Skyhigh CASB Known and Resolved Issues
For Skyhigh Cloud Connector Known Issues, see Skyhigh Cloud Connector Known and Resolved Issues.
Date | Description and Workaround (if any) | Found in Release | Fixed in Release |
---|---|---|---|
June 9, 2022 | When an inline DLP policy is created for Exchange Online, and the policy is violated, an email notification is sent to internal or external users’ email addresses via To/From/Cc/Bcc fields with the remediation action to delete the message from the user's mailbox. The incident generated doesn’t show the information of the Bcc recipients. A known issue has been identified: when an email contains multiple events, such as Bcc recipients or internal and external recipients, the event that is processed first deletes the original violating email from the user's mailbox. The incident created for this event includes the Bcc recipients’ information along with the email message and associated metadata before the email is deleted. Because the email has already been deleted, the subsequent events can’t find it. As a result, the subsequent incidents cannot populate the Bcc recipients’ details. | 5.5.2 | - |
May 10, 2022 | When running the ODS Scan for OneDrive, the scan is auto-paused, and the status of the scan does not proceed from the initializing phase because a large user base results in rate limiting. The scan restarts and fetches the root folders from the beginning if there is an error during the initialization phase. This issue has been fixed by adding a feature flag to change the logic of fetching root folders from the ODS crawler phase instead of the initialization phase. To enable this feature flag, contact Skyhigh CASB Support for assistance. | 6.0.0 | |
March 28, 2022 | There is a known issue where the CWPP PoP/Agent may fail to communicate with Skyhigh CASB if it is older than one year. This happens because the certificate has expired. To fix the issue, renew your certificates, and then uninstall and reinstall the Agent. For details, see Known Issue - CWPP PoP/Agent May Fail to Communicate if Older than One Year. | 5.5.5 | 5.5.5 Hotfix |
March 2, 2022 | When DLP is used to process files, all DLP activities, including the reporting of DLP incidents, result in rate limiting, which doesn’t allow any CSPs to process their files. This is due to the CSP being flooded with too many file sync events. This issue has been fixed by adding a feature flag to skip DLP for specific events. The file sync events will not be processed if this feature flag is enabled. To enable this feature flag, contact Skyhigh CASB Support for assistance. | - | 5.5.5 |
Feb 17, 2022 | In a newly created UCE or Skyhigh CASB tenant, on the Policy Settings > Enterprise DLP > Unified Cloud Edge DLP tab, the Use Classifications defined in McAfee Endpoint DLP option is greyed out and can't be enabled. As a result, you can only create UCE-style policies for API-based Skyhigh CASB DLP policies. To also be allowed to create Skyhigh CASB DLP policies, contact Support. | 5.5.4 | - |
Feb 15, 2022 | There is a known issue where the Quarantine S3 bucket is not accessible to the root user. As a workaround, validation steps are to be performed on AWS Console and AWS CLI. For details on the workaround, see NRT DLP and Malware Scan for AWS S3. | 5.4.2 | 5.5.2 |
Dec 20, 2021 | When running the ODS Scan for Salesforce, Skyhigh CASB API starts sending bulk jobs and does not close automatically once the scan job is completed. This issue has been fixed by adding a feature flag to close the bulk jobs of Salesforce. Contact Skyhigh CASB Support for assistance. | - | 5.5.3 |
Dec 15, 2021 | McAfee Enterprise is aware of CVE-2021-44228, commonly referred to as Log4Shell, recently released by Apache. Attackers can leverage log messages or log message parameters to perform remote code execution on LDAP servers and other JNDI-related endpoints. This vulnerability is considered critical, with a CVSS(3.0) score of 10.0. For details, see McAfee Enterprise coverage for Apache Log4j CVE-2021-44228 Remote Code Execution. | - | - |
