Hello all. I have two networks I'm currently managing with the below McAfee products:
ePO 5.10
McAfee Agent 5.7 for Windows
VSE 8.8 Patch 15
(Non-McAfee) SQL Server 18.8
I have the same user permissions, domain admin and SQL accounts on both of my networks and the same Mixed Authentication mode established in my SQL DBs.
My trouble network, we'll call her Karen, is not currently reporting any Threat Events detected by VSE's On-Access scanner. There are also 0 files in the _Events DB on SQL and I've confirmed drilling down into the dbo.EPOEvents table is completely blank. I created an EICAR.txt file on a system on Karen and when I tried to access the file, the On-Access scanner for McAfee correctly caught and removed the file. An event was generated and stored in the On-Access scanner logs and the event was successfully uploaded to ePO according to the McAfee Status Monitor on the system. Now on Karen's ePO server, if I navigate to \DB\Events there is a folder called Debug and I see an XML file that shows the EICAR file found on the network device, the system name, action taken, all the usual data that gets loaded into Threat Events on ePO.
So, so far I've confirmed the VSE version is working on the system, the McAfee agent is correctly trying to load the event to ePO, and ePO receives the threat entry for further processing. I go to check the eventparser logs and I see where the VirusScan DLL files are successfully loaded after the syslog thread. Next I see the <UpdateEvents>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.xml and after that is this:
#09172 VseBLL DAL->ExecQuery failed. hr=80004005
#09172 EVNTPRSR source/server.cpp(1064): COM Error 0x0800004005, source=(null), desc=(null), msg=Unspecified error
After this, it attempts to requeue the XML for retry and repeats this process, failing over and over. Now "Bob", my other network, is working 100% correctly with the same setup. EICAR.txt is deployed on a system, On-Access scan responds and sends an event to ePO, it's present in my DB and my ePO Dashboard correctly shows the information.
Further troubleshooting:
----------------------------------
Since it was the same software/accounts/permissions on both my networks, I went ahead and killed Karen's ePO and SQL DB, and started over from scratch. All DBs loaded correctly, dbo account configured, and after installing ePO the dbo account correctly syncs. I load the McAfee agent/VSE into my master repository and push it out to a different box for testing. Deploy the EICAR.txt and again, it correctly handles the file and loads an event to ePO. It's still just sitting there in \DB\Events\Debug...
Luckily it's Friday, so it's time to relax with a beer and come back to this Monday. Any and all thoughts or suggestions are greatly appreciated!
---------------------------------------------------------
EDIT: Update!
Installing CU 12 for my SQL 2019 instance and restarting my server apparently did the trick. My events are now successfully being parsed from \DB\Events and I now see logs in both the epo_events database and my threat events on ePO. I'll install the CU in my other network (which...is still working with no issue, but good practice). Thanks everyone for the troubleshooting assistance, it was a weird one!
Check https://kc.mcafee.com/corporate/index?page=content&id=KB92701
The issue is resolved in SQL Server 2019 Cumulative Update 6 (CU6).
Hello @cluce
Please refer to the KB articles below, which match the error you posted.
https://kb.mcafee.com/corporate/index?page=content&id=KB87582
https://kc.mcafee.com/corporate/index?page=content&id=KB53035
Try checking the eventparser.log in detail and see whether you are seeing anything or not.
Also, I would like to request you to try restarting the event parser service and see whether any events are getting parsed or not.
If there is no luck, you might need to open a service request with the McAfee Support team.
Thanks
What version of sql are you running? If 2019, try lowering the compatibility level a little. What versions of report extension do you have checked in for VSE?
Good morning!
Correct, SQL 19, running at 150 compatibility level at this time. The issue there is that my good network is working at 150 currently.
VSE Reports extension 1.2.0.463
VSE Version 8.8 Patch 15
Hmm, interesting point about the compatibility level. I accessed my sql error logs and saw the EXCEPTION_ACCESS_VIOLATION entry. Although my other network is running the same version of SQL, and while at 150 (2019), I can try lowering this one just to see what happens. I'll report back shortly.
Good morning!
I had restarted the eventparser service, but I tried again this morning. Eventparser log comes up and I loaded another eicar.txt to test; the local On-Access scan correctly sees it, cleans it and loads the event. Eventparser fails to process the .txml with error 0x80004005, source=(null), msg=unspecified error, failed to process file D:\McAfee\ePolicy_Orchestrator\DB\Events\blahblahblah.txml, XML file error count 1
I had been using that 2nd link you provided for troubleshooting steps, I'll look into that first link you provided and follow up from there. Thanks!
We have a few articles with the mentioned errors (great troubleshooting btw 🙂).
Could you please share the event parser log at log level 8 in a private message?
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Good morning!
Thank you, I've tried to track this specific issue down, as mentioned in my other replies it's a fun one as I have the exact same software versions on my other network and everything's working fine. I'm not sure about log level 8 or how to access, could you point me to a link for reference and I'll see what I can do? I do not have internet connection but I can jot down some notes to send here.
Did you test lowering the compatibility yet? Also verify the build of your sql is at cu6 or higher:
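The two checks the reply above asks for (SQL Server build at CU6 or higher, and the compatibility level of the ePO databases), written out as an added T-SQL example. This is not from the thread, KB92701 or McAfee; the database names ePO_DB and ePO_DB_Events are placeholders for your own ePO and events database names, and the CU6 threshold is the one quoted from KB92701 earlier in the thread.

```sql
-- Added example, not McAfee's or the thread's own code.
-- Placeholders: ePO_DB (main ePO database), ePO_DB_Events (events database).
-- Run in SSMS or sqlcmd against the instance that hosts ePO.

-- 1. Patch level of the instance. KB92701 (quoted in the thread) says the
--    event parser failure hr=80004005 with EXCEPTION_ACCESS_VIOLATION in the
--    SQL error log is fixed in SQL Server 2019 CU6, so a 2019 instance
--    (major version 15) reporting a lower CU, or no CU at all, is suspect.
SELECT
    SERVERPROPERTY('ProductVersion')      AS product_version,   -- e.g. 15.0.xxxx.x
    SERVERPROPERTY('ProductMajorVersion') AS major_version,     -- 15 = SQL Server 2019
    SERVERPROPERTY('ProductUpdateLevel')  AS update_level,      -- e.g. 'CU12'; NULL on RTM/GDR-only builds
    CASE
        WHEN CAST(CAST(SERVERPROPERTY('ProductMajorVersion') AS NVARCHAR(8)) AS INT) <> 15
            THEN 'not SQL Server 2019: KB92701 does not apply'
        WHEN SERVERPROPERTY('ProductUpdateLevel') IS NULL
            THEN 'no CU reported: below CU6, apply CU6 or later'
        WHEN TRY_CAST(REPLACE(CAST(SERVERPROPERTY('ProductUpdateLevel') AS NVARCHAR(16)), 'CU', '') AS INT) >= 6
            THEN 'CU6 or later: KB92701 fix present'
        ELSE 'below CU6: apply CU6 or later'
    END AS kb92701_status;

-- 2. Compatibility level of the ePO databases. 150 = SQL Server 2019,
--    140 = SQL Server 2017. The thread's poster was at 150 on both networks.
SELECT name, compatibility_level, state_desc
FROM sys.databases
WHERE name IN (N'ePO_DB', N'ePO_DB_Events');   -- placeholder names

-- 3. Temporary workaround discussed in the thread while the CU is pending:
--    drop the ePO databases from 150 to 140. Uncomment only if needed and
--    put the level back to 150 once the instance is on CU6 or later.
-- ALTER DATABASE [ePO_DB]        SET COMPATIBILITY_LEVEL = 140;
-- ALTER DATABASE [ePO_DB_Events] SET COMPATIBILITY_LEVEL = 140;

-- 4. Verification after the change: the thread confirmed the fault by an
--    empty dbo.EPOEvents table, so a rising row count after the next EICAR
--    test shows the event parser is writing to the database again.
SELECT COUNT(*) AS threat_event_rows
FROM [ePO_DB].dbo.EPOEvents;
```

Run step 1 and 2 first and keep the output; if the instance is SQL Server 2019 below CU6 with the ePO databases at level 150, the thread's outcome (CU applied, then events parsed) is the expected fix, and step 4 gives a quick before/after count without opening the ePO console.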