cancel
Showing results for 
Search instead for 
Did you mean: 

Event reporting

Is there a policy setting that controls how often the ePO processes VirusScan events? :confused:

Situation: I am running ePO 4.0 Patch-4. I have serveral User-defined programs in the VS 8.5 PUP policy which have been triggered, in both real-world and testing scenarios. But the events don't show up in my ePO for several days. Even when I click Send Events from the host Status Monitor and can see the event being uploaded, the ePO doesn't display/report it for a few days. I would like to be able to see these events at least the same day they occur. Smiley Wink

Any help would be greatly appreciated. Smiley Happy

Regards,

JV
Tags (1)
4 Replies

RE: Event reporting

Anybody, anybody...Bueller, Bueller? grin
tonyb99
Level 13
Report Inappropriate Content
Message 3 of 5

RE: Event reporting

do you mean in data in reports or as notifications?

If its the notifications I would say you need to tweak the thresholds for minimums or if there should lots then allow more per hour/day whatever.

If its reports are you sure you are pulling in the data? I use the cmdagent.exe -p -e -c run after successfull dat updates to help get my data back to the server asap plus rolling wakeups.

Have you checked the parser log you may be getting events knocked back due to duplicate GUIDs, agent overinstalls of the agent 4, DAL errors or timeouts due to SQl failures etc etc etc

RE: Event reporting

I have a Notification rule setup to fire on each occurance of a User-defined PUP detection, and it works. But the "Event Generated" date and "Event Received" date are always days apart. Can't figure out why the disparity. Smiley Sad

The MA policy is set to wakeup and receive updates every hour, as well as, enforce policy every 5 minutes. So the events should be uploaded every hour.

While testing, I personally triggered the alert on my machine serveral times. Each time I clicked on "Send Events" in the McAfee Agent->Status Monitor, I could see the number of events, which corresponded to the number of triggered alerts, get uploaded to the ePO. It just takes a few days for the ePO to send a notification and/or show up in reports. :confused:

I'll see if I can locate the parser log you spoke of. Much appreciated.

Regards,

JV

RE: Event reporting

The Parser log didn't yeild any information that I could realily identify.

I did, however, figure out that anything left in quarantine will be reported as an event, at least daily, until deleted from quarantine. That's good to know. Smiley Wink

Any other thoughts on the "delayed reporting" quandary? :confused:

Regards,

JV