Oct 21, 2021 | For policies that use the Quarantine response action, Skyhigh CASB needs access to copy, update, and delete files from the folders. If the retention policy is enabled on the SharePoint site or list, we can’t delete the file or its contents. To fix this issue, remove the Quarantine response action from the policy or remove the retention policy from the SharePoint site. | 5.5.2 | - |
Oct 12, 2021 | The Incident Export API had the following limits, which were causing too many calls to the tenants and made them time out: Default: 100, Max: 10000. To fix this issue, the limits were changed to: Default: 50, Max: 500. For details, see Incidents API. | - | 5.5.0 |
Sept 28, 2021 | Deleted EC2 instances were available on the Analytics > Resources page. This issue was fixed by saving only the active instances. The terminated instances are discarded from the DB and no longer available on the Resources page. | - | 5.5.1 |
Sept 28, 2021 | On the Policy Incidents page, for files in the Item Name column, Incident file downloads failed if they were larger than 60 MB. Also, there was no error message explaining that the file was not found. This issue has been fixed. For details, see Large File Downloads. | - | 5.5.1 |
Aug 18, 2021 | Previously in On-Demand Scans, you couldn't scan external user chats posted in Teams. As a workaround, in the scan configuration, you could select the data scope as internal user email and external user email. Now, the issue is fixed and the ODS scans the messages posted by an external user in Teams. | - | 5.5.0 |
Aug 18, 2021 | If the federated chats or meetings created by external users don’t have a user email, ODS is unable to scan the messages posted in Teams, because ODS requires the user email to create the scan. You can only get the username from the federated chats or meetings, but without the user email, scans cannot be created and initiated. | 5.5.0 | - |
Aug 12, 2021 | When a DLP policy deletes files as a response action, there was a loophole where users could restore that file from the recycle bin or trash folder. That event was not recognized. This issue is now fixed. The event is recognized, and DLP policies are triggered again on restored files. | 5.3.2 | 5.5.0 |
Aug 12, 2021 | Microsoft Azure updated some of the Azure Security Center Recommendations; as a result, incidents failed to generate in Skyhigh CASB. This issue is fixed and we have aligned Skyhigh CASB policies with the latest Azure Security Center Recommendation policies. | - | 5.5.0 |
July 22, 2021 | When you upload a malware file in Microsoft Dynamics 365, the NRT DLP policy for Microsoft Dynamics 365 cannot be triggered. This is because Skyhigh CASB doesn't receive any events from Microsoft for malware-infected files. If the events are not received from Microsoft Dynamics 365 for the malware-infected files, then the NRT DLP Malware policy cannot be supported in Microsoft Dynamics 365. | 5.4.2 | - |
July 20, 2021 | Configuration Audit changes in Continuous Evaluation mode are sometimes causing inconsistent results in Resources and Policy Incidents. We have made a change to aggregate events before processing them to prevent the issue. | - | 5.4.2 |
July 20, 2021 | Previously, when you scanned a container image, items identified by different tags were counted as separate resources, even when they were referenced by the same container image. Now, when you do a scan (and don't filter out certain items), the number of Items Scanned in the scan results should match the number of Resources listed. For details, see Resources for Container Security. | - | 5.4.2 |
July 8, 2021 | Incidents for Security Groups with Security Configuration Audit Policies are now generated even for Security Groups that are not attached to EC2 instances. This will cause an increase in incident counts. | - | 5.4.1 |
July 8, 2021 | Previously, the Policy Incidents Cloud Card did not capture the transition of an incident to Open under Incident History, while other states are shown. This issue is fixed, and the incident history now reflects the correct workflow. | 5.4.1 | 5.4.2 |
July 8, 2021 | | 5.4.2 | |
June 14, 2021 | The upgrade from 5.4.0 HF to 5.4.1 in EU and Canada environments causes the PoP status to say that the PoP Manager is not in running state, or to set a PoP status to Unhealthy. To resolve this issue: | 5.4.1 | |
