ePO doesn't parse Adaptive Threat Protection event 35111
Technical Articles ID: KB93238
Last Modified: 2023-07-07 09:22:00 Etc/GMT
Environment
Endpoint Security (ENS) Adaptive Threat Protection (ATP) 10.7.x, 10.6.x
ePolicy Orchestrator (ePO) 5.x
Problem
The 35111 events are generated on the endpoint and successfully delivered and uploaded to ePO by the McAfee Agent. But ePO fails to parse the received events, so they don't appear in, for example, the ePO Threat Event Log. When the issue occurs, the managed product events sent to ePO aren't parsed and are added to the folder <ePO installation folder>\DB\Events\Debug.
The Event Parser Log records errors similar to the one below. The Event Parser Log is located on the ePO server at <ePO installation folder>\DB\Logs.
<date and time> X #03252 EVNTPRSR source\server.cpp(1015): Processing <EPOevent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\7a6087ba-1ca8-47ff-9ec1-fbc96780956d-mc_20200702065535648169800002350.xml
<date and time> X #03252 EPODAL ePOData_Connection.cpp(590): ssl Authenticate mode is 1
<date and time> X #03252 EPOEVENTS epoevents_dao.cpp(324): Events AutoID 270296
<date and time> X #03252 EPOEVENTS epoevents_dao.cpp(243): Event insert command INSERT INTO [EPExtendedEventMT]([AccessRequested],[AnalyzerGTIQuery],[AttackVectorType],[BladeName],[DurationBeforeDetection],[NaturalLangDescription],[SourceAccessTime],[SourceCreateTime],[SourceFilePath],[SourceFileSize],[SourceModifyTime],[TargetAccessTime],[TargetCreateTime],[TargetFileSize],[TargetHash],[TargetModifyTime],[TargetName],[TargetPath],[ThreatDetectedOnCreation],[EventAutoID])
<date and time> X #03252 EPOEVENTS VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
<date and time> X #03252 EPOEVENTS epoevents_dao.cpp(243): Event insert command INSERT INTO [JTIClientEventInfo]([CertCompany],[CertName],[CertPKSHA1Hash],[CertSHA1Hash],[ContentVersion],[DetectionType],[FileCompany],[FileMD5Hash],[FileSHA1Hash],[ObjectType],[PromptComments],[Reputation],[RPSensitivityLevel],[RuleID],[SecurityPosture],[EventID])
<date and time> X #03252 EPOEVENTS VALUES(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?);
<date and time> E #03252 EPOEVENTS epoevents_dao.cpp(250): COM Error 0x80040E57, source=Microsoft SQL Server Native Client 11.0, desc=String or binary data would be truncated., msg=IDispatch error #3159
...
<date and time> E #03252 EVNTPRSR source\server.cpp(1128): Failed to process file C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\7a6087ba-1ca8-47ff-9ec1-fbc96780956d-mc_20200702065535648169800002350.xml, XML file error count 1
Cause
One of the fields included in the events exceeded the allowed length and so couldn't be inserted successfully into the ePO database.
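As an added example (not part of this article or of the ePO product), the following Python script scans an Event Parser log for event files that failed to process because of the truncation error above and reports which table's INSERT raised it. The sample log lines are constructed to match the excerpt in this article; file names and timestamps are made up.

```python
import re

# Constructed sample of Event Parser log lines in the format quoted in this
# article (the real log lives under <ePO installation folder>\DB\Logs).
SAMPLE_LOG = r"""
2020-07-02 06:55:35 X #03252 EVNTPRSR source\server.cpp(1015): Processing <EPOevent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\constructed-ok-0001.xml
2020-07-02 06:55:35 X #03252 EPOEVENTS epoevents_dao.cpp(243): Event insert command INSERT INTO [EPExtendedEventMT]([AccessRequested],[EventAutoID])
2020-07-02 06:55:35 X #03252 EPOEVENTS epoevents_dao.cpp(243): Event insert command INSERT INTO [JTIClientEventInfo]([CertCompany],[EventID])
2020-07-02 06:55:36 X #03252 EVNTPRSR source\server.cpp(1015): Processing <EPOevent>, C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\constructed-bad-0002.xml
2020-07-02 06:55:36 X #03252 EPOEVENTS epoevents_dao.cpp(243): Event insert command INSERT INTO [EPExtendedEventMT]([AccessRequested],[EventAutoID])
2020-07-02 06:55:36 X #03252 EPOEVENTS epoevents_dao.cpp(243): Event insert command INSERT INTO [JTIClientEventInfo]([CertCompany],[EventID])
2020-07-02 06:55:36 E #03252 EPOEVENTS epoevents_dao.cpp(250): COM Error 0x80040E57, source=Microsoft SQL Server Native Client 11.0, desc=String or binary data would be truncated., msg=IDispatch error #3159
2020-07-02 06:55:36 E #03252 EVNTPRSR source\server.cpp(1128): Failed to process file C:\PROGRA~2\McAfee\EPOLIC~1\DB\Events\constructed-bad-0002.xml, XML file error count 1
"""

PROCESSING_RE = re.compile(r"Processing <EPOevent>, (?P<path>\S+)")
INSERT_RE = re.compile(r"Event insert command INSERT INTO \[(?P<table>\w+)\]")
COM_ERROR_RE = re.compile(r"COM Error (?P<code>0x[0-9A-Fa-f]+), .*?desc=(?P<desc>.*?), msg=")
FAILED_RE = re.compile(r"Failed to process file (?P<path>[^,]+), XML file error count (?P<count>\d+)")


def find_parse_failures(log_text):
    """Pair each 'Failed to process file' line with the COM error logged just
    before it and the table whose INSERT was the last one attempted."""
    failures = []
    current_file, last_table, pending_error = None, None, None
    for line in log_text.splitlines():
        line = line.strip()
        if m := PROCESSING_RE.search(line):          # a new event file starts
            current_file, last_table, pending_error = m["path"], None, None
        elif m := INSERT_RE.search(line):            # most recent INSERT for this file
            last_table = m["table"]
        elif m := COM_ERROR_RE.search(line):         # SQL error, attribute it to last INSERT
            pending_error = (m["code"], m["desc"].rstrip("."), last_table)
        elif m := FAILED_RE.search(line):            # parser gave up on the file
            code, desc, table = pending_error or (None, None, None)
            failures.append({"path": m["path"], "table": table, "code": code,
                             "desc": desc, "error_count": int(m["count"])})
    return failures


def truncation_failures(log_text):
    """Only failures caused by 0x80040E57 (string or binary data would be truncated),
    the symptom this article describes; such files end up under DB\Events\Debug."""
    return [f for f in find_parse_failures(log_text) if f["code"] == "0x80040E57"]


if __name__ == "__main__":
    for f in truncation_failures(SAMPLE_LOG):
        print(f"{f['path']}: {f['desc']} (table {f['table']}, errors={f['error_count']})")
```

Point it at the real EventParser log to list which event files landed in the Debug folder because of this error and which table (here JTIClientEventInfo) rejected the row.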
Solution
This issue is resolved in the ENS 10.7.0 November 2020 Update.