7 Replies Latest reply on Jul 1, 2010 9:20 AM by andymease

    Insert Statement in Database table EPOEvents.

    jgpedro

      Hi,

       

I'm trying to insert some records directly into the EPO database. I'm having some issues when declaring the statement. This is what I have so far:

       

       

      /********************************************************************/

      insert into epoevents
      (AutoGUID,
      ServerID,
      ReceivedUTC,
      DetectedUTC,
      AgentGUID,
      Analyzer,
      AnalyzerName,
      AnalyzerVersion,
      AnalyzerHostName,
      AnalyzerIPV4,
      AnalyzerIPV6,
      AnalyzerMAC,
      AnalyzerDATVersion,
      AnalyzerEngineVersion,
      AnalyzerDetectionMethod,
      SourceHostName,
      SourceIPV4,
      SourceIPV6,
      SourceMAC,
      SourceUserName,
      SourceProcessName,
      SourceURL,
      TargetHostName,
      TargetIPV4,
      TargetIPV6,
      TargetMAC,
      TargetUserName,
      TargetPort,
      TargetProtocol,
      TargetProcessName,
      TargetFileName,
      ThreatCategory,
      ThreatEventID,
      ThreatSeverity,
      ThreatName,
      ThreatType,
      ThreatActionTaken,
      ThreatHandled)
      values (convert(varchar(36),'953A4B7E-E5F0-4FA2-BE43-EB8876F58006'),
      'S-NAIDB-02',
      convert(varchar(24),'2010-06-14 14:17:28.670',121),
      convert(varchar(24),'2010-06-14 13:10:25.000',121),
      '37C06B93-D200-48FE-BE5D-C9E219A4F6DE',
      'VIRUSCAN8600',
      'VirusScan Enterprise',
      8.5,
      'T000B0881050',
      -1964544555,
      '0x00000000000000000000FFFF0AE76DD5',
      NULL,
      '4.0.0',
      '0.0.0',
      'AutoUpdate',
      'NULL',
      'NULL',
      'NULL',
      'NULL',
      'NULL',
      'NULL',
      'NULL',
      'T000B0881050',
      -1964544555,
      '0x00000000000000000000FFFF0AE76DD5',
      NULL,
      'SYSTEM',
      NULL,
      NULL,
      NULL,
      NULL,
      'ops.update.end',
      1119,
      4,
      'none',
      'none',
      'none',
      1)

      /********************************************************************/

       

      But I get the following error from SQL Server:

      "Server: Msg 257, Level 16, State 3, Line 1
      Implicit conversion from data type varchar to binary is not allowed. Use the CONVERT function to run this query."

       

      Can someone give me hints about the data conversions for this table?

       

      Thanks.
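The error message in the question is SQL Server's error 257, and it points at the quoted '0x...' strings: varchar is implicitly convertible to datetime and to uniqueidentifier, but not to binary, so the IPv6 values written as strings are the ones that fail if those columns are binary(16). The posted row also says something about how ePO stores addresses: -1964544555 in the int IPV4 column and ::ffff:0ae7:6dd5 in the IPV6 column are the same host, 10.231.109.213, once the top bit of the int is flipped back. The Python below is an added example, not code from the thread or from McAfee: it renders every value as an explicitly typed T-SQL literal (an unquoted 0x... binary literal, CONVERT(datetime, ..., 121), a real NULL instead of the string 'NULL') and encodes the addresses the way the posted row does. The column types are an assumption taken from the error and the posted values; check them with EXEC sp_help 'EPOEvents' before running anything against a production ePO database.

```python
"""Render a correctly typed INSERT for the EPOEvents table.

Added example, not code from the thread. Assumed column types (verify with
EXEC sp_help 'EPOEvents' first): AutoGUID/AgentGUID uniqueidentifier,
ReceivedUTC/DetectedUTC datetime, *IPV4 int, *IPV6 binary(16),
ThreatHandled bit, everything else varchar.
"""
import ipaddress
import uuid
from datetime import datetime


def epo_ipv4_int(dotted: str) -> int:
    """ePO keeps IPv4 in the int IPV4 columns with the top bit flipped
    (XOR 0x80000000) and read back as a signed 32-bit value. Inferred from
    the posted row: -1964544555 and ::ffff:0ae7:6dd5 are both 10.231.109.213."""
    raw = int(ipaddress.IPv4Address(dotted)) ^ 0x80000000
    return raw - (1 << 32) if raw & 0x80000000 else raw


def epo_ipv4_from_int(value: int) -> str:
    """Inverse of epo_ipv4_int, for reading the int columns back."""
    return str(ipaddress.IPv4Address((value & 0xFFFFFFFF) ^ 0x80000000))


def epo_ipv6_bytes(dotted: str) -> bytes:
    """The binary(16) IPV6 columns hold the IPv4-mapped form ::ffff:a.b.c.d."""
    return ipaddress.IPv6Address(f"::ffff:{dotted}").packed


def sql_literal(value) -> str:
    """Render one value as a T-SQL literal with an explicit type, so SQL Server
    never has to convert varchar to binary by itself (that is error 257)."""
    if value is None:
        return "NULL"                      # a real NULL, not the string 'NULL'
    if isinstance(value, bool):            # before int: bool subclasses int
        return "1" if value else "0"
    if isinstance(value, int):
        return str(value)
    if isinstance(value, bytes):
        return "0x" + value.hex().upper()  # unquoted binary literal
    if isinstance(value, datetime):
        text = value.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
        return f"CONVERT(datetime, '{text}', 121)"
    if isinstance(value, uuid.UUID):
        return f"CONVERT(uniqueidentifier, '{str(value).upper()}')"
    if isinstance(value, str):
        return "N'" + value.replace("'", "''") + "'"
    raise TypeError(f"no literal rule for {type(value).__name__}")


def build_insert(table: str, row: dict) -> str:
    """Column names come from the fixed row layout below, never from input."""
    cols = ",\n    ".join(row)
    vals = ",\n    ".join(sql_literal(v) for v in row.values())
    return f"INSERT INTO {table} (\n    {cols}\n) VALUES (\n    {vals}\n);"


def sample_row() -> dict:
    """The row from the question, retyped; its 'NULL' strings become NULL."""
    host, ip = "T000B0881050", "10.231.109.213"
    row = {
        "AutoGUID": uuid.UUID("953A4B7E-E5F0-4FA2-BE43-EB8876F58006"),
        "ServerID": "S-NAIDB-02",
        "ReceivedUTC": datetime(2010, 6, 14, 14, 17, 28, 670000),
        "DetectedUTC": datetime(2010, 6, 14, 13, 10, 25),
        "AgentGUID": uuid.UUID("37C06B93-D200-48FE-BE5D-C9E219A4F6DE"),
        "Analyzer": "VIRUSCAN8600",
        "AnalyzerName": "VirusScan Enterprise",
        "AnalyzerVersion": "8.5",
        "AnalyzerHostName": host,
        "AnalyzerIPV4": epo_ipv4_int(ip),
        "AnalyzerIPV6": epo_ipv6_bytes(ip),
        "AnalyzerDATVersion": "4.0.0",
        "AnalyzerEngineVersion": "0.0.0",
        "AnalyzerDetectionMethod": "AutoUpdate",
        "TargetHostName": host,
        "TargetIPV4": epo_ipv4_int(ip),
        "TargetIPV6": epo_ipv6_bytes(ip),
        "TargetUserName": "SYSTEM",
        "ThreatCategory": "ops.update.end",
        "ThreatEventID": 1119,
        "ThreatSeverity": 4,
        "ThreatName": "none",
        "ThreatType": "none",
        "ThreatActionTaken": "none",
        "ThreatHandled": True,
    }
    # Columns the question left empty (it wrote the string 'NULL' for most of
    # them, which would have stored literal text in a varchar column).
    row.update(dict.fromkeys([
        "AnalyzerMAC", "SourceHostName", "SourceIPV4", "SourceIPV6", "SourceMAC",
        "SourceUserName", "SourceProcessName", "SourceURL", "TargetMAC",
        "TargetPort", "TargetProtocol", "TargetProcessName", "TargetFileName"]))
    return row


if __name__ == "__main__":
    print(build_insert("EPOEvents", sample_row()))
```

Running it prints the INSERT with the IPv6 values as 0x00000000000000000000FFFF0AE76DD5 (no quotes) and the timestamps wrapped in CONVERT(datetime, ..., 121). The string literals are doubled-quote escaped because the statement is built as text; if this were driven by anything other than a fixed row you control, a parameterized query through pyodbc would be the right tool rather than string assembly.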

        • 1. Re: Insert Statement in Database table EPOEvents.
          rackroyd

          Why would you want to do this?

          It's essentially unsupportable by McAfee to do so.

           

          Rgds,

           

          Rob.

          • 2. Re: Insert Statement in Database table EPOEvents.
            jgpedro

            Hi,

            Well, some of the events were purged and we need to get them back to production. Using a backup I can rescue these records and insert them into the database.

             

            Does that make sense? Any other workaround?

             

            Thanks

            • 3. Re: Insert Statement in Database table EPOEvents.
              JoeBidgood

              Why not just restore the entire DB backup? That would restore them...

               

              HTH -

               

              Joe

              • 4. Re: Insert Statement in Database table EPOEvents.
                jgpedro

                OK, that is an option. Anyway, I still want to find some info about the fix I'm trying to do. It looks like direct SQL manipulation of the EPO database is treated as a DANGER ZONE and a NO GO AREA. Can someone help me with the data conversions?


                Thanks

                • 5. Re: Insert Statement in Database table EPOEvents.

                  Jose,

                  You can create event .xml files with the information you want, then drop them in the events folder and they will be parsed by the event parser and inserted into the database. I did this when testing the auto creation of tickets. Instead of having to actually get infection events from systems, I created a lot of different 'fake' events and dropped them into the events folder to trigger the response. If you need more details let me know and I'd be happy to help you.

                   

                  Andrew

                  • 6. Re: Insert Statement in Database table EPOEvents.
                    jgpedro

                    Hi Andy,

                     

                    I appreciate your help; that would be great! So, where do I begin?

                     

                    Thanks !

                    • 7. Re: Insert Statement in Database table EPOEvents.
                      Jose,
                      Here is a sample virus event. You can fill in any of the fields with the information for your event. Copy the text into a new file and rename it to an .xml file (I've attached an example), then drop it in the events folder and you should see the event parser parse it and insert it into the DB. You can do this with any type of event - you just need an example one first to get the format... Let me know if this works for you.


                      <?xml version="1.0" encoding="UTF-8" ?>
                      <VirusDetectionEvent>
                      <MachineInfo>
                      <MachineName>Computername</MachineName>
                      <AgentGUID>{Guid}</AgentGUID>
                      <IPAddress>IP</IPAddress>
                      <RawMACAddress>Mac</RawMACAddress>
                      <OSName>Windows XP</OSName>
                      <UserName>NT AUTHORITY\SYSTEM</UserName>
                      <TimeZoneBias>300</TimeZoneBias>
                      </MachineInfo>
                      <ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.5" ProductFamily="TVD">
                      <EngineVersion>5400.1158</EngineVersion>
                      <DATVersion>5858.0000</DATVersion>
                      <ScannerType>OAS</ScannerType>
                      <TaskName>OAS</TaskName>
                      <ProductFamily>TVD</ProductFamily>
                      <ProductName>VirusScan Enterprise</ProductName>
                      <ProductVersion>8.5</ProductVersion>
                      <DetectionInfo>
                      <EventID>1292</EventID>
                      <Severity>2</Severity>
                      <GMTTime>2010-01-12T10:06:42</GMTTime>
                      <UTCTime>2010-01-12T15:06:42</UTCTime>
                      <FileName>C:\DOCUME~1\Username\LOCALS~1\Temp\7zE1A.tmp\bamawosa.dll</FileName>
                      <VirusName>W32/Sality.gen</VirusName>
                      <Source />
                      <VirusType>1</VirusType>
                      <szVirusType>virus</szVirusType>
                      </DetectionInfo>
                      </ScannerSoftware>
                      </VirusDetectionEvent>

                       

                       

                      on 7/1/10 9:20:36 AM GMT-05:00
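The drop-a-file approach in the last replies relies on the event parser doing the typing, which is why it avoids the conversion problem in the question. Worth noticing in the sample: GMTTime is not UTC despite its name; it is the agent's local clock, and it equals UTCTime minus TimeZoneBias minutes (15:06:42Z with a bias of 300 gives 10:06:42). The Python below is an added example, not code from the thread or from McAfee. It builds an event with exactly the element layout of the posted sample, checks that the three time fields in an event file agree before it is dropped, and writes the file under a unique name. The events directory is passed in as a parameter (the post names the folder but not its path), the local-time rule is inferred from the sample values, and every machine or detection value used here is constructed test data.

```python
"""Build, check and drop ePO VirusDetectionEvent XML files.

Added example, not from the thread. Element layout copied from the posted
sample; the events directory is a parameter (assumption: the event parser
picks up *.xml files dropped there, as the reply describes).
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from pathlib import Path

TIME_FMT = "%Y-%m-%dT%H:%M:%S"

# Abridged copy of the posted sample, kept here as offline test input.
SAMPLE_EVENT = r"""<?xml version="1.0" encoding="UTF-8" ?>
<VirusDetectionEvent>
<MachineInfo>
<AgentGUID>{Guid}</AgentGUID>
<TimeZoneBias>300</TimeZoneBias>
</MachineInfo>
<ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.5" ProductFamily="TVD">
<DetectionInfo>
<EventID>1292</EventID>
<Severity>2</Severity>
<GMTTime>2010-01-12T10:06:42</GMTTime>
<UTCTime>2010-01-12T15:06:42</UTCTime>
<FileName>C:\DOCUME~1\Username\LOCALS~1\Temp\7zE1A.tmp\bamawosa.dll</FileName>
<VirusName>W32/Sality.gen</VirusName>
</DetectionInfo>
</ScannerSoftware>
</VirusDetectionEvent>"""


def local_from_utc(utc: datetime, tz_bias_minutes: int) -> datetime:
    """GMTTime in the sample is local time = UTCTime - TimeZoneBias minutes
    (inferred from 15:06:42Z, bias 300 -> 10:06:42; Windows bias = UTC - local)."""
    return utc - timedelta(minutes=tz_bias_minutes)


def build_event(machine: dict, detection: dict, utc: datetime, tz_bias_minutes: int) -> ET.Element:
    """Assemble an event with the posted layout. machine keys: MachineName, AgentGUID,
    IPAddress, RawMACAddress, OSName, UserName; detection keys: EventID, Severity,
    FileName, VirusName, VirusType, szVirusType."""
    root = ET.Element("VirusDetectionEvent")
    mi = ET.SubElement(root, "MachineInfo")
    for tag in ("MachineName", "AgentGUID", "IPAddress", "RawMACAddress", "OSName", "UserName"):
        ET.SubElement(mi, tag).text = str(machine[tag])
    ET.SubElement(mi, "TimeZoneBias").text = str(tz_bias_minutes)
    sw = ET.SubElement(root, "ScannerSoftware", ProductName="VirusScan Enterprise",
                       ProductVersion="8.5", ProductFamily="TVD")
    for tag, val in (("EngineVersion", "5400.1158"), ("DATVersion", "5858.0000"),
                     ("ScannerType", "OAS"), ("TaskName", "OAS"), ("ProductFamily", "TVD"),
                     ("ProductName", "VirusScan Enterprise"), ("ProductVersion", "8.5")):
        ET.SubElement(sw, tag).text = val
    di = ET.SubElement(sw, "DetectionInfo")
    ET.SubElement(di, "EventID").text = str(detection["EventID"])
    ET.SubElement(di, "Severity").text = str(detection["Severity"])
    ET.SubElement(di, "GMTTime").text = local_from_utc(utc, tz_bias_minutes).strftime(TIME_FMT)
    ET.SubElement(di, "UTCTime").text = utc.strftime(TIME_FMT)
    ET.SubElement(di, "FileName").text = detection["FileName"]
    ET.SubElement(di, "VirusName").text = detection["VirusName"]
    ET.SubElement(di, "Source")  # empty element, as in the sample
    ET.SubElement(di, "VirusType").text = str(detection["VirusType"])
    ET.SubElement(di, "szVirusType").text = detection["szVirusType"]
    return root


def check_event(xml_data) -> dict:
    """Parse an event file, return the fields the EPOEvents row would carry and
    whether GMTTime, UTCTime and TimeZoneBias agree with each other."""
    data = xml_data.encode("utf-8") if isinstance(xml_data, str) else xml_data
    root = ET.fromstring(data.lstrip())
    if root.tag != "VirusDetectionEvent":
        raise ValueError(f"unexpected root element {root.tag}")
    bias = int(root.findtext("MachineInfo/TimeZoneBias"))
    di = root.find("ScannerSoftware/DetectionInfo")
    utc = datetime.strptime(di.findtext("UTCTime"), TIME_FMT)
    local = datetime.strptime(di.findtext("GMTTime"), TIME_FMT)
    return {
        "agent_guid": root.findtext("MachineInfo/AgentGUID"),
        "event_id": int(di.findtext("EventID")),
        "severity": int(di.findtext("Severity")),
        "virus_name": di.findtext("VirusName"),
        "file_name": di.findtext("FileName"),
        "utc": utc,
        "timestamps_consistent": local_from_utc(utc, bias) == local,
    }


def event_to_bytes(root: ET.Element) -> bytes:
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def constructed_event() -> ET.Element:
    """A made-up test event (CONSTRUCTED data, not from any real system)."""
    return build_event(
        {"MachineName": "TESTHOST01", "AgentGUID": "{" + str(uuid.uuid4()).upper() + "}",
         "IPAddress": "10.0.0.5", "RawMACAddress": "001122334455",
         "OSName": "Windows XP", "UserName": r"NT AUTHORITY\SYSTEM"},
        {"EventID": 1292, "Severity": 2, "FileName": r"C:\Temp\eicar.com",
         "VirusName": "EICAR test file", "VirusType": 1, "szVirusType": "virus"},
        datetime(2010, 7, 1, 14, 20, 36), 300)


def write_event(root: ET.Element, events_dir: Path) -> Path:
    """Drop the event under a unique name so concurrent drops never collide."""
    events_dir.mkdir(parents=True, exist_ok=True)
    path = events_dir / f"{uuid.uuid4()}.xml"
    path.write_bytes(event_to_bytes(root))
    return path
```

Usage: `write_event(constructed_event(), Path(r"<your ePO events folder>"))`, after running `check_event` on anything you did not generate yourself. The same property that makes this convenient is the reason the folder's permissions matter: whatever can write there can feed events to the parser and into EPOEvents, so keep write access to the server account and the administrators who need it.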