11 Replies Latest reply on Jul 23, 2015 8:45 AM by serc09

    Error while trying to duplicate VSE policies

    serc09

      Hey guys,

       

      Using EPO 5.1.1 and VSE 8.8 P4 and, well, everything's working smoothly.

       

      But while I'm trying to duplicate the 'McAfee Default - On-Access General Policies' I get a message 'An unknown error has occured.' after clicking 'OK' in the window where I can name the copied policy.

      I can duplicate the 'McAfee Default - Access Protection Policies' without any problems.

      Also tried to give the copied policy a short name like 'test' - same error....

       

      Hope anyone can help me out.

      THX in advance

       

      Kind regards

      Serc

        • 1. Re: Error while trying to duplicate VSE policies
          mmcgary

          Sounds like corrupt VSE extensions. Back up all your current policies/policy assignments/client tasks/queries for Virusscan and delete the Virusscan extensions from Menu/Software/Extensions. Check the latest extensions back in and confirm you can duplicate the policy without error. If so import everything back in and things should work properly.

          • 2. Re: Error while trying to duplicate VSE policies
            serc09

            THX for your answer.

             

            I think I found the reason - a full SQL-DB...

            Will check with the SQL guys for help.

             

            keep you informed...

            • 3. Re: Error while trying to duplicate VSE policies
              mmcgary


              Here's a SQL query to purge old events if you need it. Match the 2 dates up and it will purge all events before that date.

               


              SET rowcount 10000

              DELETE FROM epoEvents
              WHERE detectedutc < '2015-04-22' /* will delete all events older than this date */

              WHILE @@rowcount > 0
              BEGIN
                DELETE FROM epoEvents
                WHERE detectedutc < '2015-04-22' /* this date must match date above*/
              END
              SET rowcount 0
              GO

              • 4. Re: Error while trying to duplicate VSE policies
                serc09

                Thx mmcgary,

                 

                this finally released ~600MB - the DB is now 9.6 GB instead of 10.2GB.

                But I think I'll have to open a case with support because this isn't normal behaviour in my eyes.

                 

                The server was built from scratch in 08/2014, then I did some testing and it went live by the end of 10/2014.

                The server manages 86 clients (16 never reported back to the server) and 9 months later I have reached the DB limit of 10GB?

                 

                strange....

                • 5. Re: Error while trying to duplicate VSE policies
                  mmcgary

                  Run this query to get a general idea of where the space is going on the database. It's most likely for the EpoEvents table which is for all threat events.

                   

                  select object_name(id) [Table Name],
                  [Table Size] = convert (varchar, dpages * 8 / 1024) + 'MB'
                  from sysindexes where indid in (0,1)
                  order by dpages desc

                   

                   

                  In most cases a great deal of Access Protection events are the reason for quick database growth. There's a default query in EPO in Queries and Reports called VSE: Top 10 Access Protection Rules Broken. Run that and see if you have a large amount of events. If so you may want to go through the most common events and see if you can add process exclusions to the Access Protection policy. The most common violation is event id 1095 for detected but not blocked.

                   

                  If you want to purge all the events for 1095 for instance and start fresh you can use this query:

                   

                  SET rowcount 10000
                  DELETE FROM epoEvents
                  WHERE threateventid = '1095'
                  WHILE @@rowcount > 0
                  BEGIN
                     DELETE FROM epoEvents
                     WHERE threateventid = '1095'
                  END
                  SET rowcount 0
                  GO
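
Added example, not part of the original posts: the two purge scripts in this thread combined into one T-SQL batch that first previews, per event ID, what a date cutoff would remove and then deletes in batches with DELETE TOP, because SET ROWCOUNT is deprecated for DELETE statements in SQL Server. It uses only the epoEvents, detectedutc and threateventid names that appear in the thread; the @cutoff and @batch values are assumptions, and it assumes a database backup has been taken first, since purged threat events cannot be recovered for later investigation.

```sql
-- Added example (not from the thread): preview, then purge old events in batches.
-- Table and column names are the ones used in the posts above.
-- @cutoff and @batch are illustrative values; set them for your environment.
DECLARE @cutoff  datetime;
DECLARE @batch   int;
DECLARE @deleted int;
DECLARE @total   int;

SET @cutoff  = '2015-04-22';  -- single place for the date, so the two DELETEs cannot drift apart
SET @batch   = 10000;         -- rows per DELETE, keeps each transaction and log write small
SET @deleted = 1;
SET @total   = 0;

-- 1) Preview: how many events per event ID fall before the cutoff,
--    and the time range they cover. Review this before purging.
SELECT threateventid,
       COUNT(*)         AS events_to_purge,
       MIN(detectedutc) AS oldest_event,
       MAX(detectedutc) AS newest_event
FROM epoEvents
WHERE detectedutc < @cutoff
GROUP BY threateventid
ORDER BY events_to_purge DESC;

-- 2) Purge in batches until no matching rows remain.
WHILE @deleted > 0
BEGIN
    DELETE TOP (@batch) FROM epoEvents
    WHERE detectedutc < @cutoff;

    SET @deleted = @@ROWCOUNT;   -- rows removed by the DELETE just executed
    SET @total   = @total + @deleted;
END

-- 3) Report how much was removed, for the change record.
SELECT @total AS rows_deleted, @cutoff AS cutoff_used;
GO
```

To purge a single event ID instead, add `AND threateventid = 1095` to both WHERE clauses.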

                  • 6. Re: Error while trying to duplicate VSE policies
                    serc09

                    Good Morning mmcgary,

                     

                    thx for your help.

                     

                    Yesterday I ran this script posted by you above:

                    SET rowcount 10000

                    DELETE FROM epoEvents
                    WHERE detectedutc < '2015-06-01' /* will delete all events older than this date */

                    WHILE @@rowcount > 0
                    BEGIN
                      DELETE FROM epoEvents
                      WHERE detectedutc < '2015-06-01' /* this date must match date above*/
                    END
                    SET rowcount 0
                    GO

                    So I deleted all epoEvents before 1. June 2015, right?

                    When I now run the query "VSE: Top 10 Access Protection Rules Broken", are the results in the time from 1. June 2015 till now?

                     

                    Here is the table showing where the space is going in the database:

                    epo-db-space.jpg

                     

                    Do you have a SQL query to list the event IDs and how often each happened, just like the table with the database space?

                    • 7. Re: Error while trying to duplicate VSE policies
                      mmcgary

                      So I deleted all epoEvents before 1. June 2015, right?

                      When I now run the query "VSE: Top 10 Access Protection Rules Broken", are the results in the time from 1. June 2015 till now?

                       

                      Yes and yes.

                       

                      In EPO you have a default query named: Threat Event Descriptions in the Last 24 Hours. Duplicate that query and edit. On the 2nd page for "Chart" modify the "Labels are:" field with "Event ID". On the 4th page for "Filter" modify the "Event Generated Time" for whatever time frame you desire. Save and rename. This should give you a good list of all threat events sorted by Event ID.

                      • 8. Re: Error while trying to duplicate VSE policies
                        serc09

                        THX, I'll give it a try....

                        • 9. Re: Error while trying to duplicate VSE policies
                          serc09

                          Can we go to private messages?
