Hey guys,
Using EPO 5.1.1 and VSE 8.8 P4 and well, everything's working smoothly.
But while I'm trying to duplicate the 'McAfee Default - On-Access General Policies' I get the message 'An unknown error has occurred.' after clicking 'OK' in the window where I can name the copied policy.
I can duplicate the 'McAfee Default - Access Protection Policies' without any problems.
Also tried to give the copied policy a short name like 'test' - same error....
Hope anyone can help me out.
THX in advance
Kind regards
Serc
Run this query to get a general idea of where the space is going in the database. It's most likely the EpoEvents table, which holds all threat events.
select object_name(id) [Table Name],
[Table Size] = convert (varchar, dpages * 8 / 1024) + 'MB'
from sysindexes where indid in (0,1)
order by dpages desc
In most cases a great deal of Access Protection events are the reason for quick database growth. There's a default query in EPO in Queries and Reports called VSE: Top 10 Access Protection Rules Broken. Run that and see if you have a large amount of events. If so you may want to go through the most common events and see if you can add process exclusions to the Access Protection policy. The most common violation is event id 1095 for detected but not blocked.
If you want to purge all the events for 1095 for instance and start fresh you can use this query:
SET rowcount 10000
DELETE FROM epoEvents
WHERE threateventid = '1095'
WHILE @@rowcount > 0
BEGIN
DELETE FROM epoEvents
WHERE threateventid = '1095'
END
SET rowcount 0
GO
Sounds like corrupt VSE extensions. Back up all your current policies/policy assignments/client tasks/queries for Virusscan and delete the Virusscan extensions from Menu/Software/Extensions. Check the latest extensions back in and confirm you can duplicate the policy without error. If so import everything back in and things should work properly.
THX for your answer.
I think I found the reason - a full SQL DB...
Will check with the SQL guys for help.
Keep you informed...
Here's a sql query to purge old events if you need it. Match the 2 dates up and it will purge all events before that date.
SET rowcount 10000
DELETE FROM epoEvents
WHERE detectedutc < '2015-04-22' /* will delete all events older than this date */
WHILE @@rowcount > 0
BEGIN
DELETE FROM epoEvents
WHERE detectedutc < '2015-04-22' /* this date must match date above*/
END
SET rowcount 0
GO
Thx mmcgary,
this finally released ~600MB - the DB is now 9.6 GB instead of 10.2 GB.
But I think I'll have to open a case with support because this isn't normal behaviour in my eyes.
The server was built from scratch in 08/2014, then I did some testing and it went live by the end of 10/2014.
The server manages 86 clients (16 never reported back to the server) and 9 months later I have reached the DB limit of 10 GB?
strange....
Good Morning mmcgary,
thx for your help.
Yesterday I ran the script you posted above:
SET rowcount 10000
DELETE FROM epoEvents
WHERE detectedutc < '2015-06-01' /* will delete all events older than this date */
WHILE @@rowcount > 0
BEGIN
DELETE FROM epoEvents
WHERE detectedutc < '2015-06-01' /* this date must match date above */
END
SET rowcount 0
GO
So I deleted all epoEvents before 1 June 2015, right?
When I now run the query "VSE: Top 10 Access Protection Rules Broken", are the results from 1 June 2015 till now?
Here is the table where the space is going in the database:
Do you have a SQL query to list the event ID and how often it happened, just like the table with the database space?
So i deleted all epoEvents before 1. June 2015, right?
When i now run the query "VSE: Top 10 Access Protection Rules Broken", are the results in the time from 1. June 2015 till now?
Yes and yes.
In EPO you have a default query named: Threat Event Descriptions in the Last 24 Hours. Duplicate that query and edit. On the 2nd page for "Chart" modify the "Labels are:" field with "Event ID". On the 4th page for "Filter" modify the "Event Generated Time" for whatever time frame you desire. Save and rename. This should give you a good list of all threat events sorted by Event ID.
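For anyone who prefers to get the per-event-ID breakdown straight from SQL rather than the ePO query builder, here is an added example (not posted by anyone in this thread). It uses only the epoEvents columns already named above (threateventid, detectedutc) and the same 2015-06-01 cutoff as the purge, and it also counts how many rows a purge would remove before anything is deleted.

```sql
-- Added example, not from the thread. Assumes the epoEvents table with the
-- threateventid and detectedutc columns used in the purge script above.
DECLARE @cutoff datetime = '2015-06-01';   -- same date as the purge script

-- 1) Dry run: how many rows would the purge remove? Check this before running
--    the DELETE loop so the number of affected events is known in advance.
SELECT COUNT(*) AS [Rows Older Than Cutoff]
FROM epoEvents
WHERE detectedutc < @cutoff;

-- 2) Event volume per Threat Event ID since the cutoff, with first/last seen
--    and share of the total. The top rows are the candidates for Access
--    Protection process exclusions (1095 = detected but not blocked).
SELECT
    threateventid,
    COUNT(*)                                      AS [Events],
    MIN(detectedutc)                              AS [First Seen],
    MAX(detectedutc)                              AS [Last Seen],
    CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER ()
         AS decimal(5,1))                         AS [Pct of Total]
FROM epoEvents
WHERE detectedutc >= @cutoff
GROUP BY threateventid
ORDER BY COUNT(*) DESC;
```

Run it against the ePO database in SQL Server Management Studio; the second result set is the SQL equivalent of the duplicated "Threat Event Descriptions" query with "Labels are:" set to Event ID.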
THX, i'll give it a try....
Can we go in private message?