serc09
Level 10
Message 1 of 12

Error while trying to duplicate VSE policies

Hey guys,

Using EPO 5.1.1 and VSE 8.8 P4 and, well, everything's working smoothly.

But while I'm trying to duplicate the 'McAfee Default - On-Access General Policies' I get the message 'An unknown error has occurred.' after clicking 'OK' in the window where I can name the copied policy.

I can duplicate the 'McAfee Default - Access Protection Policies' without any problems.

Also tried to give the copied policy a short name like 'test' - same error....

Hope anyone can help me out.

THX in advance

Kind regards

Serc

Accepted Solutions
mmcgary
Level 12
Message 6 of 12

Re: Error while trying to duplicate VSE policies

Run this query to get a general idea of where the space is going on the database. It's most likely the EpoEvents table, which is for all threat events:

-- dpages counts 8 KB data pages, so dpages * 8 / 1024 is the size in MB
select object_name(id) [Table Name],
       [Table Size] = convert (varchar, dpages * 8 / 1024) + 'MB'
from sysindexes where indid in (0,1)
order by dpages desc

In most cases a great number of Access Protection events is the reason for quick database growth. There's a default query in EPO in Queries and Reports called VSE: Top 10 Access Protection Rules Broken. Run that and see if you have a large number of events. If so, you may want to go through the most common events and see if you can add process exclusions to the Access Protection policy. The most common violation is event id 1095 for detected but not blocked.

If you want to purge all the events for 1095, for instance, and start fresh, you can use this query:

SET rowcount 10000 /* delete in batches of 10000 rows */

DELETE FROM epoEvents
WHERE threateventid = '1095'

WHILE @@rowcount > 0
BEGIN
  DELETE FROM epoEvents
  WHERE threateventid = '1095'
END
SET rowcount 0
GO

11 Replies
mmcgary
Level 12
Message 2 of 12

Re: Error while trying to duplicate VSE policies

Sounds like corrupt VSE extensions. Back up all your current policies/policy assignments/client tasks/queries for VirusScan and delete the VirusScan extensions from Menu/Software/Extensions. Check the latest extensions back in and confirm you can duplicate the policy without error. If so, import everything back in and things should work properly.

serc09
Level 10
Message 3 of 12

Re: Error while trying to duplicate VSE policies

THX for your answer.

I think I found the reason - a full SQL DB...

Will check with the SQL guys for help.

I'll keep you informed...

mmcgary
Level 12
Message 4 of 12

Re: Error while trying to duplicate VSE policies

Here's a SQL query to purge old events if you need it. Match the 2 dates up and it will purge all events before that date.


SET rowcount 10000

DELETE FROM epoEvents
WHERE detectedutc < '2015-04-22' /* will delete all events older than this date */

WHILE @@rowcount > 0
BEGIN
  DELETE FROM epoEvents
  WHERE detectedutc < '2015-04-22' /* this date must match date above*/
END
SET rowcount 0
GO

serc09
Level 10
Message 5 of 12

Re: Error while trying to duplicate VSE policies

Thx mmcgary,

this finally released ~600 MB - the DB is now 9.6 GB instead of 10.2 GB.

But I think I'll have to open a case with support because this isn't normal behaviour in my eyes.

The server was built from scratch in 08/2014, then I did some testing and it went live by the end of 10/2014.

The server manages 86 clients (16 never reported back to the server) and 9 months later I have reached the DB limit of 10 GB?

strange....

serc09
Level 10
Message 7 of 12

Re: Error while trying to duplicate VSE policies

Good Morning mmcgary,

thx for your help.

Yesterday I ran this script posted by you above:

SET rowcount 10000

DELETE FROM epoEvents
WHERE detectedutc < '2015-06-01' /* will delete all events older than this date */

WHILE @@rowcount > 0
BEGIN
  DELETE FROM epoEvents
  WHERE detectedutc < '2015-06-01' /* this date must match date above */
END
SET rowcount 0
GO

So I deleted all epoEvents before 1 June 2015, right?

When I now run the query "VSE: Top 10 Access Protection Rules Broken", are the results for the time from 1 June 2015 till now?

Here is the table showing where the space is going in the database:

[Image: epo-db-space.jpg]

Do you have a SQL query to list the event IDs and how often each one happened, just like the table with the database space?

mmcgary
Level 12
Message 8 of 12

Re: Error while trying to duplicate VSE policies

> So I deleted all epoEvents before 1 June 2015, right?
>
> When I now run the query "VSE: Top 10 Access Protection Rules Broken", are the results for the time from 1 June 2015 till now?

Yes and yes.

In EPO you have a default query named: Threat Event Descriptions in the Last 24 Hours. Duplicate that query and edit. On the 2nd page for "Chart" modify the "Labels are:" field with "Event ID". On the 4th page for "Filter" modify the "Event Generated Time" for whatever time frame you desire. Save and rename. This should give you a good list of all threat events sorted by Event ID.
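
For readers who want the per-event-ID counts asked for in Message 7 directly from the database, here is an added T-SQL example; it is not part of the thread or of McAfee's documentation. It uses only the table and column names that appear in the queries above (epoEvents, threateventid, detectedutc) and assumes threateventid is an integer column. The second statement is a single-cutoff variant of the batched purge, so the date is written in one place only; the cutoff date is a constructed sample value.

```sql
-- Added example, not from the thread. Names epoEvents, threateventid and
-- detectedutc come from the queries posted above; the int type is an assumption.

-- 1) How many events exist per event ID, largest first, with the time span
--    they cover. Use this to decide which IDs are worth tuning or purging.
SELECT threateventid,
       COUNT(*)         AS EventCount,
       MIN(detectedutc) AS OldestEvent,
       MAX(detectedutc) AS NewestEvent
FROM   epoEvents
GROUP  BY threateventid
ORDER  BY EventCount DESC;

-- 2) Batched purge of one event ID older than a cutoff.
--    DELETE TOP (n) replaces SET ROWCOUNT, which Microsoft documents as
--    deprecated for DELETE/INSERT/UPDATE. Small batches keep each
--    transaction, and therefore the transaction log, small.
--    Take a database backup first: purged threat events cannot be recovered.
DECLARE @EventId   int;
DECLARE @Cutoff    datetime;
DECLARE @BatchSize int;
DECLARE @Deleted   int;

SET @EventId   = 1095;          -- event ID chosen from the result of step 1
SET @Cutoff    = '2015-06-01';  -- constructed sample date
SET @BatchSize = 10000;
SET @Deleted   = 1;             -- non-zero so the loop runs at least once

WHILE @Deleted > 0
BEGIN
    DELETE TOP (@BatchSize)
    FROM   epoEvents
    WHERE  threateventid = @EventId
      AND  detectedutc   < @Cutoff;

    SET @Deleted = @@ROWCOUNT;  -- stop once a batch deletes nothing
END;
```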

serc09
Level 10
Message 9 of 12

Re: Error while trying to duplicate VSE policies

THX, i'll give it a try....

serc09
Level 10
Message 10 of 12

Re: Error while trying to duplicate VSE policies

Can we go in private message?
