Policies are not enforced for a scanner profile (Hi, Low, or Default) after an ePolicy Orchestrator server or VirusScan Enterprise extension upgrade
Technical Articles ID:   KB81867
Last Modified:  3/20/2018


Environment

McAfee VirusScan Enterprise (VSE) 8.8.x

For details of VSE 8.x supported environments, see KB51111.

Summary

Recent updates to this article:

  • March 20, 2018: Added a reference to KB84091 (unpublished), which was a duplicate of this article. Transferred one symptom from the unpublished article to this article.
  • July 27, 2017: Consolidated symptoms from KB86016 (unpublished) into Problem 2 section.

Problem

You see the following issues after you upgrade either your VSE extension or your ePolicy Orchestrator (ePO) server:
  • Configured VSE policies are not being enforced.
  • Policy changes on some systems are successfully applied, but not on others.
  • The dwExclusionCount in _dataStore.xml inside DataStore.bin does not match the exact number of exclusions created in ePO by SaveAgentPolicy.

Problem

Corrupt policy issues can also prevent a VSE extension from successfully upgrading.

In the example below, the upgrade of the VSE 8.8 Patch 6 (build 8.8.0.412) management extension fails and the following is recorded in the Orion log:
 
[echo] Real_Upgrade called. [execute-sql] [execute-sql] WARN: [execute-sql] WARN: [execute-sql] [execute-sql] [execute-sql] post_upgrade: [echo] Post_Upgrade called.
BUILD FAILED X:\PROGRA~1\McAfee\EPOLIC~1\server\extensions\installed\VIRUSCAN8800\8.8.0.412\install.xml:78: com.mcafee.orion.core.cmd.CommandException: null
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1321)
at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:1016)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:985)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:962)
at com.mcafee.orion.core.ext.tasks.cmd.ExecuteCommandTask.execute(ExecuteCommandTask.java:92)
at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:291)
at sun.reflect.GeneratedMethodAccessor991.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.tools.ant.dispatch.DispatchUtils.execute(DispatchUtils.java:106)
at org.apache.tools.ant.Task.perform(Task.java:348)
at org.apache.tools.ant.Target.execute(Target.java:390)
at org.apache.tools.ant.Target.performTasks(Target.java:411)
at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1399)
at org.apache.tools.ant.Project.executeTarget(Project.java:1368)
at com.mcafee.orion.core.ext.InstallScriptImpl.runTask(InstallScriptImpl.java:429)
at com.mcafee.orion.core.ext.InstallScriptImpl.upgrade(InstallScriptImpl.java:313)
at com.mcafee.orion.core.ext.ExtensionInstaller.upgradeImpl(ExtensionInstaller.java:1332)
at com.mcafee.orion.core.ext.ExtensionInstaller.upgrade(ExtensionInstaller.java:1112)
at com.mcafee.orion.core.ext.ExtensionInstaller.upgrade(ExtensionInstaller.java:922)
at com.mcafee.orion.core.ext.cmd.UpgradeExtensionCmd.invoke(UpgradeExtensionCmd.java:33)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1282)
at com.mcafee.orion.core.cmd.CommandInvoker.invokeCommand(CommandInvoker.java:1016)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:985)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:835)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:789)
at com.mcafee.orion.console.ui.ext.ExtensionActions.install(ExtensionActions.java:433)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at com.mcafee.orion.core.servlet.mvc.MvcActionFactoryBase.executeAction(MvcActionFactoryBase.java:55)
at com.mcafee.orion.core.servlet.ControllerServlet.executeAction(ControllerServlet.java:351)
at com.mcafee.orion.core.servlet.
..
...
ErrorReportValve.invoke(ErrorReportValve.java:98) at org.apache.catalina.valves.

Cause

The cause is unknown at this time. What is known is that the behavior is typically reported after a recent upgrade, of either the ePO server or a VSE extension, and that some form of corruption is taking place in the SQL database.

