I think you are concerned with McAfee ePO database performance!
Please can you tell me if your ePO server is running slowly?
Your environment needs to include specific hardware and software to run McAfee ePolicy Orchestrator 5.1. I think you have to review these requirements and recommendations first, before installing your McAfee ePO software, to make sure that your installation is successful.
Please confirm to me that there is no problem with the requirements before going to the next step.
Thank you for the response.
I understand that performance could be an issue in its current environment. All three devices are virtualised on the same host machine; however, they are as responsive as they would be on a physical machine unless one of the VMs is busy (usually installations/high disk read/write). I keep the load evenly spread across all three, and only one machine is doing anything other than idling when running a performance-impacting task.
To double check this, I have just run a quick test by forcing alerts with one of my rules, pushing the events to the ePO, and the ePO was able to show a graph containing the information it received less than a minute ago. Why is this not the case with the HIPS compliance? What is the difference between a threat event log being uploaded in comparison to the actual service being enabled/disabled?
Although I understand that performance is a very important point to make, I don't believe the virtual environment or performance of the host machine is what is causing the issue I am experiencing.
Another quick update: running a server task named 'Host IPS 8.0 Property Translator' updates the queries straight away. Do I have to run this every time I want to make sure my queries are all up to date? If so, why is this? The ePO server knows the status in the system tree...
I'm assuming whatever field your query is pulling from in the DB is not getting updated ASAP when you disable the policy. Meaning, the field the query is pulling from is not the same field as when you look at it from the system tree.
If you click on the query, Actions -> View SQL, you can then take the SQL and run it within SSMS, if you have access, right after you switch the policy, and see if this is the case. If your query in the DB runs and pulls back the policy as not being disabled, then it is probably a missing trigger or not being enforced properly to update that field in the DB.
Sorry it's taken me a while to get back to you, full of busy!
I've attached a screenshot of the SQL from the query below. I'm not sure what you refer to with SSMS? This is currently a lab environment so I do have access to anything which I need access to :-)
Is this 'Host IPS 8.0 Property Translator' the trigger which should run every time the query is run?
Yes, it is basically because whatever field your report is pulling from is not the same DB field as the system tree.
SSMS is SQL Server Management Studio - the back end of ePO. If you take the SQL from the report, which you posted, and run it within the query analyzer in SQL, that is just how you could verify that the fields the report is pulling from in the DB are not getting updated immediately.
By trigger I mean triggers within the DB - procedural code that is executed in response to certain events on a particular table/view. These update certain fields, and I am thinking it is not updating the field your report is pulling from immediately.
So it looks like you'll just have to run the Host IPS 8.0 Property Translator, as you mentioned that seemed to remedy it, or wait 15 min or so.