2 Replies Latest reply on Dec 12, 2012 3:41 AM by sysengrnz

    Event Parser and Host Intrusion Prevention Service Issue

    sysengrnz

      Hi All,

       

I have recently been working through an issue where the McAfee ePolicy Orchestrator 4.6.0 Event Parser service will not start if the McAfee Host Intrusion Prevention service is enabled. After trawling through numerous Knowledge Base articles, funneling through countless forums and filtering through the logs I have not been able to resolve this issue.

       

      I have filtered through the Server.log/Orion.log and eventparser.log files including the SQL Server logs to identify root cause. Due to not gaining much traction on this issue I've decided to fire this out to the world in the hope that somebody can point me in the right direction.

       

1.     No relevant events are reported via Windows Event Viewer

      2.     Server.log looks clean and doesn't appear to hint at any abnormal activity when eventparser service starts.

      3.     Eventparser.log displays the below output:

      4.     I've eliminated the SQL/DB Server as the point of failure and have localized the issue to the EPO Server and the HIPS Policy.

      5.     Checked the other HIPS related policies (General/IPS) and there doesn't appear to be anything configured that would break this.

          

      20121118180628 I #01560 EVNTPRSR Initializing Server...

      20121118180628 I #01560 EVNTPRSR Database initialization: Starting.

      20121118180628 I #01560 NAISIGN  RSA BSAFE Crypto-C Micro Edition FIPS 140-2 Module 3.0.0.1

      20121118180629 E #01560 EPODAL   COM Error: 0x80040E4D

      20121118180629 E #01560 EPODAL   File: .\ePOData_Connection.cpp(481)

      20121118180629 E #01560 EPODAL   Function: DAL2_CConnection::GetConnection

      20121118180629 E #01560 EPODAL   Meaning: IDispatch error #3149

      20121118180629 E #01560 EPODAL   Source: Microsoft OLE DB Provider for SQL Server

      20121118180629 E #01560 EPODAL   Description: Login failed for user 'DOMAIN\EX01$'.

      20121118180629 E #01560 EPODAL   COM Error: 0x80040E4D

      20121118180629 E #01560 EPODAL   File: .\ePOData_Connection.cpp(510)

      20121118180629 E #01560 EPODAL   Function: DAL2_CConnection::GetConnection

      20121118180629 E #01560 EPODAL   Meaning: IDispatch error #3149

      20121118180629 E #01560 EPODAL   Source: Microsoft OLE DB Provider for SQL Server

      20121118180629 E #01560 EPODAL   Description: Login failed for user 'DOMAIN\EX01$'.

      20121118180629 E #01560 EPODAL   COM Error: 0x80004002

      20121118180629 E #01560 EPODAL   File: .\ePOData_Connection.cpp(296)

      20121118180629 E #01560 EPODAL   Function: DAL2_CConnection::Init

      20121118180629 E #01560 EPODAL   Meaning: No such interface supported

      20121118180629 E #01560 EPODAL   Source: (null)

      20121118180629 E #01560 EPODAL   Description: (null)

      20121118180629 E #01560 EPODAL   DAL2_CConnection::Init: Error 0x80004002 returned from credentials callback. Database NOT available

      20121118180629 E #01560 EVNTPRSR Database initialization: Failed (hr=0x80004002).

      20121118180629 E #01560 EVNTPRSR Failed to initialize database layer. Cannot continue.

      20121118180629 I #01560 EVNTPRSR EventParser Stopped.

      20121118180629 I #01560 EVNTPRSR Cleaning up Server...

       

      On disabling HIPS and restarting the service:

      20121118181041 I #06248 EVNTPRSR Initializing Server...

      20121118181041 I #06248 EVNTPRSR Database initialization: Starting.

      20121118181042 I #06248 NAISIGN  RSA BSAFE Crypto-C Micro Edition FIPS 140-2 Module 3.0.0.1

      20121118181042 I #06248 EVNTPRSR Database initialization: Succeeded.

      20121118181042 I #06248 EVNTPRSR Starting performance monitor.

      20121118181042 I #06248 EVNTPRSR Starting plugin monitor.

      20121118181042 I #06248 EVNTPRSR Starting restart monitor.

      20121118181042 I #06248 EVNTPRSR Starting work queue with 256 threads.

      20121118181042 I #07408 EVNTPRSR Performance monitor started.

      20121118181042 I #10252 EVNTPRSR Plugin monitor started.

      20121118181042 I #00432 EVNTPRSR Restart monitor started.

      20121118181042 I #06248 EVNTPRSR Starting event listener.

      20121118181042 I #06280 EVNTPRSR Event listener started.

       

I have uploaded two Wireshark dumps - one of normal operation and one with HIPS enabled. Of note: the database is listening on 1433 and the EPO server has a policy applied to allow 'any' local port destined for the DB server on the remote port '1433'. The Wireshark dump implies that this traffic is leaving the NIC in both situations. To validate this I also performed a tcpdump on the SQL Server and can confirm that the packets are being received on the DB server and that it's sending acknowledgements back to the EPO server.

       

The interesting part of this issue is that when HIPS is enabled on the EPO, this server receives a FIN, ACK back from the database instead of maintaining the connection. I'm not sure if it's related or a red herring.

       

I can confirm that when the event parser service is running (with HIPS turned off), the server establishes a connection and the process starts up.

       

      TCP    172.20.0.3:56897       172.20.0.10:1433       ESTABLISHED     7380

       

      I've confirmed that I've allowed this type of connection in policy (screen shot provided).

       

      Any thoughts/suggestions would be great at this point.

       

      Regards,

       

       

      Andrew
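The excerpts above carry the whole diagnosis: with HIPS on, the EPODAL layer logs two 0x80040E4D "Login failed" errors from the OLE DB provider followed by a 0x80004002 from the credentials callback, and database initialization fails; with HIPS off, the same "Database initialization" step succeeds. The following triage helper is an added example, not part of the original post or of any McAfee tooling. It parses the eventparser.log line format as it appears in the post (14-digit timestamp, level letter, #thread, component, message), stitches each run of EPODAL error lines into one structured record, and reports the outcome of database initialization, so the two runs can be compared mechanically rather than by eye. The two sample excerpts are copied from the post; the field layout of the log is inferred from those lines and assumed to hold for the rest of the file.

```python
"""Triage helper for McAfee ePO eventparser.log excerpts.

Added example (not the forum poster's code and not a McAfee tool). The log
format is inferred from the lines quoted in the post and assumed to hold for
the rest of the file:
    <yyyymmddHHMMSS> <I|E|W> #<thread> <COMPONENT> <message>
Consecutive EPODAL error lines (COM Error / File / Function / Meaning /
Source / Description) are folded into one ComError record.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{14})\s+(?P<level>[IEW])\s+#(?P<thread>\d+)\s+"
    r"(?P<component>\S+)\s+(?P<msg>.*)$"
)

# Constructed sample input: the HIPS-enabled run quoted in the post.
HIPS_ON = r"""
20121118180628 I #01560 EVNTPRSR Initializing Server...
20121118180628 I #01560 EVNTPRSR Database initialization: Starting.
20121118180628 I #01560 NAISIGN  RSA BSAFE Crypto-C Micro Edition FIPS 140-2 Module 3.0.0.1
20121118180629 E #01560 EPODAL   COM Error: 0x80040E4D
20121118180629 E #01560 EPODAL   File: .\ePOData_Connection.cpp(481)
20121118180629 E #01560 EPODAL   Function: DAL2_CConnection::GetConnection
20121118180629 E #01560 EPODAL   Meaning: IDispatch error #3149
20121118180629 E #01560 EPODAL   Source: Microsoft OLE DB Provider for SQL Server
20121118180629 E #01560 EPODAL   Description: Login failed for user 'DOMAIN\EX01$'.
20121118180629 E #01560 EPODAL   COM Error: 0x80040E4D
20121118180629 E #01560 EPODAL   File: .\ePOData_Connection.cpp(510)
20121118180629 E #01560 EPODAL   Function: DAL2_CConnection::GetConnection
20121118180629 E #01560 EPODAL   Meaning: IDispatch error #3149
20121118180629 E #01560 EPODAL   Source: Microsoft OLE DB Provider for SQL Server
20121118180629 E #01560 EPODAL   Description: Login failed for user 'DOMAIN\EX01$'.
20121118180629 E #01560 EPODAL   COM Error: 0x80004002
20121118180629 E #01560 EPODAL   File: .\ePOData_Connection.cpp(296)
20121118180629 E #01560 EPODAL   Function: DAL2_CConnection::Init
20121118180629 E #01560 EPODAL   Meaning: No such interface supported
20121118180629 E #01560 EPODAL   Source: (null)
20121118180629 E #01560 EPODAL   Description: (null)
20121118180629 E #01560 EPODAL   DAL2_CConnection::Init: Error 0x80004002 returned from credentials callback. Database NOT available
20121118180629 E #01560 EVNTPRSR Database initialization: Failed (hr=0x80004002).
20121118180629 E #01560 EVNTPRSR Failed to initialize database layer. Cannot continue.
20121118180629 I #01560 EVNTPRSR EventParser Stopped.
"""

# Constructed sample input: the HIPS-disabled run quoted in the post.
HIPS_OFF = r"""
20121118181041 I #06248 EVNTPRSR Initializing Server...
20121118181041 I #06248 EVNTPRSR Database initialization: Starting.
20121118181042 I #06248 NAISIGN  RSA BSAFE Crypto-C Micro Edition FIPS 140-2 Module 3.0.0.1
20121118181042 I #06248 EVNTPRSR Database initialization: Succeeded.
20121118181042 I #06248 EVNTPRSR Starting event listener.
"""


@dataclass
class ComError:
    hresult: str
    file: str = ""
    function: str = ""
    meaning: str = ""
    source: str = ""
    description: str = ""


@dataclass
class Triage:
    db_init_ok: Optional[bool] = None   # None if the step never completed
    final_hr: str = ""                   # hr= value from the Failed line
    errors: List[ComError] = field(default_factory=list)


def triage(text: str) -> Triage:
    """Walk the log once, folding EPODAL error lines into ComError records."""
    result = Triage()
    current: Optional[ComError] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        comp, level, msg = m["component"], m["level"], m["msg"]
        if comp == "EPODAL" and level == "E":
            if msg.startswith("COM Error:"):
                current = ComError(hresult=msg.split(":", 1)[1].strip())
                result.errors.append(current)
            elif current is not None and ":" in msg:
                key, val = msg.split(":", 1)
                key = key.strip().lower()
                if key in ("file", "function", "meaning", "source", "description"):
                    setattr(current, key, val.strip())
        elif comp == "EVNTPRSR":
            if msg.startswith("Database initialization: Succeeded"):
                result.db_init_ok = True
            elif msg.startswith("Database initialization: Failed"):
                result.db_init_ok = False
                hr = re.search(r"hr=(0x[0-9A-Fa-f]+)", msg)
                result.final_hr = hr.group(1) if hr else ""
    return result


def login_failures(tri: Triage) -> List[str]:
    """Distinct OLE DB login failures (HRESULT 0x80040E4D) in a run."""
    return sorted({e.description for e in tri.errors
                   if e.hresult.upper() == "0X80040E4D"
                   and e.description.startswith("Login failed")})


if __name__ == "__main__":
    for label, sample in (("HIPS on", HIPS_ON), ("HIPS off", HIPS_OFF)):
        t = triage(sample)
        print(f"{label}: db_init_ok={t.db_init_ok} final_hr={t.final_hr!r} "
              f"com_errors={len(t.errors)} logins={login_failures(t)}")
```

Running it on the two excerpts gives `db_init_ok=False`, `final_hr='0x80004002'` and a single distinct login failure for the machine account in the HIPS-on run, and `db_init_ok=True` with no COM errors in the HIPS-off run. The point of keeping the Description field is that it names the account SQL Server rejected (here the computer account `DOMAIN\EX01$`), which is the first thing to check against the SQL login list and the account the ePO services actually run as.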

        • 1. Re: Event Parser and Host Intrusion Prevention Service Issue
          MaxPat

          Hi,

           

I've bumped into the same issue; I just disabled the firewall service on HIPS and the EventParser service went up. I'll check what in the firewall affects this and I'll let you know.

           

          Regards.

          • 2. Re: Event Parser and Host Intrusion Prevention Service Issue
            sysengrnz

            Hi Maximo - How did you get on with this issue?

             

I still haven't managed to crack this fault - I have been trialling different things in the lab environment to resolve it but still no luck; it would be great to get to the root cause so that we can finally deploy this into UAT and then hopefully Prod.

            I've filtered through a lot of documents to date and I haven't seen any McAfee articles or forums that mention this exact issue. There are similar problems that have been discussed in the public forum but none of which point to the HIPS Firewall process as the root cause.


Based on my current logic:

             

            20121118181041 I #06248 EVNTPRSR Database initialization: Starting.

            20121118181042 I #06248 NAISIGN RSA BSAFE Crypto-C Micro Edition FIPS 140-2 Module 3.0.0.1

            20121118181042 I #06248 EVNTPRSR Database initialization: Succeeded.

             

The fault has to exist within the process that's performed between the FIPS 140-2 Module loading and the EVNTPRSR initialization - it looks like there is a fundamental process that is started "possibly trying to establish a short-lived listener, which the firewall is blocking" prior to the EVNTPRSR database initialization occurring and eventually succeeding.

             

            20121118180628 I #01560 EVNTPRSR Database initialization: Starting.

            20121118180628 I #01560 NAISIGN RSA BSAFE Crypto-C Micro Edition FIPS 140-2 Module 3.0.0.1

            20121118180629 E #01560 EPODAL COM Error: 0x80040E4D

             

I'm going to look at putting a god rule at the top of this particular EPO server's policy allowing all ports locally. If this resolves the issue then this is probably something that I'll re-format and post as a McAfee KB article.

            ***The God rule allowing all protocols/any source local or remote in both directions at the top of policy does not resolve this issue*** - This has to be an underlying issue with the process. Will continue to debug.

             

Let me know if you think the above is a likely scenario based on the tests you have done and I'll be sure to post if I find anything else of relevance.

***Further diagnosis points to the McAfee application terminating the "event parser runtime" - suspect at this stage because HIPS is preventing the Remote Procedure Call/process from running.

Microsoft Exchange relies heavily on the RPC ephemeral ports being open for it to function correctly - I can confirm that Exchange is operating correctly (it uses its own unique Exchange RPC service).

Out of curiosity, does McAfee EPO use the built-in Microsoft Windows RPC service?

             

             

            If you notice anything askew please do let me know.

             

Thanks,

             

            Andrew Hardy

            CCNA-S, CCNA. CEH, FCSNA, ITIL
