2 Replies Latest reply on Sep 25, 2012 12:48 PM by greatscott

    Large Number of 1092 event entries and high growth

    resourcegroup

      I have recently been tasked with moving our McAfee database to a new SQL server, as we have been having issues with the current build.

      As a temporary measure, this was placed on a third SQL server, a development build machine which was out of use, whilst the new server was being prepared. At this time, I made a backup of the database, which was roughly 10GB.


      Fast forward 3 weeks, and, despite delays, the database is being moved to a new production server, but, upon dismounting and creating a backup of the database, it has grown to approx. 40GB in size.


      Investigation has led me to identify a huge number of 1092 events in the DB. A query turned up 11,000,000 entries in a database which only contains approx. 13 million entries. To me, this seems obscene, as does the growth in general, and I was wondering if anyone could point me towards potential causes of this.


      Regards

        • 1. Re: Large Number of 1092 event entries and high growth
          Event ID | Name                                                   | Severity
          1092     | Access Protection rule violation detected and blocked  | Minor


          I had this same problem with VSE 8.7 on Windows 2008 R2 (only x64 if I remember correctly). The events were generated when the McAfee services were queried for the status. I modified the default Access Protection rules in ePO in the past, and because of that some specific rules to block these events, that are installed by VSE 8.7, are not loaded.


          I just filtered out the events and removed them from the database using SQL.

          • 2. Re: Large Number of 1092 event entries and high growth
            greatscott

            I think the larger overarching issue is event control.


            I would create a dash to monitor all threat events, perhaps broken out by threat name, over a given period of time (hour, day, week, month). It is necessary so you can avoid things like this from happening. When events go unchecked, databases fill up, and things go awry quickly within ePO, especially in a large environment.
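The two replies above describe, in turn, trimming the 1092 rows out of the database with SQL and monitoring event volume by threat name over time. The following T-SQL is an added example for both, not code from this thread or from McAfee; it assumes the ePO events live in a table named dbo.EPOEvents with columns ThreatEventID, ThreatName and ReceivedUTC, which you should confirm against your own schema before running it.

```sql
-- Added example (not from the thread). Assumed table and column names:
-- dbo.EPOEvents (ThreatEventID, ThreatName, ReceivedUTC). Take a full
-- database backup before running the delete section.

-- 1. Monitoring: how many 1092 events arrive per day, and under which rule
--    name, for the last 30 days. Run this on a schedule or drive a report
--    from it so runaway event sources are caught before the DB balloons.
SELECT CAST(ReceivedUTC AS date) AS EventDay,
       ThreatName,
       COUNT(*)                  AS EventCount
FROM dbo.EPOEvents WITH (NOLOCK)
WHERE ThreatEventID = 1092
  AND ReceivedUTC >= DATEADD(day, -30, GETUTCDATE())
GROUP BY CAST(ReceivedUTC AS date), ThreatName
ORDER BY EventDay DESC, EventCount DESC;

-- 2. Cleanup: remove 1092 rows older than the retention window in batches.
--    A single DELETE of ~11 million rows would hold one huge transaction and
--    grow the log file; batching keeps each transaction small.
DECLARE @BatchSize int      = 50000;
DECLARE @Cutoff    datetime = DATEADD(day, -7, GETUTCDATE());
DECLARE @Rows      int      = 1;

WHILE @Rows > 0
BEGIN
    DELETE TOP (@BatchSize)
    FROM dbo.EPOEvents
    WHERE ThreatEventID = 1092
      AND ReceivedUTC < @Cutoff;

    SET @Rows = @@ROWCOUNT;      -- 0 once nothing older than @Cutoff is left
    WAITFOR DELAY '00:00:01';    -- brief pause so the server stays responsive
END;
```

Fixing the Access Protection rule that generates the events (as the first reply notes) is what stops the growth; the delete only reclaims space already consumed.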