VSE 8.8 Event ID 1202 filtering issue?

We are still evaluating 8.8, but I noticed that we are only getting our 1202 events (On-demand scan started) from systems with 8.7.

I double-checked...

  • the Event Filtering is still set to accept and parse these
  • the latest VSE extensions are installed
  • the events are being generated (and sent) on the client side
  • the event ID in the client-side XML file is accurate

I seem to be getting 1203 (On demand scan complete) just fine, but it's awfully hard for me to calculate how long the scans are taking with only half of the story.

Anyone else notice anything like this? I figured I would come here, before going to support (*twitch, wince, groan*).

--Joel E.

jguenrdc

Re: VSE 8.8 Event ID 1202 filtering issue?

I have noticed this with 8.8 also.  In ePO, only the 1203 event is shown in the Threat Event Log.  The 1203 event's "event generated time" (which is how it is sorted in the Threat Event Log) is the on-demand scan start time, and the "event received time" (you can see this by clicking on the entry in the Threat Event Log) is when the scan completed.  It seems like a bug to me.  I like the way 8.7 does it better, with both events showing up in the Threat Event Log.

Jay

Message was edited by: jguenrdc on 5/20/11 5:30:23 PM CDT

Re: VSE 8.8 Event ID 1202 filtering issue?

I have looked over the data from these 8.8 test systems for the past week or so. At first it looked like what you suggested was true, but then I noticed more and more discrepancies.

After using a spreadsheet to review the ODS log data (adjusted for timezone) and compare to the ePO event data, I believe DetectedUTC and ReceivedUTC both remain accurate labels and values. But still need the start times!

--Joel E.

Re: VSE 8.8 Event ID 1202 filtering issue?

Opened a support ticket, sent them MER output, still waiting...

--Joel E.

Re: VSE 8.8 Event ID 1202 filtering issue?

Sorry for the delayed result.....

Support stated that this would be resolved with patch 1 for VSE 8.8; however, they declined to confirm my assumption that the fix would be in the ePO extension rather than in the client-side software.

I'm assuming that the release would be in the October timeframe, but no official word.

Thanks,

--Stephen

dmcgeary McAfee Employee

Re: VSE 8.8 Event ID 1202 filtering issue?

It will not be an "extension" - ePO side fix. Until Patch 1, you may want to turn off the event in event filtering, because it is just getting error’d out when it hits the event parser. Might as well save Event Parser the work.

Re: VSE 8.8 Event ID 1202 filtering issue?

dmcgeary, do you have some other info that supports your rather definitive statement?

I have compared the client-side XML files generated when 8.8 is installed with the 8.7 XML files. I couldn't find any difference between the 1202's made by either version (aside from product version)... no extra spaces, no odd characters, etc. So, my assumption is that the client-side of this is working properly, and that the error is on the event parser side of things--which indicates an ePO extension as the solution.

I'm not concerned about the Event Parser performance. Our handlers all have been ridiculously over-powered from day one; moreover, since the 4.6 upgrade, they have also been remarkably stable as well.

--Joel

dmcgeary McAfee Employee

Re: VSE 8.8 Event ID 1202 filtering issue?

What do you see for a time stamp in the 1202 event that is reported by the client?

Re: VSE 8.8 Event ID 1202 filtering issue?

Ha ha! Good call!

<GMTTime>1899-12-30T00:00:00</GMTTime><UTCTime>1601-01-01T04:00:00</UTCTime>

When going back and forth, I was expecting the timestamps not to match, but it didn't occur to me that the value would be sooooo messed up.

Thanks!

--Joel

on 8/24/11 1:04:55 PM EDT
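
Added example, not part of any post in this thread and not McAfee code: the two values quoted above are the zero points of two time formats (1899-12-30 is OLE Automation date 0.0, 1601-01-01 is Windows FILETIME 0), so a check like the one below flags events whose timestamps were never filled in. Only the `GMTTime` and `UTCTime` element names come from the thread; the `<Event>` wrapper, the `<EventID>` element and the "good" sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Zero values of common time representations, rendered as calendar dates.
SENTINELS = {
    "OLE Automation date 0.0": datetime(1899, 12, 30),
    "Windows FILETIME 0": datetime(1601, 1, 1),
    "Unix time 0": datetime(1970, 1, 1),
}
# A zero value pushed through a time-zone conversion lands within a day of
# its epoch (the UTCTime quoted in the thread is 04:00:00, not midnight).
SLACK = timedelta(hours=24)
TIME_TAGS = ("GMTTime", "UTCTime")  # element names quoted in the thread


def classify(ts_text):
    """Return the name of the matching zero value, or None if plausible."""
    ts = datetime.strptime(ts_text.strip(), "%Y-%m-%dT%H:%M:%S")
    for name, epoch in SENTINELS.items():
        if abs(ts - epoch) <= SLACK:
            return name
    return None


def audit_event(xml_text):
    """Return (tag, value, reason) for every suspect timestamp in one event."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag in TIME_TAGS and elem.text:
            try:
                reason = classify(elem.text)
            except ValueError:
                reason = "unparseable timestamp"
            if reason:
                findings.append((elem.tag, elem.text.strip(), reason))
    return findings


# Constructed samples: wrapper and EventID element are hypothetical.
BROKEN_1202 = ("<Event><EventID>1202</EventID>"
               "<GMTTime>1899-12-30T00:00:00</GMTTime>"
               "<UTCTime>1601-01-01T04:00:00</UTCTime></Event>")
GOOD_1203 = ("<Event><EventID>1203</EventID>"
             "<GMTTime>2011-08-24T17:04:55</GMTTime>"
             "<UTCTime>2011-08-24T17:04:55</UTCTime></Event>")

if __name__ == "__main__":
    for label, doc in (("1202", BROKEN_1202), ("1203", GOOD_1203)):
        print(label, audit_event(doc) or "timestamps look plausible")
```
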
wwarren McAfee Employee

Re: VSE 8.8 Event ID 1202 filtering issue?

The date/time stamp problem for this event (and some others) will be fixed with Patch 1 for 8.8.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee