1 2 Previous Next 11 Replies Latest reply: May 27, 2014 10:36 AM by jjames RSS

    EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119

    jjames

      I've been given the task to manage my organization's McAfee EPO 4.6.  I've been able to troubleshoot and fix a number of issues thanks to searching through McAfee's Community, but I am currently having an issue with figuring out how to resolve a constant event being thrown (Event ID 1119).  If this was just a few computers I'd try a fresh install on each of the clients but unfortunately ~75% +/- of our computers are generating this error. 

       

      I have found a similar issue involving VirusScan 8.7 where the fix is to apply patch 3, but these clients are all running VirusScan 8.8 patch 2; and I believe Patch 3 for 8.8 is only for Windows 8 or Server 2012.

       

      Similar to the issue in 8.7; the event will be thrown for a client even if they are updated to the current DAT.  I have even physically examined the client to see what version they are running to verify everything matches. 

           - I can see the progression in the EPO queries/reports for threats by events for each client saying "update failed" and it displays the incorrect version (i.e 9/13 - 7195 ... 10/1 -7213, 10/2 -7214, 10/3 -7215, 10/4 -7216)

           - I look at the client (through EPO or physically go to the PC) on any given day, and it shows the current release for the client (ie. for today 10/4/13 the event message 1119 will say 7216, client says it's 7217)

           - I check the client's log file, and it shows the update went through without any problems for each of the days.

       

      I am running McAfee EPO on Windows Server 2008 Enterprise (32 bit).  All Clients are Windows 7 Professional (64 bit).

       

      If this is a known issue and I have somehow overlooked the discussion where it is answered, please let me know...

       

      If additional information/log files are needed, please let me know and I will provide them.

       

      Thank you.

       

      -Jason James;

       

      Message was edited by: jjames on 10/4/13 12:44:22 PM CDT
        • 1. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
          jjames

          Does anyone have a thought of what is causing this issue or what I can try to resolve this problem?

          • 2. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
            roebbu

            What's the exact error message of EventID 1119?

             

            I have also ePo 4.6.6, VSE 8.8 P2 and Win7 x64 but it's running smoothly.

            • 3. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
              jjames

              I've included today's (10/15/2013) Event message from the server, the client update log file, and a screen shot showing the event 1119 messages for one of the many computers generating this issue.  In regards to the screen shot - all items listed are for a single computer. 

               

              It's not as bad as having over a million 1092 & 1095 events (I had 50,000 to 100,000 of those two events being generated every day because of VM servers), but I'm still having several hundred 1119 events being generated daily which still makes it difficult to examine logs and find items that need to be addressed.

               

              If additional information is needed, or I'm missing something in the logs let me know.

               

              Thanks,

               

              -Jason;

               

               

              Server - Event 1119 Message

               

              Server ID: <removed>
              Event Received Time: 10/15/13 8:39:43 AM
              Event Generated Time: 10/15/13 7:40:39 AM
              Agent GUID: <removed>
              Detecting Prod ID (deprecated): VIRUSCAN8800
              Detecting Product Name: VirusScan Enterprise
              Detecting Product Version: 8.8
              Detecting Product Host Name: <removed>
              Detecting Product IPv4 Address: <removed>
              Detecting Product IP Address: <removed>
              Detecting Product MAC Address: 
              DAT Version: 7227.0000
              Engine Version: 5600.1067
              Threat Source Host Name: 
              Threat Source IPv4 Address: <removed>
              Threat Source IP Address: <removed>
              Threat Source MAC Address: 
              Threat Source User Name: 
              Threat Source Process Name: 
              Threat Source URL: 
              Threat Target Host Name: <removed>
              Threat Target IPv4 Address: <removed>
              Threat Target IP Address: <removed>
              Threat Target MAC Address: 
              Threat Target User Name: SYSTEM
              Threat Target Port Number: 
              Threat Target Network Protocol: 
              Threat Target Process Name: 
              Threat Target File Path: 
              Event Category: Update ended
              Event ID: 1119
              Threat Severity: Warning
              Threat Name: none
              Threat Type: None
              Action Taken: none
              Threat Handled: true
              Analyzer Detection Method: AutoUpdate

              Event Description: The update failed; see event log

               


              Client Update Log

               

              10/15/2013 7:40:37 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate
              10/15/2013 7:43:07 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Checking update packages from repository <Removed>

              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Initializing update...
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying catalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting catalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: catalog.xml
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM These updates will be applied if they are in the repository:  Engine, DAT, VSCANCEU1000, EXTRADAT1000, BOCVSE__1000, SUPERDAT1000, VIRUSCAN8800.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Downloading PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: PkgCatalog.xml
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying V2engdet.mcs.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest Engine.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Downloading PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: PkgCatalog.xml
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying V2datdet.mcs.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest DATs.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying BocDet_VSE.McS.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Searching available updates for BOC DAT.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Downloading PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Extracting PkgCatalog.z.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Loading update configuration from: PkgCatalog.xml
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest BOC DAT.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Verifying VSE880Det.McS.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Searching available updates for McAfee VirusScan Enterprise 8.8.0.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest HotFix 793781.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest Patch 2.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Product(s) running the latest HotFix 805660.
              10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Update Finished

