
No threat events...

Since 9/30/2013, ePO doesn't show any Virusscan Threat events anymore.

I know we had an expired license key around that time. I updated the key and everything works great but no events...

I tested the clients and they gave no connection errors to the server.

I updated the clients from 4.6 to 4.8. Working as a charm but still no threat events.

I did all Windows Updates but no effect.

I updated ePO from 4.6.4 to 4.6.6. Everything went like a charm but still no events...

The events from Exchange are working.

The clients get their DAT updates and are reporting their info back to the ePO server.

Deployment of agents and virusscanner (8.8 P2/3) are working great.

Does anyone have any idea where to look to resolve this problem?

Accepted Solutions

Re: No threat events...

I might start by ensuring that they are being sent successfully. Use the EICAR test string to verify your workstation can generate an event (look for the XML file). Then watch that folder when you use the "Send Events" function of the Agent's Status Monitor. If the XML file is generated and disappears (gets uploaded), then you can likely rule out any client-side problems.

Then, I would take a look at the Events folders on each Agent Handler and the ePO server. You should see files cycling through as they are processed. I would probably also check the Event Parser services on any/all Agent Handlers and the ePO server itself. Restart them, just for giggles.

Lastly, review anything related to the database. Maybe the table is full or the data file isn't set to grow. I suppose there could also be problems with purging tasks or the Event Filtering configuration that would limit this data.

Take a stab at a few of these and let us know what you find!

--Joel

Re: No threat events...

I tested sending an event as you described. Works like a charm.

The only Agent Handler we have is the server itself. I looked at the folder. The events in that folder are processed but when I take a look at the DEBUG folder, there are 24.000+ events! So I found them! Now I have to find a way to let ePO process them.

With a quick internet search I found the following remark: "Events with an outdated or not installed Reports Extension will store the not parsed Event in DB\Events\DEBUG."

So I have to find out what is wrong with the reports extension... Or are there other possibilities for this behaviour?

Message was edited by: sushi78 on 11/8/13 1:53:31 AM CST

Re: No threat events...

It turns out the Reports Extension was missing....

And it's clear why...

I removed VSE 8.7 from the Software manager. That, apparently, uninstalls the Reports Extension from VSE 8.8.

I checked in VSE8.8 Reports Extension again and now I'm also the owner of Reports Extension VSE 8.7 again?!?!?! Strange?

I processed the events now. Turns out there were some very old Exchange events waiting in the debug folder.

Thanks a lot!!

Message was edited by: sushi78 on 11/8/13 2:19:08 AM CST

Message was edited by: sushi78 on 11/8/13 4:44:51 AM CST

Re: No threat events...

Anything that the parser has trouble dealing with will land in that DEBUG folder. You can try to move them from there, back into the parent folder maybe a thousand at a time. If there is still a parsing problem, they will land in the debug again.

Hopefully, this will get you all (or at least most) of your missing data.

--Joel
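
The batch requeue suggested in the last reply, as an added PowerShell example that is not part of the original posts or of any McAfee tooling. `$EventsDir` is a placeholder for the server's `DB\Events` folder; the script assumes the Event Parser service is running and that a rejected file returns to `DEBUG` under its original name.

```powershell
# Added example: move unparsed events out of DEBUG in batches and report
# how many the parser accepted versus sent back to DEBUG.
param(
    [Parameter(Mandatory)] [string] $EventsDir,  # placeholder: path to ...\DB\Events
    [int] $BatchSize = 1000,                     # "a thousand at a time"
    [int] $DrainTimeoutSec = 600                 # max wait per batch
)

$debugDir = Join-Path $EventsDir 'DEBUG'
if (-not (Test-Path -LiteralPath $debugDir -PathType Container)) {
    throw "DEBUG folder not found under $EventsDir"
}

# Snapshot once, oldest first, so files rejected again are not retried forever.
$pending  = @(Get-ChildItem -LiteralPath $debugDir -File | Sort-Object LastWriteTime)
$rejected = 0

for ($i = 0; $i -lt $pending.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $pending.Count) - 1
    $batch = @($pending[$i..$last])
    foreach ($f in $batch) {
        Move-Item -LiteralPath $f.FullName -Destination $EventsDir -ErrorAction Stop
    }

    # Wait until the parser has picked up every file of this batch.
    $deadline = (Get-Date).AddSeconds($DrainTimeoutSec)
    do {
        Start-Sleep -Seconds 5
        $left = @($batch | Where-Object { Test-Path -LiteralPath (Join-Path $EventsDir $_.Name) })
    } while ($left.Count -gt 0 -and (Get-Date) -lt $deadline)

    if ($left.Count -gt 0) {
        Write-Warning "$($left.Count) file(s) still queued after ${DrainTimeoutSec}s; stopping."
        break
    }

    # Assumption: a file that is back in DEBUG with the same name failed to parse again.
    $back = @($batch | Where-Object { Test-Path -LiteralPath (Join-Path $debugDir $_.Name) })
    $rejected += $back.Count
    Write-Host ("Batch {0}-{1}: {2} parsed, {3} returned to DEBUG" -f `
        $i, $last, ($batch.Count - $back.Count), $back.Count)
}

Write-Host "Done. $rejected file(s) still fail to parse and remain in DEBUG."
```

A non-zero final count means the parser still cannot handle those event types, which in this thread pointed to a missing Reports Extension.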
