hello i also have a couple of Red Hat Enterprise Linux Server release 5.10 (Tikanga) generating many File I/O errors like the following
any idea ?
xxx Event Received Time: 6/24/16 11:14:06 AM Event Generated Time: 6/24/16 11:13:03 AM Agent GUID: 3A9F0C5A-B755-E311-982B-000000000000 Detecting Prod ID (deprecated): NULL Detecting Product Name: VirusScan Enterprise for Linux Detecting Product Version: 18.104.22.168822 Detecting Product Host Name: xxxxxx Detecting Product IPv4 Address: 10.100.200.76 Detecting Product IP Address: 10.100.200.76 Detecting Product MAC Address: DAT Version: none Engine Version: none Threat Source Host Name: Threat Source IPv4 Address: 0.0.0.0 Threat Source IP Address: 0.0.0.0 Threat Source MAC Address: Threat Source User Name: Threat Source Process Name: Threat Source URL: Threat Target Host Name: xxxxxx Threat Target IPv4 Address: 0.0.0.0 Threat Target IP Address: 0.0.0.0 Threat Target MAC Address: Threat Target User Name: oracle Threat Target Port Number: Threat Target Network Protocol: Threat Target Process Name: OAS Threat Target File Path: none Event Category: Scan failed Event ID: 1046 Threat Severity: Error Threat Name: none Threat Type: Unknown Action Taken: None Threat Handled: True Analyzer Detection Method: OASEvents received from managed systems Event Description: File I/O errors.
That event is from OnAccessScan - not ODS.
But the file I/O means engine could not access items for scanning
You could evaluate the location of the files either in OAS or ODS and decide if you wan to exclude that filetype or locationfrom scanning.
The event states "oracle" - if the machine is hosting databases and some locked files used by databases may produce scan errors as they cannot be opened scanned in OAS or ODS so to avoid errors you could exclude.
If you want to maintain scanning everything and simply avoid the events getting to db - in ePO - Server Settings - Event Filtering - this list the events that will and won't be sent to ePO - if you deselect 1046 - this will change the agent policy locally not to send those events.
thanks for the prompt and meaningful reply - i'll check again OAS exclusions