Well, then you need to go more in details.
Let's trace the event:
Go to Services and stop McAfee Framework Service, then go to C:\ProgramData\McAfee\Common Framework\AgentEvents
Test an Eicar file and get the detection.
Do you get an event under the Folder C:\ProgramData\McAfee\Common Framework\AgentEvents?
Please, let me know if you get the event. If you get it then carry on with the flow of the event
It's strange under the windows client I don't have the service "McAfee Framework Service" neider on the server epo.
I've downloaded an Eicar test file and is blocked by the VSE on the client and now I've an XML file on C:\ProgramData\McAfee\Common Framework\AgentEvents
The XML file desapear when the agent establish a communication with the server ePO.
well sometimes this service has different name depends od the machine language.
Ok if the event has been released from the machine lets do the second step.
Go to the ePO server and stop the service Mcafee Event Parser (so we will make sure that events will not be released to the DDBB and we can see in the event folder to make sure that event goes to ePO server)
Then, go to C:\Program Files (x86)\McAfee\ePolicy Orchestrator\DB\Events and see if the event that you have sent from client has reached the ePO server. If that is the case, restart the Mcafee Event Parser service and the events should be released to the DDBB.
Please, let me know the outcome of this test
With the service "McAfee Event Parser" stopped on the ePO server I've received the events on the folder C:\Program Files\McAfee\ePolicy Orchestrator\DB\Events.
And the previous files with the Eicar detection were not XML files but TXML files.
I've checked on the ePO > Menu "Reporting" > "Threat Event Log". There's no trace about my previous detection... Only event from DATALOSS2000.
Is like the parser cannot understand all TXML log files.