chooyq
Level 7

Unable to log in to McAfee ePolicy 5.1.0 after patch for Petya ransomware

Hi all, I have encountered an issue with logging in to McAfee ePolicy 5.1.0 after deployment of the Petya ransomware patches. However, I have uninstalled the patches for Petya ransomware and am still unable to access the login page. The McAfee application server service starts and then stops running after around 1 minute. I have also extracted the server logs and Event Parser logs. Please help!

0 Kudos
3 Replies
tkinkead
Level 12

Re: Unable to log in to McAfee ePolicy 5.1.0 after patch for Petya ransomware

Both logs are full of this:

20170629150739W#03216EPODAL  Login for MOTION\administrator failed. Building profile and retrying.
20170629150739E#03216PONTUTILFailed to create local ePO User Group, push agent aborted!  System error code 1379
20170629150739E#03216EPODAL  ePOData_Connection.cpp(298): Failed to logon the domain user MOTION\administrator to connect to database.
20170629150739E#03216EPODAL  ePOData_Connection.cpp(368): Error 0x80070002 returned from credentials callback. Database NOT available

Database errors all over the place, and failed logins for MOTION\administrator. First, are you really running ePO services under your domain "administrator" account? You should really be running ePO under a separate service account with appropriate permissions (primarily, local admin on the ePO server).

Second, and more importantly to your question, is your database running?  If so, did your administrator account credentials change?

0 Kudos
chooyq
Level 7

Re: Unable to log in to McAfee ePolicy 5.1.0 after patch for Petya ransomware

Yes, it's running under the administrator account. Account credentials were changed in May. However, it was not affected then. I've tried to navigate to core-config but it shows the same page. It doesn't show McAfee ePolicy at all.

0 Kudos
brentil
Level 12

Re: Unable to log in to McAfee ePolicy 5.1.0 after patch for Petya ransomware

The service starting and then stopping after a minute or two is typically indicative of the database being offline. If this machine hasn't been rebooted in a while, then services would have kept running even with bad credentials, so your DB credentials might have been impacted too in whatever change was done previously.

0 Kudos
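As an added example (not part of this thread and not McAfee's code), here is a small Python triage script for the ePO server log lines tkinkead quoted above: it parses each line into its fields, pulls out the accounts whose logon failed, decodes the error codes, and flags the "Database NOT available" condition brentil describes. It assumes the fixed-width layout visible in the quoted lines (14-digit timestamp, severity letter, "#", 5-digit thread id, 8-character module name) and that the sample lines below are constructed copies of the ones in the thread; the Win32 code names come from the standard Win32 error list.

```python
import re
from collections import Counter

# Constructed sample, copied from the lines quoted in the thread (4th line re-joined).
SAMPLE_LOG = "\n".join([
    r"20170629150739W#03216EPODAL  Login for MOTION\administrator failed. Building profile and retrying.",
    r"20170629150739E#03216PONTUTILFailed to create local ePO User Group, push agent aborted!  System error code 1379",
    r"20170629150739E#03216EPODAL  ePOData_Connection.cpp(298): Failed to logon the domain user MOTION\administrator to connect to database.",
    r"20170629150739E#03216EPODAL  ePOData_Connection.cpp(368): Error 0x80070002 returned from credentials callback. Database NOT available",
])

# Assumed layout: timestamp(14) severity(1) '#' thread(5) module(8, space padded) message.
LINE_RE = re.compile(r"^(\d{14})([A-Z])#(\d{5})(.{8})(.*)$")
# Win32 error codes that appear in the thread, named per the Win32 error documentation.
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 1379: "ERROR_ALIAS_EXISTS"}

def parse(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, level, tid, module, msg = m.groups()
            entries.append({"ts": ts, "level": level, "tid": tid,
                            "module": module.strip(), "msg": msg.strip()})
    return entries

def error_codes(entries):
    """Collect 'System error code N' and 'Error 0x8007xxxx' values, normalised to Win32 codes."""
    codes = set()
    for e in entries:
        for dec in re.findall(r"System error code (\d+)", e["msg"]):
            codes.add(int(dec))
        for hexv in re.findall(r"Error (0x[0-9A-Fa-f]{8})", e["msg"]):
            val = int(hexv, 16)
            # An HRESULT of the form 0x8007xxxx carries the Win32 code in its low 16 bits.
            codes.add(val & 0xFFFF if (val >> 16) == 0x8007 else val)
    return {c: WIN32_NAMES.get(c, "unknown") for c in sorted(codes)}

def triage(entries):
    """Summarise the log: counts per severity, accounts with failed logons, DB availability."""
    accounts = set()
    for e in entries:
        m = re.search(r"(?:Login for|logon the domain user) (\S+?)(?: failed| to connect)", e["msg"])
        if m:
            accounts.add(m.group(1))
    return {
        "by_level": dict(Counter(e["level"] for e in entries)),
        "failed_logon_accounts": sorted(accounts),
        "db_unavailable": any("Database NOT available" in e["msg"] for e in entries),
        "codes": error_codes(entries),
    }
```

Running `triage(parse(SAMPLE_LOG))` on the constructed sample reports one warning and three errors, a single failing account, and the database flagged as unavailable, which is the combination both replies point to (credential change plus DB not reachable).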