Automatic 'Threat Notification' responses stop working when 'Automatic Response' is enabled
Technical Articles ID:
KB77567
Last Modified: 11/23/2020
Environment
McAfee ePolicy Orchestrator (ePO) 5.x
McAfee Host Intrusion Prevention (Host IPS) 8.0

Problem
When you enable an ePO Automatic Response for events filtered on a Host IPS property, automatic Threat Notification responses on the ePO server might stop working.
NOTE: Only Automatic Responses from the event group ePO Notification Events and event type Threat are affected. The Detected systems and Status responses are not affected.

Orion.log displays the following every minute:

2013-03-01 11:24:00,535 DEBUG [mfs:pool-2-thread-6] dispatcher.NotificationDispatcherInternalTask - NotificationDispatcherInternalTask Running...
2013-03-01 11:24:00,535 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - BEGIN Defined at Notification: 1362137040535
2013-03-01 11:24:00,542 ERROR [mfs:pool-2-thread-6] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.orion.core.query.sexp.SerializationException: Reference to unknown table:epoThreatEvent
    at com.mcafee.orion.core.query.QueryEnvironment.getTable(QueryEnvironment.java:164)
    at com.mcafee.orion.core.query.QueryEnvironment.cacheColumn(QueryEnvironment.java:120)
    at com.mcafee.orion.core.query.QueryEnvironment.getColumnInfo(QueryEnvironment.java:90)
    at com.mcafee.orion.core.query.sexp.SexpProp.toSql(SexpProp.java:174)
    at com.mcafee.orion.core.query.sexp.ops.SexpIsBlank.toSql(SexpIsBlank.java:57)
    at com.mcafee.orion.core.query.sexp.ops.SexpUnaryOperator.toSql(SexpUnaryOperator.java:38)
    at com.mcafee.orion.core.query.sexp.ops.SexpNegationOperator.toSql(SexpNegationOperator.java:79)
    at com.mcafee.orion.core.query.sexp.SexpList.makeSql(SexpList.java:244)
    at com.mcafee.orion.core.query.sexp.ops.SexpBooleanOperator.toSql(SexpBooleanOperator.java:38)
    at com.mcafee.orion.core.query.sexp.SexpList.makeSql(SexpList.java:244)
    at com.mcafee.orion.core.query.sexp.ops.SexpBooleanOperator.toSql(SexpBooleanOperator.java:38)
    at com.mcafee.orion.core.query.sexp.SexpList.makeSql(SexpList.java:244)
    at com.mcafee.orion.core.query.sexp.ops.SexpBooleanOperator.toSql(SexpBooleanOperator.java:38)
    at com.mcafee.orion.core.query.sexp.ops.SexpWhere.toSql(SexpWhere.java:52)
    at com.mcafee.orion.core.query.QueryBuilder.makeQuery(QueryBuilder.java:301)
    at com.mcafee.orion.core.query.QueryBuilder.makeQuery(QueryBuilder.java:252)
    at com.mcafee.orion.core.query.QueryBuilder.getQuerySQL(QueryBuilder.java:226)
    at com.mcafee.orion.core.query.QueryBuilder.getQuerySQL(QueryBuilder.java:83)
    at com.mcafee.epo.notifications.dispatcher.ThreatNotification.makeWhereClause(ThreatNotification.java:257)
    at com.mcafee.epo.notifications.dispatcher.DefinedAtNotification.execute(DefinedAtNotification.java:46)
    at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherService.fireAllEvents(NotificationDispatcherService.java:20)
    at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherInternalTask.run(NotificationDispatcherInternalTask.java:34)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(FutureTask.java:317)
    at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:150)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(ScheduledThreadPoolExecutor.java:98)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:204)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
2013-03-01 11:24:00,543 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - END Defined at Notification: 1362137040543

System Change
You enabled a new Automatic Response for events filtered on a Host IPS property.
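
The Orion.log symptom quoted above can be checked for mechanically, which matters because a failing dispatcher means threat notifications silently stop. The following Python sketch is an added example, not McAfee code: it pairs each BEGIN/END "Defined at Notification" run with any ERROR logged in between and extracts the unknown table name. The function name and the sample log are constructed here, and the line layout is assumed to match the excerpt above.

```python
import re
from datetime import datetime

HEADER = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} (\w+)\s+\[([^\]]+)\] (\S+) - (.*)$")
UNKNOWN_TABLE = re.compile(r"SerializationException: Reference to unknown table:(\S+)")

# Constructed sample in the quoted Orion.log layout; traces shortened, last run is an assumed healthy shape.
SAMPLE_LOG = """\
2013-03-01 11:24:00,535 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - BEGIN Defined at Notification: 1362137040535
2013-03-01 11:24:00,542 ERROR [mfs:pool-2-thread-6] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.orion.core.query.sexp.SerializationException: Reference to unknown table:epoThreatEvent
\tat com.mcafee.orion.core.query.QueryEnvironment.getTable(QueryEnvironment.java:164)
2013-03-01 11:24:00,543 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - END Defined at Notification: 1362137040543
2013-03-01 11:25:00,535 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - BEGIN Defined at Notification: 1362137100535
2013-03-01 11:25:00,542 ERROR [mfs:pool-2-thread-6] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.orion.core.query.sexp.SerializationException: Reference to unknown table:epoThreatEvent
2013-03-01 11:25:00,543 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - END Defined at Notification: 1362137100543
2013-03-01 11:26:00,535 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - BEGIN Defined at Notification: 1362137160535
2013-03-01 11:26:00,543 INFO [mfs:pool-2-thread-6] dispatcher.ThreatNotification - END Defined at Notification: 1362137160543
"""

def failed_threat_runs(log_text):
    """Return one record per ThreatNotification dispatch run that logged an ERROR."""
    failures, open_runs, pending = [], {}, None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            # Continuation line: the first one after the ERROR names the exception.
            if pending is not None and pending["cause"] is None:
                pending["cause"] = line.strip()
                t = UNKNOWN_TABLE.search(line)
                pending["unknown_table"] = t.group(1) if t else None
            continue
        pending = None
        ts, level, thread, logger, msg = m.groups()
        if logger != "dispatcher.ThreatNotification":
            continue
        if msg.startswith("BEGIN Defined at Notification"):
            open_runs[thread] = dict(start=datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), cause=None, unknown_table=None, failed=False)
        elif level == "ERROR" and thread in open_runs:
            pending = open_runs[thread]
            pending["failed"] = True
        elif msg.startswith("END Defined at Notification") and thread in open_runs:
            run = open_runs.pop(thread)
            if run["failed"]:
                failures.append(run)
    # A log that ends mid-run has no END line; still report what failed.
    failures.extend(r for r in open_runs.values() if r["failed"])
    return failures
```

Failed runs whose `start` values are one minute apart and whose `unknown_table` is `epoThreatEvent` match the pattern this article describes.
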
Solution
This issue is resolved in Host IPS 8.0
McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: https://www.mcafee.com/enterprise/en-us/downloads/my-products.html.
NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products. Patches are cumulative. Technical Support recommends that you install the latest one.
For information about this release, see the following: