cancel
Showing results for 
Search instead for 
Did you mean: 

HIPS Stored procedure HIP8SP_UpdateHIPProperties trashing SQL

We have been seeing for some time that this procedure is trashing ePO 5.3.2. McAfee cannot even tell us what it does, but I sense it runs each time somethig 'touches' HIPS. Like you run a query which includes the HIPS patch level. If you run a standard report in SQL for 'Object Execution Statistics' you may see millions of IOs against the SP. One of McAfee asnwers was to disable the SP, but they were unable to tell me what the impact of that it. Still, I do it during the day, else ePO is typically too slow to use.

We have no adaptive mode stuff.

I would appreciate input from others from the SQL report - maybe you have it too?

 

Labels (2)
6 Replies
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 2 of 7

Re: HIPS Stored procedure HIP8SP_UpdateHIPProperties trashing SQL

Hi Andrew,

Dev answered what it does when you had a case open for this. 

Hips updates product properties in every 60 seconds which will force to run HIP8SP_UpdateHIPProperties in every 60 seconds.  The procedure is syncing the HIP8_Properties table with HIP properties sent by end nodes, so the properties can be reported on in Dashboards and Queries.

You were given a script to update the procedure.  The original procedure had many joins, this has been reduced in the script provided.

Have you tested that script?

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: HIPS Stored procedure HIP8SP_UpdateHIPProperties trashing SQL

Yes, we tested the new script and I originally said it looked good, but then said the problem came back. DEV never explained why we would get 35 miliion IOs from it or what the true impact of stopping the procedure would be (although you guys were happy to suggest that we just stop it). I recently stopped it for a while and you will see I have another SR in process where the HIPS Status was showing as Unknown in a query for about 3000 systems - seems to be fixed by enabling the procedure - so I am guessing it does that at least.

We will be upgrading to 5.10 soon, so I am not sure there is much point doing a great deal more on this beforehand.

 

Re: HIPS Stored procedure HIP8SP_UpdateHIPProperties trashing SQL

Spoiler
This is still happening in ePO 510 and I think the knock-on effects are pretty dramatic.

Apart from the fact that it trashes performance, it also causes deadlocks in SQL. This stops the handlers from being able to send events in. This means the handlers keep trying, causing apache issues and excess connections. This in turn means that clients cannot talk to the handlers and do not get policies. Eventually the handlers give up and dump the events in the debug folder, where they stay until you go and look at them. If you ask McAfee what they are, they tell you they are 'probably not important' and give various explanations on why they might be there. I have also been told to just delete them. Rather than do this, I tried copying them to the EVENTS folder and the bulk then process. The remaining ones have other issues. That's another story.

Re: HIPS Stored procedure HIP8SP_UpdateHIPProperties trashing SQL

Also, purges cause IO issues. Depending on what you purge, SQL will again go nuts with a stored proc and cause deadlocks, which ripple back to the handlers. Sometimes these deadlocks seem to never clear. You can see the Stored Procs doing it from SQL in the  'Object Execution Statistics' report. I often end up running "dbcc freeproccache" to kill them off. Not entirely sure what the full impact of that it, but it has to be better than having ePO in a semi-non-functional state.

Highlighted
McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 6 of 7

Re: HIPS Stored procedure HIP8SP_UpdateHIPProperties trashing SQL

Please open a ticket with the hips team. An upgrade of epo shouldn't affect it one way or the other, as it is a point product stored procedure that is the problem. On the epo side, just make sure that update 4 is installed and the epoupdater log for the update shows no failures.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: HIPS Stored procedure HIP8SP_UpdateHIPProperties trashing SQL

Note that this was happening in 5.3.2 and continues to happen in 5.10u4. I have been through it already with the HIPS team and the advanced support team. Possibly even the engineering and SQL teams. Nobody really wants to touch it. At one point I was just told to disable the Stored Procedure in SQL, which is pretty crazy. That said, I do end up doing this some days when things are bad. For me, when I see 42 million IOs against an SQL SP when I open the firewall policy, that rings alarm bells straight away. But it seems only I have that response. Now that I am working with you on SQL deadlocks affecting handler event parsing, we will probably cross this bridge again.

More McAfee Tools to Help You
  • Subscription Service Notification (SNS)
  • How-to: Endpoint Removal Tool
  • Support: Endpoint Security
  • eSupport: Policy Orchestrator
  • Community Help Hub

      New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

    • Find Forum FAQs
    • Learn How to Earn Badges
    • Ask for Help
    Go to Community Help

    Join the Community

      Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

    • Get helpful solutions from McAfee experts.
    • Stay connected to product conversations that matter to you.
    • Participate in product groups led by McAfee employees.
    Join the Community
    Join the Community