1 Reply Latest reply on Oct 24, 2012 4:44 PM by soviatt

    Fields In Queries From Threat Tables Not Populated With Data

    soviatt

      ePO 4.6.4.202

       

      When I use a Dashboard monitor to display threats then click the displayed event or manually run a query to examine the details of a threat such as:

      Host IPS: Desktop High Triggered Signatures - "Msgina registry key modified" (as an example), there will be some if not all results in the table for which certain fields are blank: System Name, MAC address, User Name, for instance.

       

      So I can have say, 5 machines that have reported a vulnerability, and all 5 can be the same machine, and when I click that vulnerability to display the Threat Log tables, one entry is blank for the fields I've listed (there are other blank fields too but this is just representative);

      OR, I can have multiple machines with the same vulnerability and all of them contain certain blank fields;

      OR, I can have multiple machines with the same vulnerability - some entries have populated data fields, some entries contain fields that are blank.

       

      When I click on any of the displayed line items, whether there are blank fields or not, the Threat Log Details table displays ALL the data.

       

      Another symptom of this is that in the System Details view, there will be no Related Items bar at the bottom of the Host IPS 8.0 Event Information box and no "Go to related system" link - but ONLY for entries in the table with blank fields.

       

        This started happening when I updated ePO from 4.6.0.1.

       

      While I'm at it, I have a persistent blank entry in the table (monitor) "Threat Event Descriptions in the last 24hrs" on my Dashboard. It went incognito after the update; this blank trickles down to the System Tree view dashboard for individual machines too. I use the "Threat Event Descriptions in the last 24 hours" as one of my monitors.

       

      Anyone seen this or similar results?

        • 1. Re: Fields In Queries From Threat Tables Not Populated With Data
          soviatt

          Here's a similar symptom that I haven't been able to resolve, but for which I've at least identified the cause:

           

          In my dashboard, I am posting Threat Events in the Past 24 Hours. Since updating ePO from 4.6.0.1 to 4.6.0.4 there is always one line of threat descriptions that is blank. I can click on it and display the table of events, but I had no idea what the "Threat" was.

           

          I finally figured it out. It is Event ID: 18000. If I go to Menu>Server Settings>Event Filter to look up the code, it's not there. That is why the line item in my monitor is blank. Event ID: 18000 is supposed to be "HIPS Intrusion Detected and Handled". It USED to show up before I updated my ePO. I see this on two separate ePO servers running on two separate domains.

           

          I just love my McAfee!
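Added example (not part of the thread above, and not McAfee's own query): when the ePO console shows blank System Name / MAC / User Name columns, or a blank description for an event ID such as 18000, it helps to look at the raw event rows in the ePO SQL Server database rather than at the query result. The two statements below, run read-only against the ePO database, first count blank target fields per ThreatEventID over the last 24 hours and then list the blank-host rows together with whether their AgentGUID still resolves to a System Tree node. Table and column names (dbo.EPOEvents, dbo.EPOLeafNode, TargetHostName, TargetMAC, TargetUserName, AgentGUID, ReceivedUTC, NodeName) are the ePO 4.6 schema as I recall it and are an assumption here; check them against your own database before relying on the output.

```sql
-- Added diagnostic example, not from the original thread or from McAfee.
-- Run read-only against the ePO SQL Server database. Table and column names
-- follow the ePO 4.6 schema as recalled (assumption): dbo.EPOEvents holds
-- threat events, dbo.EPOLeafNode holds System Tree nodes keyed by AgentGUID.

-- 1. Per threat event ID in the last 24 hours: total rows and how many have
--    blank target fields. Event ID 18000 appears here as a number even if the
--    dashboard monitor renders its description as a blank line.
SELECT
    e.ThreatEventID,
    COUNT(*) AS TotalEvents,
    SUM(CASE WHEN ISNULL(e.TargetHostName, '') = '' THEN 1 ELSE 0 END) AS BlankHostName,
    SUM(CASE WHEN ISNULL(e.TargetMAC, '')      = '' THEN 1 ELSE 0 END) AS BlankMAC,
    SUM(CASE WHEN ISNULL(e.TargetUserName, '') = '' THEN 1 ELSE 0 END) AS BlankUserName
FROM dbo.EPOEvents AS e
WHERE e.ReceivedUTC >= DATEADD(HOUR, -24, GETUTCDATE())
GROUP BY e.ThreatEventID
ORDER BY BlankHostName DESC, TotalEvents DESC;

-- 2. The blank-host rows themselves, joined to the System Tree by AgentGUID.
--    NodeName IS NULL: the agent GUID on the event no longer matches a managed
--    system, so there is nothing for a "Go to related system" link to point at.
--    NodeName populated but TargetHostName blank: the system is known, and the
--    gap is in the event row as it was stored.
SELECT TOP (50)
    e.AutoID,
    e.ReceivedUTC,
    e.ThreatEventID,
    e.ThreatName,
    e.AgentGUID,
    e.TargetHostName,
    e.TargetMAC,
    e.TargetUserName,
    n.NodeName
FROM dbo.EPOEvents AS e
LEFT JOIN dbo.EPOLeafNode AS n
       ON n.AgentGUID = e.AgentGUID
WHERE e.ReceivedUTC >= DATEADD(HOUR, -24, GETUTCDATE())
  AND ISNULL(e.TargetHostName, '') = ''
ORDER BY e.ReceivedUTC DESC;
```

Running the first statement on a server with the symptom described above tells you whether the blanks are confined to one ThreatEventID or spread across all of them, which is the first thing support will ask; the second statement separates "event stored without host details" from "host no longer in the System Tree", which are fixed in different places.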