June 9, 2021 | In the Analytics > Users page, the user with detokenized permissions cannot search for plain text user names and source IP addresses from Omnibar. | 5.4.1 | |
June 7, 2021 | MVISION Cloud generates incidents for the misconfigured AWS security groups that are attached to EC2 instances but does not generate incidents for the misconfigured security groups that are not attached to any EC2 instances. This issue was fixed by updating the policies related to security groups so that they now also evaluate the non-attached security groups for any misconfigurations and generate incidents. After the fix, you may see an increase in the number of incidents being reported that is directly proportional to the number of misconfigured, non-attached security groups in your environment. As part of the fix, the following policies were modified: | - | 5.4.1 |
April 22, 2021 | When using MVISION Cloud - Cloud Access Policy for contextual access control, and a policy is configured so that unmanaged devices are allowed to access the Office 365 UI through web browsers, navigating to "Power Automate" (also known as "Flow") will cause the user to be logged out of the Office 365 session on the unmanaged device. Access to Office 365 from managed devices is not affected. As a workaround, McAfee suggests implementing a request classifier to block access to "Power Automate" from unmanaged devices. The functionality implemented with "Power Automate" is still fully functional; only the ability to create or edit these flows is then blocked when accessing Office 365 from an unmanaged / high risk device. Ref: AM-21967 | 5.3 | |
Dec. 17, 2020 | When configuring your Microsoft Azure instance to use with Security Configuration Audit, Azure will ask for approval to connect multiple times. Skyhigh CASB asks for consent and forces the user to go through the approval process due to the consent parameter in the OAuth URL. This is caused by configuring the security setting "App Approval Authorization Process" in your Azure tenant. For a workaround, see Workaround - Enable Security Configuration Audit for Microsoft Azure. | 5.2.2 | - |
Dec. 7, 2020 | Container Vulnerability Scans (CVS) are based on the Common Vulnerability Scoring System (CVSS), which assigns industry-standard scores to vulnerabilities. Skyhigh CASB uses CVSSv2 and CVSSv3, defaulting to CVSSv3 when there are differences. You may notice changes in the reported Vulnerability Severity as Skyhigh CASB upgrades from CVSSv2 to CVSSv3. | 5.2.2 | - |
Oct. 1, 2020 | If you have changed the weight of a Risk Attribute, there may be a mismatch in the value of the metrics displayed in the Cloud Service Advisor and the Services Overview. Skyhigh CASB does not consider tenant-specific overrides in risk scoring while computing services in the Cloud Service Advisor. | 5.1.1 | - |
Sept. 21, 2020 | IaaS Config Audit policy names were updated. Note the following issues: | 5.2.0 | - |
Aug 25, 2020 | Some Cloud Security Advisor metrics have been split into product-specific groups for Shadow IT, SaaS, and IaaS. For this reason, you may see a drop in your Visibility and Control scores. For details, see Cloud Security Report. | 5.1.2 | - |
Aug 18, 2020 | Known Issue for Intune Mobile Device Management (MDM) for New User Enrollment or iOS 13.x. Users on iPhones or iPad devices on iOS cannot enroll through the Intune application and are getting a blank page. This issue is resolved. For details, see Create a Cloud Access Policy for MDM. | 5.1.2 | 6.0.1 |
June 26, 2020 | When you create a vertical bar chart and update the dimensions, sometimes the chart will not load. If you select another chart type, such as line, donut, or horizontal bar, then switch back, the vertical bar chart is displayed. This issue will be fixed in a future release. | 5.1.0 | - |
Jan 20, 2020 | On the Incidents > Threats and Anomalies > Shadow Anomalies page, there is a known issue when you try to mark an anomaly as invalid, the button behaves irregularly. Sometimes the anomaly is marked invalid and sometimes it is not. Also, on the same page, when you use the button to add or remove a user from the Watchlist, the change is made in the backend, but the icon in the user interface does not reflect this. This will be fixed in a future release. | 4.2.2 | - |