13 Replies Latest reply on Jan 5, 2012 12:44 PM by scoutt

    Threat Event Log

    scoutt

      I have installed 4.6.1 and everything is good so far. But one thing I can't seem to find out is how to make the agent report a virus if the desktop has received one. My automatic responses are all set, yet the threat event log is empty and I know there should be some. I know it is a setting some place I missed. My agents are communicating just fine as we are getting the policies, but they are not sending the virus from the OnAccessScanLog.txt?

        • 1. Re: Threat Event Log
          hem

          I would suggest you generate Eicar events (https://eicar.org => Antimalware files). While trying to save the eicar files, they will be detected by VSE.


          Please open the Agent monitor window and click on 'send events' so that the events reach the ePO server \DB\Events folder.


          Please look at the \Events folder to see whether events are accumulating there or getting parsed. If they are accumulating then you need to check DB connectivity/upgrade the reporting extension, and if they are parsed then you should be able to see them under 'Threat event log'.

          • 2. Re: Threat Event Log
            scoutt

            No, that event folder is empty besides the debug and unknown folders in there. Yes, I am using the Eicar file to check on this.

            • 3. Re: Threat Event Log
              hem

              Ok, could you please check the EventParser log to see if events are successfully parsed to the DB?

              • 4. Re: Threat Event Log
                scoutt

                I see some of this:

                20111230091751    I    #05708    EVNTPRSR    Succeeded <UpdateEvents>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\5b5c071d-af7b-4bf3-a29c-f2f2953333c1-2011 1228115009078172900000E8C.xml, IEPOEventHandler

                20111230091752    I    #05704    EVNTPRSR    Succeeded <UpdateEvents>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\a212765d-3b8c-48db-b5f4-b3f39c657496-2011 1230091300500260300000320.txml, IEPOEventHandler

                20111230091804    I    #05708    EVNTPRSR    Succeeded <UpdateEvents>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\6fc7b7cd-3d3b-43ab-a13e-c68afb2175f4-2011 12300913140937311000007C4.txml, IEPOEventHandler

                20111230091836    I    #05708    EVNTPRSR    Succeeded <UpdateEvents>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\26d1a89b-d504-42f7-ae3a-54182b6a099a-2011 1230081040413098100000F38.xml, IEPOEventHandler

                20111230091836    W    #05704    EVNTPRSR    Skipping <TaskStatusEvent>, no plugin available.

                20111230091836    W    #05688    EVNTPRSR    Skipping <TaskStatusEvent>, no plugin available.

                20111230091926    W    #05472    EVNTPRSR    Skipping <VirusDetectionEvent>, no plugin available.

                20111230092008    W    #05688    EVNTPRSR    Skipping <TaskStatusEvent>, no plugin available.

                but I also see a lot of these:

                20111230090653    W    #05688    EVNTPRSR    Skipping <BehaviourBlockEvent>, no plugin available.

                • 5. Re: Threat Event Log
                  scoutt

                  Does the agent rely on the sitelist to report back to ePO? So if the DNS setting in the sitelist is wrong it will never report, right?

                  • 6. Re: Threat Event Log
                    hem

                    Yes, if the server information in the sitelist is not correct then it will not forward the events to the correct ePO server.


                    I would suggest you correct the server info in the sitelist (by opening it in notepad and saving it), or else uninstall/reinstall the agent.

                    • 7. Re: Threat Event Log
                      JoeBidgood
                      20111230091926    W    #05472    EVNTPRSR    Skipping <VirusDetectionEvent>, no plugin available.


                      This would imply that there is no event handler available for VSE events, which in turn usually means that the VSE reporting extension is missing or not functioning correctly.

                      Before anything else, check in the latest VSE 8.8 reporting extension. If it's already installed then remove it and install it again. (You can do this with reporting extensions, but not with management extensions - removing a management extension will remove any policies and tasks associated with that extension, which is almost always A Bad Thing.)

                      You can find the reporting extension in the VSE install set - it's a zip file called (in the latest package) VIRUSCANREPORTS120(136).zip.


                      HTH -


                      Joe
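As an added example (not code from the thread or from McAfee), the check Joe describes can be automated: parse EventParser lines in the format quoted in reply 4 and count which event types are being dropped with "no plugin available", flagging VirusDetectionEvent in particular, since that is the symptom of the missing VSE reporting extension. The sample log below is constructed, modelled on the lines quoted above.

```python
import re
from collections import Counter

# Constructed sample in the EVNTPRSR format quoted in reply 4 (paths shortened).
SAMPLE_LOG = r"""
20111230091751    I    #05708    EVNTPRSR    Succeeded <UpdateEvents>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\sample-1.xml, IEPOEventHandler
20111230091836    W    #05704    EVNTPRSR    Skipping <TaskStatusEvent>, no plugin available.
20111230091926    W    #05472    EVNTPRSR    Skipping <VirusDetectionEvent>, no plugin available.
20111230092008    W    #05688    EVNTPRSR    Skipping <TaskStatusEvent>, no plugin available.
20111230090653    W    #05688    EVNTPRSR    Skipping <BehaviourBlockEvent>, no plugin available.
"""

# timestamp, level (I/W/E), thread id, component, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[A-Z])\s+#(?P<thread>\d+)\s+(?P<comp>\S+)\s+(?P<msg>.*)$"
)
SKIP_RE = re.compile(r"Skipping <(?P<event>\w+)>, no plugin available")


def parse_lines(text):
    """Return one dict per well-formed log line; unparseable lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def skipped_event_counts(text):
    """Count event types the parser dropped because no handler (extension) was loaded."""
    counts = Counter()
    for row in parse_lines(text):
        if row["comp"] != "EVNTPRSR" or row["level"] != "W":
            continue
        m = SKIP_RE.search(row["msg"])
        if m:
            counts[m.group("event")] += 1
    return dict(counts)


def missing_vse_handler(text):
    """True when VirusDetectionEvent records are dropped, i.e. the VSE reporting
    extension is missing or not working (Joe's diagnosis in reply 7)."""
    return "VirusDetectionEvent" in skipped_event_counts(text)


if __name__ == "__main__":
    print(skipped_event_counts(SAMPLE_LOG))
    print("VSE reporting extension missing:", missing_vse_handler(SAMPLE_LOG))
```

Skipped TaskStatusEvent lines on their own are not the symptom here; only the dropped VirusDetectionEvent indicates the threat event log will stay empty.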

                      • 8. Re: Threat Event Log
                        scoutt

                        Thank you Joe, I found that the reporting extension was not even installed.

                        • 9. Re: Threat Event Log
                          JoeBidgood

                          That would do it. Is everything OK now?

                          Regards -


                          Joe