               

              Screen Shot of EPO showing Events for a single computer

               

              Event_1119_Error.jpg

              • 4. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
                mbauman8

                hi James,

                What about this:

                 

                Event ID 1119 — Network Name Resource Availability

                http://technet.microsoft.com/en-us/library/cc773512%28v=ws.10%29.aspx

                 

                Check DNS configuration

                     

                The Network Name resource could not register one or more Domain Name System (DNS) names. If you do not currently have Event Viewer open, see "Opening Event Viewer and viewing events related to failover clustering." If the event contains an error code that you have not yet looked up, see "Finding more information about error codes that some event messages contain." After reviewing event messages, check the following:

                     

                Can you give more details?

                Thanks

                Martin

                • 5. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
                  jjames

                  Just in case I did check the Windows Logs, and did not find the Event ID 1119.  However, the early errors that I did fix on the server was the "CAPI2" Event ID 11, and the "Apache Services" Event ID 3299 both of which were handled before I started messing the EPO last month.  I have corrected the 11 and 3299 so I am unsure if mentioning them even matter at this point.  I also went into the DNS and veirfied several of the clients (including the one I've posted about above) were present.

                   

                  At this time, as far as I can tell, everything is in regards to the McAfee EPO, agents, and VirusScan Enterprise.

                   

                  The Event ID 1119 is stating that the updates are failing and an Event is being generated in the EPO, when examining the client (either through the EPO Server, accessing through the network, or physically going to the Client computer) it shows that it is fully up to date.  The Client logs (as posted above) also do not seem to point to any update failure.  The logs (both EPO and Client side) are pretty much identical accross the board from the number that I have examined (I have not examined all but a good portion of them). 

                   

                  The only thing I can consider is that the client is requesting the update twice, the EPO is timing out or mis-interpretting when the update is submitted/finished for the client.  From the logs posted above:

                   

                  Server Side

                  Event Received Time: 10/15/13 8:39:43 AM

                  Event Generated Time: 10/15/13 7:40:39 AM

                   

                  Client Side

                  10/15/2013 7:40:37 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate

                  10/15/2013 7:43:07 AM NT AUTHORITY\SYSTEM Starting task: AutoUpdate

                  ...

                  10/15/2013 7:43:14 AM NT AUTHORITY\SYSTEM Update Finished

                   

                  According to this, at 7:40 the event is generated but the update isn't competed until 7:43 after the update starts again (I'm guessing that's what the two back to back AutoUpdates mean).  This occurs through all the logs I've examined.

                   

                  If there is anything specific that anyone would like me to include, let me know and I will see about posting it.

                   

                  Thanks,

                   

                  -Jason;

                  • 6. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
                    jjames

                    Were there anymore thoughts on this matter?  I've still not come up with any solutions on my end. 

                     

                    if someone wants a specific log / report / infomation to help get a better understanding please let me know and I will see about getting it posted.

                     

                    Thanks,

                     

                    -Jason;

                    • 7. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
                      jjames

                      Just in case it helps anyone have an idea...

                       

                      I was going through the list on the EPO server and noticed that some of the computers suddenly stopped generating the event message, and then a few others that had been performing fine suddenly started generating the event message (EVENT ID 1119).

                       

                      I'm at a loss here, is this a known issue that I've somehow overlooked?  Am I S.O.L. and just have to deal with it?

                      • 8. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
                        mbauman8

                        hi james,

                        did you deploy all hotfix?

                        did you update and install all ms patches? (just to be sure that it is no other issue )

                        martin

                         

                         

                        =======

                        IMPORTANT: VSE 8.8 Patch 2 requires the following hotfixes to be installed in the following order: Hotfix 805660, 778101, 820636, then Hotfix 846582.

                         

                        https://kc.mcafee.com/corporate/index?page=content&id=KB77043

                        https://kc.mcafee.com/corporate/index?page=content&id=KB75374

                        https://kc.mcafee.com/corporate/index?page=content&id=KB76727

                        https://kc.mcafee.com/corporate/index?page=content&id=KB78149

                        • 9. Re: EPO 4.6.6 - Virus Scan 8.8 Patch 2 - Issue with Event ID 1119
                          jjames

                          Yes the MS Updates are current.  As for the VSE 8.8 Hotfixes, I've got 805660, 793781, and 778101 already setup in the EPO.  I checked in the my products > downloads > VSE 8.8 > Patches, but I did not see the others listed.

                           

                          On a side note, it looks like I fixed a single re-occurring event 1119 issue on a server running VSE 8.7 patch 5, by updating the engine 5300 to 5600. 

                           

                          Unfortunately the VSE 8.8 computers already have their engine at 5600.  I did however try updating a few of their agents from 4.6 to 4.8...This does not appear to fix the problem since I am still getting the Event 1119 update failed from those computers.

                           

                          -Jason;

                          1 2 Previous Next