4 Replies Latest reply: Jan 29, 2013 7:21 AM by craig.carrigan

    Ticket Verification

    craig.carrigan

      I have a question about the Verify Ticket mechanism in MVM 7.5

       

      In previous versions of MVM, if I clicked Verify and the host was offline, it would just time out in a short amount of time and report back "Still Vulnerable". If the machine ended up coming out of service I just closed all the tickets associated with that asset.

       

      In Version 7.5 it seems that in the ticket activity window it just shows In Progress until the end of time.

       

      If an admin is clicking "Verify" and then "Next Ticket" in rapid succession to verify running patches, it seems to use up the resources on the engine, and my scheduled scans are failing.

       

      I did a reboot of my engine and I clicked Verify on a host that I pulled the ethernet cable out of. In the logs it shows it is on retry 20 and has been running about an hour.

       

      Is there a way I can set the timeout limit on the amount of tries the engines will attempt to Verify the vulnerability?

       

      Message was edited by: craig.carrigan on 1/15/13 1:51:57 PM CST
        • 1. Re: Ticket Verification

          Hi Craig,

           

          Are you on 7.5 patch 1?  I just tested this and the behavior was consistent between 7.0.8 and 7.5.1.

           

          -Cathy

          • 2. Re: Ticket Verification
            craig.carrigan

            Seems I am having a resource issue. One of my Sys admins clicked Verify, and Next ticket, a lot. This is not unusual for myself or any of the admins to do. Since in the old versions it takes a while for the scanner to spin up and do the scan. I used to do 100 at a time, then go back to the beginning to see which ones passed or failed.

             

            Well he did exactly what we always did, at about 6 pm. On the following day at Midnight when my scheduled scans kicked off, there were 79 tickets pending

             

            Here is an abbreviated Log Sample, you can see the tickets are just sitting there

             

             

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 | Enumerating module versions in Application Folder (C:\Program Files (x86)\Foundstone\):

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSAssessment.exe (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSDiag.exe (7.5.0.5005)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSDiscovery.exe (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSLogDispatcher.exe (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSLogToDiskSvc.exe (7.5.0.14106)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSScanCtrlSvc.exe (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSScanEngineSvc.exe (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSUpdate.exe (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSUpdateService.exe (5.0.0.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   TransformerX.exe (7.5.0.14106)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   Discovery.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FASLModule.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSAuthenticateHelper.dll (7.5.0.14106)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSEventLog.dll ()

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSResultProcessor.DLL (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSResultProcessorBridge.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSScanEngine.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   Interop.FSLogDispatcher.dll (1.0.0.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   libeay32.dll (0.9.8.6)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   Packet.dll (4.1.2.2001)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   Scheduler_MB.dll (7.5.0.14106)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   ShellModule.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   ssleay32.dll (0.9.8.6)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   WebFSLModule.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   WebScanModule.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   WHAM.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   WirelessModule.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   wpcap.dll (4.1.2.2001)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   zlibdll.dll (1.1.3.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 | Enumerating module versions in Common Folder (C:\Program Files (x86)\Common Files\Mcafee\Foundscan\):

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FStelnet.exe (7.5.0.14106)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   plink.exe (0.0.0.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   atl71.dll (7.10.6030.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   capicom.dll (2.1.0.2)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   dbghelp.dll (6.6.7.5)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FASL.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslCache.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslMisc.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslNB.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslRaw.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslReg.dll (7.5.0.14106)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslSec.dll (7.5.0.14106)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslSh.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FaslSock.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSCore.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   FSCoreU.dll (7.5.1.1006)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   libeay32.dll (0.9.8.6)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   msvcp71.dll (7.10.6030.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   msvcr71.dll (7.10.6030.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   Packet.dll (4.1.2.2001)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   pcre3.dll (7.0.2632.17573)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   pcredll.dll (7.8.0.0)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   ssleay32.dll (0.9.8.6)

            2013-01-19 00:00:01-06:00 |  | 4 | LogToDiskSvc | 0x1170 |   wpcap.dll (4.1.2.2001)

            2013-01-19 00:00:01-06:00 | U73_C142_J174_JNVVS_T128811_CH186636 | 4 | ScanEngineSvc | 0x082C | PostResource resource='/engine/postDiscoveryResponse/' param='engineId=C6FE3A1E-3C7E-444B-A64E-602AA851EAD2&msgId=3CD53597-9836-4445-A143-70A3BE0B5408&jobId=U73_C142_J174_JNVVS_T128811_CH186636&retries=95&timeout=10800000'

            2013-01-19 00:00:02-06:00 | U73_C142_J174_JNVVS_T128811_CH186636(3CD53597-9836-4445-A143-70A3BE0B5408) | 4 | ResultProcessor | 0x0012 | Starting ProcessDiscoveryResults...

            2013-01-19 00:00:02-06:00 | U73_C142_J174_JNVVS_T128811_CH186636(3CD53597-9836-4445-A143-70A3BE0B5408) | 4 | ResultProcessor | 0x0012 | ProcessDiscoveryResults is done.

            2013-01-19 00:00:02-06:00 | U73_C142_J174_JNVVS_T128811_CH186636 | 4 | ScanEngineSvc | 0x082C | Ack action='Retry'

            2013-01-19 00:00:02-06:00 | U73_C142_J174_JNVVS_T128811_CH186636 | 2 | ScanEngineSvc | 0x082C | Unable to send (0xa0fbf064)[E_ENGINE_HTTP_RETRY].  Retry #96 in 4 minute(s).

            2013-01-19 00:00:19-06:00 |  | 4 | Assessment | 0x0C50 | ThreadManager | [P1] | 0 | 0 | 0 | 0 | [TM] | 0 | 4 | 0 | 69 | 0 | 0 | [Modules] | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | [Process] | 8 | 28024 | 205984 | [System] | 5 | 701 | 0 | [D1] | 69 | 7 | 62 | 7 | 0 | 0 | 0 | 0 | 0 | 0 |

            2013-01-19 00:00:37-06:00 |  | 4 | ScanEngineSvc | 0x0824 | <Job id="U73_C142_J171_JNVVS_T10528_CH186502" status="Running" percentDone="50" pauseFlags="0" hostsTotal="1" hostsDiscovered="0" hostsAssessed="0" elapsedTime="P0DT05H38M17S" duration="P0DT05H38M17S" startTimeUTC="2013-01-19T00:22:20Z">

            2013-01-19 00:00:37-06:00 |  | 4 | ScanEngineSvc | 0x0824 | <Job id="U73_C142_J174_JNVVS_T125723_CH186663"

             

            There are 97 Entries like the one in Bold

             

            When my Scheduled Scans started up at midnight the following day, it starts and goes through all the discovery process steps, and then hangs on assessment.

             

            After that the scan job drops into line with the rest of the 79 entries for waiting tickets. And this is how it sat for the next 3 days until I came back to work and had to cancel all the scans, and then stop the scan engine service to clear out the queue.

             

             

             

            2013-01-19 00:06:54-06:00 | U4_C231_J500_JN2 | 4 | ScanEngine | 0x0E78 | D0 - synced state Completed, current Completed, next Completed

             

            2013-01-19 00:06:54-06:00 | U4_C231_J500_JN2 | 4 | ScanEngine | 0x0E78 | Job conditions: loadCount=0, fixupCount=1, discoveryBatchAvail=0, hostRemainingCount=0, pendingTasks=0, msgQueueCount=0

             

            2013-01-19 00:06:54-06:00 | U4_C231_J500_JN2 | 4 | ScanEngine | 0x0E78 | Assessment usage: allocated = 0, started = 0

             

            2013-01-19 00:07:01-06:00 | U73_C142_J174_JNVVS_T13393_CH186579 | 4 | ScanEngineSvc | 0x08E0 | PostResource resource='/engine/postDiscoveryResponse/' param='engineId=C6FE3A1E-3C7E-444B-A64E-602AA851EAD2&msgId=BF1CEDE2-4DC0-4745-94E3-BF066C26C163&jobId=U73_C142_J174_JNVVS_T13393_CH186579&retries=99&timeout=10800000'

             

            2013-01-19 00:07:03-06:00 | U73_C142_J174_JNVVS_T13393_CH186579(BF1CEDE2-4DC0-4745-94E3-BF066C26C163) | 4 | ResultProcessor | 0x0012 | Starting ProcessDiscoveryResults...

             

            2013-01-19 00:07:03-06:00 | U73_C142_J174_JNVVS_T13393_CH186579(BF1CEDE2-4DC0-4745-94E3-BF066C26C163) | 4 | ResultProcessor | 0x0012 | ProcessDiscoveryResults is done.

             

            2013-01-19 00:07:02-06:00 | U73_C142_J174_JNVVS_T13393_CH186579 | 4 | ScanEngineSvc | 0x08E0 | Ack action='Retry'

             

            2013-01-19 00:07:02-06:00 | U73_C142_J174_JNVVS_T13393_CH186579 | 2 | ScanEngineSvc | 0x08E0 | Unable to send (0xa0fbf064)[E_ENGINE_HTTP_RETRY].  Retry #100 in 2 minute(s).

             

            2013-01-19 00:07:19-06:00 |  | 4 | Assessment | 0x0C50 | ThreadManager | [P1] | 0 | 0 | 0 | 0 | [TM] | 0 | 4 | 0 | 69 | 0 | 0 | [Modules] | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | [Process] | 10 | 205312 | 345760 | [System] | 3 | 705 | 0 | [D1] | 69 | 7 | 62 | 7 | 0 | 0 | 0 | 0 | 0 | 0 |

             

            2013-01-19 00:07:40-06:00 |  | 4 | ScanEngineSvc | 0x0824 | <Job id="U4_C231_J500_JN2" status="Running" percentDone="16" pauseFlags="0" hostsTotal="3" hostsDiscovered="0" hostsAssessed="0" elapsedTime="P0DT00H06M52S" duration="P0DT00H06M52S" startTimeUTC="2013-01-19T06:00:48Z">

             

            2013-01-19 00:07:40-06:00 |  | 4 | ScanEngineSvc | 0x0824 | <Job id="U73_C142_J171_JNVVS_T10528_CH186502" status="Running" percentDone="50" pauseFlags="0" hostsTotal="1" hostsDiscovered="0" hostsAssessed="0" elapsedTime="P0DT05H45M20S" duration="P0DT05H45M20S" startTimeUTC="2013-01-19T00:22:20Z">

             

            2013-01-19 00:07:40-06:00 |  | 4 | ScanEngineSvc | 0x0824 | <Job id="U73_C142_J174_JNVVS_T125723_CH186663" status="Running" percentDone="50" pauseFlags="0" hostsTotal="1" hostsDiscovered="0" hostsAssessed="0" elapsedTime="P0DT04H53M37S" duration="P0DT04H53M37S" startTimeUTC="2013-01-19T01:14:03Z">
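Added example, not part of the original thread and not vendor code: a Python script that reads engine log lines in the pipe-delimited format quoted in the post above and flags jobs that keep retrying or sit in Running with no hosts discovered. The function name and the thresholds (20 retries, one hour) are assumptions; the sample lines are copied from the post.

```python
import re
from datetime import timedelta

# Sample lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
2013-01-19 00:00:02-06:00 | U73_C142_J174_JNVVS_T128811_CH186636 | 2 | ScanEngineSvc | 0x082C | Unable to send (0xa0fbf064)[E_ENGINE_HTTP_RETRY].  Retry #96 in 4 minute(s).
2013-01-19 00:07:02-06:00 | U73_C142_J174_JNVVS_T13393_CH186579 | 2 | ScanEngineSvc | 0x08E0 | Unable to send (0xa0fbf064)[E_ENGINE_HTTP_RETRY].  Retry #100 in 2 minute(s).
2013-01-19 00:07:40-06:00 |  | 4 | ScanEngineSvc | 0x0824 | <Job id="U4_C231_J500_JN2" status="Running" percentDone="16" pauseFlags="0" hostsTotal="3" hostsDiscovered="0" hostsAssessed="0" elapsedTime="P0DT00H06M52S" duration="P0DT00H06M52S" startTimeUTC="2013-01-19T06:00:48Z">
2013-01-19 00:07:40-06:00 |  | 4 | ScanEngineSvc | 0x0824 | <Job id="U73_C142_J171_JNVVS_T10528_CH186502" status="Running" percentDone="50" pauseFlags="0" hostsTotal="1" hostsDiscovered="0" hostsAssessed="0" elapsedTime="P0DT05H45M20S" duration="P0DT05H45M20S" startTimeUTC="2013-01-19T00:22:20Z">
"""

RETRY_RE = re.compile(r"Retry #(\d+) in \d+ minute")
JOB_RE = re.compile(
    r'<Job id="([^"]+)" status="([^"]+)".*?hostsDiscovered="(\d+)"'
    r'.*?elapsedTime="P(\d+)DT(\d+)H(\d+)M(\d+)S"'
)

def find_stuck_jobs(log, max_retries=20, max_elapsed=timedelta(hours=1)):
    """Return {job_id: reason} for jobs that look stuck (thresholds are assumed)."""
    findings = {}
    for line in log.splitlines():
        # Layout: timestamp | job id | level | component | thread | message
        fields = [f.strip() for f in line.split("|", 5)]
        if len(fields) != 6:
            continue  # wrapped or truncated line
        job_id, msg = fields[1], fields[5]
        retry = RETRY_RE.search(msg)
        if retry and int(retry.group(1)) > max_retries:
            findings[job_id] = f"retry #{retry.group(1)}"
        job = JOB_RE.search(msg)
        if job:
            d, h, m, s = map(int, job.group(4, 5, 6, 7))
            elapsed = timedelta(days=d, hours=h, minutes=m, seconds=s)
            if (job.group(2) == "Running" and int(job.group(3)) == 0
                    and elapsed > max_elapsed):
                findings[job.group(1)] = f"running {elapsed} with no hosts discovered"
    return findings

if __name__ == "__main__":
    for job_id, reason in find_stuck_jobs(SAMPLE_LOG).items():
        print(job_id, "->", reason)
```
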

            • 3. Re: Ticket Verification

              Hi Craig,

               

              Is the scan controller on this system?  You might check the Scan Controller logs for any errors or exceptions.

               

              Do you have a Service Request opened for this issue?  A service request should be your next step. 

               

              Thanks!
              Cathy

              • 4. Re: Ticket Verification
                craig.carrigan

                I have a scan controller on each one of my engines. The support ticket is in the works. Thank You