cancel
Showing results for 
Search instead for 
Did you mean: 
jjames
Level 8

EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

I've been given the task to manage my organization's McAfee EPO 4.6.  I've been able to troubleshoot and fix a number of issues thanks to searching through McAfee's Community, but I am currently having an issue with figuring out how to resolve a constant event being thrown (Event ID 1119).  If this was just a few computers I'd try a fresh install on each of the clients but unfortunately ~75% +/- of our computers are generating this error. 

I have found a similar issue involving VirusScan 8.7 where the fix is to apply patch 3, but these clients are all running VirusScan 8.8 patch 2; and I believe Patch 3 for 8.8 is only for Windows 8 or Server 2012.

Similar to the issue in 8.7; the event will be thrown for a client even if they are updated to the current DAT.  I have even physically examined the client to see what version they are running to verify everything matches. 

     - I can see the progression in the EPO queries/reports for threats by events for each client saying "update failed" and it displays the incorrect version (i.e 9/13 - 7195 ... 10/1 -7213, 10/2 -7214, 10/3 -7215, 10/4 -7216)

     - I look at the client (through EPO or physically go to the PC) on any given day, and it shows the current release for the client (ie. for today 10/4/13 the event message 1119 will say 7216, client says it's 7217)

     - I check the client's log file, and it shows the update went through without any problems for each of the days.

I am running McAfee EPO on Windows Server 2008 Enterprise (32 bit).  All Clients are Windows 7 Professional (64 bit).

If this is a known issue and I have somehow overlooked the discussion where it is answered, please let me know...

If additional information/log files are needed, please let me know and I will provide them.

Thank you.

-Jason James;

Message was edited by: jjames on 10/4/13 12:44:22 PM CDT
0 Kudos
1 Solution

Accepted Solutions
jjames
Level 8

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

I had to submit a ticket for this, but I was given a reply and a fix.  I apologize for not posting it sooner I got distracted with other work items.  But the following is an excerpt from McAfee on how to fixt this error.

"If you note the timestamps, the two update tasks are running at the same time. The task ending in 82F5 is a locally configured task on the client (not configured in ePO). In the VSE 8.8 policy you can go to the  General Options Policies  >Display Options > and select to “Disable Default AutoUpdate Task Schedule.” This should prevent the task conflict and further prevent the event 1119 creation."

Once this setting was applied the only time I received the 1119 event message one additional time for each computer and afterwards it stopped.  The only time I still receive the Event 1119 message is if I'm dealing with a computer that was offline when we applied the fix but it is still only a one time deal.

Hope this helps...

-Jason;

Message was edited by: jjames on 5/27/14 10:35:14 AM CDT

on 5/27/14 10:36:55 AM CDT
0 Kudos
11 Replies
jjames
Level 8

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

Does anyone have a thought of what is causing this issue or what I can try to resolve this problem?

0 Kudos
roebbu
Level 9

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

What's the exact error message of EventID 1119?

I have also ePo 4.6.6, VSE 8.8 P2 and Win7 x64 but it's running smoothly.

0 Kudos
jjames
Level 8

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

I've included today's (10/15/2013) Event message from the server, the client update log file, and a screen shot showing the event 1119 messages for one of the many computers generating this issue.  In regards to the screen shot - all items listed are for a single computer. 

It's not as bad as having over a million 1092 & 1095 events (I had 50,000 to 100,000 of those two events being generated every day because of VM servers), but I'm still having several hundred 1119 events being generated daily which still makes it difficult to examine logs and find items that need to be addressed.

If additional information is needed, or I'm missing something in the logs let me know.

Thanks,

-Jason;

Server - Event 1119 Message

Server ID: <removed>
Event Received Time: 10/15/13 8:39:43 AM
Event Generated Time: 10/15/13 7:40:39 AM
Agent GUID: <removed>
Detecting Prod ID (deprecated): VIRUSCAN8800
Detecting Product Name: VirusScan Enterprise
Detecting Product Version: 8.8
Detecting Product Host Name: <removed>
Detecting Product IPv4 Address: <removed>
Detecting Product IP Address: <removed>
Detecting Product MAC Address: 
DAT Version: 7227.0000
Engine Version: 5600.1067
Threat Source Host Name: 
Threat Source IPv4 Address: <removed>
Threat Source IP Address: <removed>
Threat Source MAC Address: 
Threat Source User Name: 
Threat Source Process Name: 
Threat Source URL: 
Threat Target Host Name: <removed>
Threat Target IPv4 Address: <removed>
Threat Target IP Address: <removed>
Threat Target MAC Address: 
Threat Target User Name: SYSTEM
Threat Target Port Number: 
Threat Target Network Protocol: 
Threat Target Process Name: 
Threat Target File Path: 
Event Category: Update ended
Event ID: 1119
Threat Severity: Warning
Threat Name: none
Threat Type: None
Action Taken: none
Threat Handled: true
Analyzer Detection Method: AutoUpdate

Event Description: The update failed; see event log


Client Update Log

10/15/2013 7:40:37 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate
10/15/2013 7:43:07 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Checking update packages from repository <Removed>

