8 Replies Latest reply on Jan 5, 2012 4:31 AM by JoeBidgood

    no more threat events since a month

    mcdave

      Hi,

      Since 3/23/2011 we don't receive any threat events anymore from our clients to our ePO server.

      Any ideas?

      grtz

      Dave

        • 1. Re: no more threat events since a month
          Sailendra Pamidi

          I would first check the EventParser.log (DB\Logs\EventParser.log) to see if there are errors parsing them.

          A good place to start would be KB53035.

          • 2. Re: no more threat events since a month

            Also check here on your ePO server: C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events

            We used to have this problem. That folder should be empty until it receives an event from a client; then you will see a file or files appear in that folder, then disappear once the parser handles it. If there are files that are "stuck" in there, open them with Notepad and try to determine what the detecting product is. In our case we had some older VirusScan Enterprise installations that were no longer supported by our version of ePO, therefore the parser could not deal with the alert.

            Also try restarting the McAfee Event Parser service and see if that helps. I have to do that manually about once a month to keep the events working properly.

            • 3. Re: no more threat events since a month
              mcdave

              Restarting the Event Parser Service solved the issue.

              Thx

              • 4. Re: no more threat events since a month

                No problem. Glad it helped. Something our company does on a daily basis is have a member of our Help Desk go to this site to trigger a threat event so we can see if we receive the McAfee email alert.

                http://www.eicar.org/anti_virus_test_file.htm

                Something you may want to consider at least on a weekly basis so you know when the Event Parser is hung up.

                • 5. Re: no more threat events since a month

                  Hello,

                  Recently I discovered that I had a similar problem to the one reported by mcdave. There are no threat events logged for more than 2 weeks when I check for them in ePO.

                  I checked the event parser log and I found the following:

                  20120103104021    E    #2744    DAL         Source = Microsoft OLE DB Provider for ODBC Drivers
                  20120103104021    E    #2744    DAL         Description = [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
                  20120103104024    E    #2744    DAL         DAL2_CConnection::GetConnection: giving up retrying connection.
                  20120103104024    E    #2744    DAL         CConxIndex::~CConxIndex(): hr=0x80004003,
                  20120103104124    I    #2744    EVNTPRSR    Trying to re-establish a connection with the database.
                  20120103104124    E    #2744    DAL         COM Error :80004005 in DAL2_CConnection::GetConnection
                  20120103104124    E    #2744    DAL         Meaning = Unspecified error
                  20120103104124    E    #2744    DAL         Source = Microsoft OLE DB Provider for ODBC Drivers
                  20120103104124    E    #2744    DAL         Description = [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
                  20120103104125    E    #2744    DAL         COM Error :80004005 in DAL2_CConnection::GetConnection
                  20120103104125    E    #2744    DAL         Meaning = Unspecified error
                  20120103104125    E    #2744    DAL         Source = Microsoft OLE DB Provider for ODBC Drivers
                  20120103104125    E    #2744    DAL         Description = [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
                  20120103104128    E    #2744    DAL         COM Error :80004005 in DAL2_CConnection::GetConnection
                  20120103104128    E    #2744    DAL         Meaning = Unspecified error
                  20120103104128    E    #2744    DAL         Source = Microsoft OLE DB Provider for ODBC Drivers
                  20120103104128    E    #2744    DAL         Description = [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
                  20120103104131    E    #2744    DAL         DAL2_CConnection::GetConnection: giving up retrying connection.
                  20120103104131    E    #2744    DAL         CConxIndex::~CConxIndex(): hr=0x80004003,
                  20120103104231    I    #2744    EVNTPRSR    Trying to re-establish a connection with the database.
                  20120103104231    E    #2744    DAL         COM Error :80004005 in DAL2_CConnection::GetConnection
                  20120103104231    E    #2744    DAL         Meaning = Unspecified error
                  20120103104231    E    #2744    DAL         Source = Microsoft OLE DB Provider for ODBC Drivers
                  20120103104231    E    #2744    DAL         Description = [Microsoft][ODBC Driver Manager] Data source name not found and no default driver

                  Actually the log file created today is full of this kind of message, and the backup file too. Checking the backup file I found that this kind of message started to be logged on the 28th of December.

                  PLEASE HELP!
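As an added example (not from this thread or from McAfee), a small Python checker for lines in the EventParser.log layout quoted above: it counts the "giving up retrying connection" and ODBC DSN failures and reports the time window they cover, so an operator can spot a parser that has lost its database connection before a month of events goes missing. The sample lines are constructed from the quoted excerpt, and the column layout (timestamp, level, thread id, module, message) is an assumption drawn from it.

```python
import re
from datetime import datetime

# Constructed sample in the EventParser.log layout quoted in the thread
# (timestamp, level, #thread, module, message); not a real log file.
SAMPLE_LOG = """\
20120103104021    E    #2744    DAL         Source = Microsoft OLE DB Provider for ODBC Drivers
20120103104021    E    #2744    DAL         Description = [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
20120103104024    E    #2744    DAL         DAL2_CConnection::GetConnection: giving up retrying connection.
20120103104124    I    #2744    EVNTPRSR    Trying to re-establish a connection with the database.
20120103104124    E    #2744    DAL         COM Error :80004005 in DAL2_CConnection::GetConnection
20120103104131    E    #2744    DAL         DAL2_CConnection::GetConnection: giving up retrying connection.
"""

# Assumed field layout: yyyymmddHHMMSS, one-letter level, #thread id, module, free-text message
LINE_RE = re.compile(r"^(\d{14})\s+([A-Z])\s+#(\d+)\s+(\S+)\s+(.*)$")

def parse_line(line):
    """Return a dict for one EventParser.log line, or None if the line does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts, level, thread, module, msg = m.groups()
    return {"time": datetime.strptime(ts, "%Y%m%d%H%M%S"), "level": level,
            "thread": int(thread), "module": module, "msg": msg}

def db_health(log_text):
    """Summarise database-connectivity failures: give-ups, DSN errors, reconnect attempts, time window."""
    report = {"give_ups": 0, "dsn_errors": 0, "reconnects": 0,
              "first_failure": None, "last_failure": None}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if "re-establish a connection" in msg:
            report["reconnects"] += 1
            continue
        if "giving up retrying connection" in msg:
            report["give_ups"] += 1
        elif "Data source name not found" in msg:
            report["dsn_errors"] += 1
        else:
            continue
        report["first_failure"] = report["first_failure"] or rec["time"]
        report["last_failure"] = rec["time"]
    # Any give-up means the parser stopped writing events to SQL: treat the window as unhealthy.
    report["healthy"] = report["give_ups"] == 0
    return report
```

Point `db_health` at the contents of DB\Logs\EventParser.log (and its backup) to see when the failures began; a non-empty window with `healthy` false is the condition the replies above resolve by restarting the Event Parser service or the ePO services.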

                  • 6. Re: no more threat events since a month
                    JoeBidgood

                    These messages imply that the event parser can't talk to SQL, which is definitely not good. Before anything else, have you tried restarting the three ePO services (or, preferably, the entire ePO server)?

                    Thanks -

                    Joe

                    • 7. Re: no more threat events since a month

                      Hi Joe,

                      I have a similar issue, but not exactly the same.

                      For about the last 3 weeks I have not received event ID 1284, or more generally "threat handled equal to false" events. Typically I receive many of these kinds of events.

                      I have upgraded my ePO server from 4.5 P4 to ePO 4.6 P1 and McAfee Agent from 4.5 P3 to 4.6 P1. It seems that the issue is related to the upgrade.

                      • 8. Re: no more threat events since a month
                        JoeBidgood

                        Could you start a new thread for this? It's easier if we keep things separate.

                        Thanks -

                        Joe