6 Replies Latest reply on Oct 27, 2011 3:01 AM by dwebb

    EEPC6.1 Events (seems slow) - MfeEpe.log attached

    redbaron51

      Hi all,

       

      another Q re EEPC6.1

       

      Basically I have reimaged a laptop and left it running without intervention, i.e., not clicking "Collect and Send Props", "Enforce Policies", "Send Events", etc.

       

      From the MfeEpe.log file (see attached):

       

      10:30 - Service started

      10:36 - EpoPlugin                            enforcePolicy: new policy store created (session 1309426454).

      10:36 - EpoPlugin                            enforcePolicy: Waiting for OptIn users before enforcing policy. ---------> What does this mean???

       

      then by the looks of it the HDD started to get encrypted at

       

      2011-06-30 13:13:02,441 INFO    MfeEpeKeyServerService               keyServiceHandler: dispatching DC message (EEADMIN_1000_KSSetMachineKeyCmd, CorrelationID=1309426456).

      2011-06-30 13:13:02,457 INFO    MfeEpeKeyServerService               keyServiceHandler: dispatching DC message (EEADMIN_1000_KSSetMachineRecoveryKeyCmd, CorrelationID=1309426457).

      2011-06-30 13:13:12,582 INFO    MfeEpeKeyServerService               keyServiceHandler: handling ePO response: KSSetMachineKeyAck

      2011-06-30 13:13:12,597 INFO    MfeEpeKeyServerService               keyServiceHandler: handling ePO response: KSSetMachineRecoveryKeyAck

       

      then I believe it only links the Domain Admins (group link for back door access - test environment) at

       

      2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 5B4C9467AB2AC646AFBBE58BE3191BCE: user attributes

      2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 16AEAC8C97FD5F4998A73F6C8F610A2A: user attributes

      2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user B5F6D68BF05010408B7500B849953461: user attributes

      2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 7E4382559DB82A478CF9E88895BDCEF0: user attributes

      2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 16379FB85A061F4A861C069537EA7145: user attributes

      2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 38001D81ED9144429C063DAE8721EA61: user attributes

      2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 4465141B1A738B4DA9EBD7641B71B7AD: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 1F3D18C554C95149A9AA86D803C021AA: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 2F4EA04F337BAD4A940730B89A0EE70D: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 5E76144235DD584DBAB9FA20A1A3A125: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 980F1C0C9A42094BBD4D57294640AD11: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user CBD536AB801B8143A3BA21052E36A19E: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user D6A0A997D48014499E949824B406B581: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user F42D85BD11C34348B8032F9B7FD5E358: user attributes

      2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user FCA12B4B1FF84B45B1F04646DDFE0267: user attributes

       

      I have attached the log and would really appreciate it if the McAfee techies or other gurus could comment on that.

       

      The support team usually images the laptop and waits for the HDD to be fully encrypted before rolling out to end-users. It is not an issue to tell them to hit the "Collect and Send Props", "Enforce Policies", "Send Events" buttons, but I just want to understand what the log tells.

       

      Help/Comments are much appreciated

        • 1. Re: EEPC6.1 Events (seems slow) - MfeEpe.log attached
          Timmah

          Hi there,

           

          enforcePolicy: Waiting for OptIn users before enforcing policy.

           

          This basically means we're waiting for the McAfee Agent to provide us with zero or more user-specific UBPs. Normally, the wait is very short. The only time we *don't* wait for these policies is on Mac OS X, which currently doesn't support them.

           

          then by the looks of it the HDD started to get encrypted at

           

          2011-06-30 13:13:02,441 INFO    MfeEpeKeyServerService               keyServiceHandler: dispatching DC message (EEADMIN_1000_KSSetMachineKeyCmd, CorrelationID=1309426456).

          2011-06-30 13:13:02,457 INFO    MfeEpeKeyServerService               keyServiceHandler: dispatching DC message (EEADMIN_1000_KSSetMachineRecoveryKeyCmd, CorrelationID=1309426457).

          2011-06-30 13:13:12,582 INFO    MfeEpeKeyServerService               keyServiceHandler: handling ePO response: KSSetMachineKeyAck

          2011-06-30 13:13:12,597 INFO    MfeEpeKeyServerService               keyServiceHandler: handling ePO response: KSSetMachineRecoveryKeyAck


           

          These messages tell us that key backup to ePO has occurred. Shortly after that (so long as the rest of activation succeeds), encryption will start.

           

          then I believe it only links the Domain Admins (group link for back door access - test environment) at

           

          2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 5B4C9467AB2AC646AFBBE58BE3191BCE: user attributes

          2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 16AEAC8C97FD5F4998A73F6C8F610A2A: user attributes

          2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user B5F6D68BF05010408B7500B849953461: user attributes

          2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 7E4382559DB82A478CF9E88895BDCEF0: user attributes

          2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 16379FB85A061F4A861C069537EA7145: user attributes

          2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 38001D81ED9144429C063DAE8721EA61: user attributes

          2011-06-30 19:12:04,425 INFO    EpoPlugin                            userHandler: requesting updates for user 4465141B1A738B4DA9EBD7641B71B7AD: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 1F3D18C554C95149A9AA86D803C021AA: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 2F4EA04F337BAD4A940730B89A0EE70D: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 5E76144235DD584DBAB9FA20A1A3A125: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user 980F1C0C9A42094BBD4D57294640AD11: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user CBD536AB801B8143A3BA21052E36A19E: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user D6A0A997D48014499E949824B406B581: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user F42D85BD11C34348B8032F9B7FD5E358: user attributes

          2011-06-30 19:12:04,440 INFO    EpoPlugin                            userHandler: requesting updates for user FCA12B4B1FF84B45B1F04646DDFE0267: user attributes

           

          I'm not sure what you mean by linking (adding users to the machine?), but the most likely cause of these users requesting user attributes is that their UBP changed.

           

          The logs do indicate that the machine or ePO may be having trouble with Add Local Domain Users. In a few instances, an event is sent up to ePO to request the addition of local domain users (at: 10:36:00,527 then: 16:26:22,388 then: 16:37:48,837 and finally 09:14:23,222). None of the requests receive a reply.

           

          Any chance you could attach (or send via private message) the orion.log?

           

          Kind regards,

           

          Tim
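A way to check the key-backup step described in the reply above, as an added example that is not part of the original thread or of McAfee's tooling: it pairs each dispatched key command in MfeEpe.log with its ePO ack and reports the delay, so a build team can confirm the machine and recovery keys were escrowed. It assumes the line shapes of the four lines quoted in the thread and that `<Name>Cmd` is answered by `<Name>Ack`; the function names are illustrative.

```python
import re
from datetime import datetime

# Line shapes taken from the four MfeEpe.log lines quoted in the thread.
PREFIX = r"^(\S+ \S+) INFO\s+MfeEpeKeyServerService\s+keyServiceHandler: "
DISPATCH = re.compile(
    PREFIX + r"dispatching DC message \(EEADMIN_1000_(\w+)Cmd, CorrelationID=(\d+)\)")
ACK = re.compile(PREFIX + r"handling ePO response: (\w+)Ack\b")

def _ts(text):
    # Log timestamps use a comma before the milliseconds.
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S,%f")

def key_backup_status(lines):
    """Pair each key-backup command with its ePO ack.

    Returns {name: {"correlation_id", "sent", "acked", "seconds"}};
    "acked" and "seconds" stay None when no ack was logged.
    Assumption: <Name>Cmd is answered by <Name>Ack, as in the quoted lines.
    """
    status = {}
    for line in lines:
        line = line.strip()
        m = DISPATCH.match(line)
        if m:
            status[m.group(2)] = {"correlation_id": m.group(3),
                                  "sent": _ts(m.group(1)),
                                  "acked": None, "seconds": None}
            continue
        m = ACK.match(line)
        if m and m.group(2) in status and status[m.group(2)]["acked"] is None:
            entry = status[m.group(2)]
            entry["acked"] = _ts(m.group(1))
            entry["seconds"] = (entry["acked"] - entry["sent"]).total_seconds()
    return status

def unacknowledged(status):
    """Names of key commands that never received an ack from ePO."""
    return sorted(name for name, e in status.items() if e["acked"] is None)

# The four key-backup lines quoted in the thread.
SAMPLE = """\
2011-06-30 13:13:02,441 INFO    MfeEpeKeyServerService               keyServiceHandler: dispatching DC message (EEADMIN_1000_KSSetMachineKeyCmd, CorrelationID=1309426456).
2011-06-30 13:13:02,457 INFO    MfeEpeKeyServerService               keyServiceHandler: dispatching DC message (EEADMIN_1000_KSSetMachineRecoveryKeyCmd, CorrelationID=1309426457).
2011-06-30 13:13:12,582 INFO    MfeEpeKeyServerService               keyServiceHandler: handling ePO response: KSSetMachineKeyAck
2011-06-30 13:13:12,597 INFO    MfeEpeKeyServerService               keyServiceHandler: handling ePO response: KSSetMachineRecoveryKeyAck
"""

if __name__ == "__main__":
    for name, e in key_backup_status(SAMPLE.splitlines()).items():
        print(name, e["correlation_id"], e["seconds"])
```

A non-empty result from `unacknowledged()` means a key command was sent but its backup to ePO was never confirmed in the log.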

          • 2. Re: EEPC6.1 Events (seems slow) - MfeEpe.log attached
            redbaron51

            Hi Tim,

             

            Thanks for the prompt reply.

             

            I'm not sure what you mean by linking (adding users to the machine?) ----> I've added a group at Data Protection -- Encryption Users -- Organization level -- Group Users -- so they will have access to all encrypted systems. Running a query EE Users I can see all users who belong to that group (good).

             

            Orion log attached as requested.

             

            Help/comments are much appreciated

            • 3. Re: EEPC6.1 Events (seems slow) - MfeEpe.log attached
              Timmah

              Hi again,

               

              So if I understand you correctly, you have a group of admins assigned at the organisation level, and ALDU enabled in the policy for all other users. Seems logical. The user attributes requests are almost certainly due to a UBP setting change for the admin group of users.

               

              Unfortunately, the orion log isn't giving us any clues as to why ALDU is failing.

               

              A few things to try:

               

              - Check that the event parser service is running for the AgentHandler assigned to the machine (probably ePO's own).

              - Check the Agent Handler logs (server.log, eventparser.log, EpeEventHandler.log, EpePolicyHandler.log).

              - Grab the ALDU event that gets sent up, and take a peek at the contents for an idea of which users are being detected for addition.

               

              Feel free to attach any more logs/events/info; I'll be happy to take a look!

               

              Cheers,

               

              Tim

              • 4. Re: EEPC6.1 Events (seems slow) - MfeEpe.log attached
                redbaron51

                Hi Tim,

                 

                Thanks again for your assistance.

                 

                Stupid Q:

                 

                As per your post, How do I:

                 

                "Grab the ALDU event that gets sent up, and take a peek at the contents for an idea of which users are being detected for addition."

                 

                I think there is def. something wrong because state: "Created ALDU events" stays "forever" on McAfee Endpoint Encryption System Status Window

                 

                Not sure how to upload logs via PM, therefore I will PM you a password for the zip file.

                 

                Another Q that I couldn't find an answer to in the documentation:

                 

                - When a user changes their password (either via CTRL+ALT+DEL or via domain pssw policy enforcement) how can I see on a log or on the McAfee Agent Monitor?

                 

                Thanks again

                • 5. Re: EEPC6.1 Events (seems slow) - MfeEpe.log attached
                  alexander_h

                  Hi Mate,

                   

                  Try to untick the ADD LOCAL DOMAIN USER, also restart the event parser and let us know the result.

                  • 6. Re: EEPC6.1 Events (seems slow) - MfeEpe.log attached
                    dwebb

                    This symptom indicates that

                     

                    1) the client has a firewall on, meaning that ePO can't connect to the client

                    2) the client is behind a NAT, again meaning that ePO can't connect to the client (if this is a VM, check the network settings are not set to NAT).

                     

                    If my suspicion is correct, then pressing Collect and Send in the client MA will "nudge" the process along, as when the client dials in to the Agent Handler, the server->client message will be delivered, meaning that the client can continue with its policy enforcement.