10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Initializing update...
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying catalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting catalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: catalog.xml
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM These updates will be applied if they are in the repository:  Engine, DAT, VSCANCEU1000, EXTRADAT1000, BOCVSE__1000, SUPERDAT1000, VIRUSCAN8800.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Downloading PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: PkgCatalog.xml
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying V2engdet.mcs.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest Engine.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Downloading PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: PkgCatalog.xml
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying V2datdet.mcs.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest DATs.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying BocDet_VSE.McS.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Searching available updates for BOC DAT.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Downloading PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting PkgCatalog.z.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: PkgCatalog.xml
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest BOC DAT.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying VSE880Det.McS.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Searching available updates for McAfee VirusScan Enterprise 8.8.0.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest HotFix 793781.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest Patch 2.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest HotFix 805660.
10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Update Finished

Screen Shot of EPO showing Events for a single computer

Event_1119_Error.jpg

0 Kudos
mbauman8
Level 11

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

hi James,

What about this:

Event ID 1119 — Network Name Resource Availability

http://technet.microsoft.com/en-us/library/cc773512%28v=ws.10%29.aspx

Check DNS configuration

     

The Network Name resource could not register one or more Domain Name System (DNS) names. If you do not currently have Event Viewer open, see "Opening Event Viewer and viewing events related to failover clustering." If the event contains an error code that you have not yet looked up, see "Finding more information about error codes that some event messages contain." After reviewing event messages, check the following:

     

Can you give more details?

Thanks

Martin

0 Kudos
jjames
Level 8

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

Just in case I did check the Windows Logs, and did not find the Event ID 1119.  However, the early errors that I did fix on the server was the "CAPI2" Event ID 11, and the "Apache Services" Event ID 3299 both of which were handled before I started messing the EPO last month.  I have corrected the 11 and 3299 so I am unsure if mentioning them even matter at this point.  I also went into the DNS and veirfied several of the clients (including the one I've posted about above) were present.

At this time, as far as I can tell, everything is in regards to the McAfee EPO, agents, and VirusScan Enterprise.

The Event ID 1119 is stating that the updates are failing and an Event is being generated in the EPO, when examining the client (either through the EPO Server, accessing through the network, or physically going to the Client computer) it shows that it is fully up to date.  The Client logs (as posted above) also do not seem to point to any update failure.  The logs (both EPO and Client side) are pretty much identical accross the board from the number that I have examined (I have not examined all but a good portion of them). 

The only thing I can consider is that the client is requesting the update twice, the EPO is timing out or mis-interpretting when the update is submitted/finished for the client.  From the logs posted above:

Server Side

Event Received Time: 10/15/13 8:39:43 AM

Event Generated Time: 10/15/13 7:40:39 AM

Client Side

10/15/2013 7:40:37 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate

10/15/2013 7:43:07 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate

...

10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Update Finished

According to this, at 7:40 the event is generated but the update isn't competed until 7:43 after the update starts again (I'm guessing that's what the two back to back AutoUpdates mean).  This occurs through all the logs I've examined.

If there is anything specific that anyone would like me to include, let me know and I will see about posting it.

Thanks,

-Jason;

0 Kudos
jjames
Level 8

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

Were there anymore thoughts on this matter?  I've still not come up with any solutions on my end. 

if someone wants a specific log / report / infomation to help get a better understanding please let me know and I will see about getting it posted.

Thanks,

-Jason;

0 Kudos
jjames
Level 8

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

Just in case it helps anyone have an idea...

I was going through the list on the EPO server and noticed that some of the computers suddenly stopped generating the event message, and then a few others that had been performing fine suddenly started generating the event message (EVENT ID 1119).

I'm at a loss here, is this a known issue that I've somehow overlooked?  Am I S.O.L. and just have to deal with it?

0 Kudos
mbauman8
Level 11

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

hi james,

did you deploy all hotfix?

did you update and install all ms patches? (just to be sure that it is no other issue )

martin

=======

IMPORTANT: VSE 8.8 Patch 2 requires the following hotfixes to be installed in the following order: Hotfix 805660, 778101, 820636, then Hotfix 846582.

https://kc.mcafee.com/corporate/index?page=content&id=KB77043

https://kc.mcafee.com/corporate/index?page=content&id=KB75374

https://kc.mcafee.com/corporate/index?page=content&id=KB76727

https://kc.mcafee.com/corporate/index?page=content&id=KB78149

0 Kudos
jjames
Level 8

Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

Jump to solution

Yes the MS Updates are current.  As for the VSE 8.8 Hotfixes, I've got 805660, 793781, and 778101 already setup in the EPO.  I checked in the my products > downloads > VSE 8.8 > Patches, but I did not see the others listed.

On a side note, it looks like I fixed a single re-occurring event 1119 issue on a server running VSE 8.7 patch 5, by updating the engine 5300 to 5600. 

Unfortunately the VSE 8.8 computers already have their engine at 5600.  I did however try updating a few of their agents from 4.6 to 4.8...This does not appear to fix the problem since I am still getting the Event 1119 update failed from those computers.

-Jason;

0 Kudos