is (Cannot disable trigger ”42″.).

Cannot disable trigger ''42"
Cannot disable trigger ”42″

 

When we want to add md5 hash to the “File Malware Create” rule we wrote, it is seen that there is no post-addition.

no post-addition
no post-addition

 

The solution to the Error

If you have 2 TIE servers on your system, you may usually encounter this problem. You should run the following commands on the primary TIE Server with the root user. After running it, give wake up to tie, mar, EPO and Dlx servers to get a policy.

/opt/McAfee/tieserver/postgresql/bin/psql -Umfetie tie
alter table if exists mar_trigger_term_platform drop constraint fk__mar_trigger_term_platform__trigger_term_id;
alter table if exists mar_trigger_term_platform add constraint fk__mar_trigger_term_platform__trigger_term_id FOREIGN KEY (trigger_term_id) REFERENCES mar_term(id) ON DELETE CASCADE;
The solution to the Error
The solution to the Error

 

LEARN MORE  How to Perform SMB Login Control in MSF in Penetration Tests?

After running the commands, give wake up to tie, mar, EPO and Dlx servers to get a policy.

wake up agents
wake up agents

 

Once the servers get a policy, try again to delete the rule from Triggers, disable it and add the md5 hash. You will see that the problem has been resolved.

Disable the rule
Disable the rule
delete the rule
delete the rule

 

Leave a Reply

Your email address will not be published. Required fields are marked *