Solution

For Technical Support and Engineering to investigate this issue, we require a copy of your ePO database prior to the upgrade that introduced the problem. The pre-upgrade copy of the database is required so that Technical Support can reproduce the corruption as it occurs. Working with a post-corruption copy of the database has so far proven inconclusive for finding the root cause.

As a temporary measure, implement the workaround provided below.

IMPORTANT: The following files are required for Technical Support:
  • Minimum Escalation Requirements (MER) files for your specific product. For information about downloading the MERs for each McAfee product, see KB59385.
  • Other files and logs, as requested by Technical Support.

To contact Technical Support, log on to the ServicePortal and go to the Create a Service Request page at https://support.mcafee.com/ServicePortal/faces/serviceRequests/createSR:
  • If you are a registered user, type your User Id and Password, and then click Log In.
  • If you are not a registered user, click Register and complete the required fields. Your password and logon instructions will be emailed to you.

Workaround

Identify the corrupt policy, delete it, and then recreate the policy.

IMPORTANT: Create a backup of the SQL database before you proceed with these steps.

You can use the following SQL commands to query the corruption and also to correct it.
Use [<DB name>]

 
High Risk Policies query
Identify the corruption via these select statements. Be aware that the DELETE version of this query will remove the objects identified here.  

select TypeTextID,SectionName  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Wrkstn_Untrusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_UntrustedScan_Policies'

select TypeTextID,SectionName from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Server_Untrusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_UntrustedScan_Policies'

 If you have confirmed these objects can or should be removed, use these commands to remove the High Risk policies.

Delete From EPOPolicySettingValues where PolicySettingValuesID in
(select PolicySettingValuesID  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Wrkstn_Untrusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_UntrustedScan_Policies')
 
Delete From EPOPolicySettingValues where PolicySettingValuesID in
(select PolicySettingValuesID  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Server_Untrusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_UntrustedScan_Policies') 

Low Risk Policies query
Identify the corruption via these select statements. Be aware that the DELETE version of this query will remove the objects identified here.

select TypeTextID,SectionName  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Wrkstn_Trusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_TrustedScan_Policies'

select TypeTextID,SectionName from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Server_Trusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_TrustedScan_Policies'

If you have confirmed these objects can or should be removed, use these commands to remove the Low Risk policies.

Delete From EPOPolicySettingValues where PolicySettingValuesID in
(select PolicySettingValuesID  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Wrkstn_Trusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_TrustedScan_Policies')
 
Delete From EPOPolicySettingValues where PolicySettingValuesID in
(select PolicySettingValuesID  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Server_Trusted%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_TrustedScan_Policies')

OAS Default Policies query
Identify the corruption via these select statements. Be aware that the DELETE version of this query will remove the objects identified here.

select TypeTextID,SectionName  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Wrkstn_Default%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_DefaultScan_Policies'

select TypeTextID,SectionName from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Server_Default%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_DefaultScan_Policies'

If you have confirmed these objects can or should be removed, use these commands to remove the OAS Default policies.

Delete From EPOPolicySettingValues where PolicySettingValuesID in
(select PolicySettingValuesID  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Wrkstn_Default%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_DefaultScan_Policies')

Delete From EPOPolicySettingValues where PolicySettingValuesID in
(select PolicySettingValuesID  from EPOPolicyObjects
inner join EPOPolicyTypes on EPOPolicyTypes.TypeID = EPOPolicyObjects.TypeID
inner join EPOPolicyObjectToSettings on EPOPolicyObjects.PolicyObjectID = EPOPolicyObjectToSettings.PolicyObjectID
inner join EPOPolicySettings on EPOPolicyObjectToSettings.PolicySettingsID = EPOPolicySettings.PolicySettingsID
inner join EPOPolicySettingValues on EPOPolicySettings.PolicySettingsID = EPOPolicySettingValues.PolicySettingsID
where EPOPolicySettingValues.SectionName LIKE 'Server_Default%' and FeatureTextID ='VIRUSCAN8800' and TypeTextID != 'VSC700_DefaultScan_Policies')

NOTE: After you have identified and removed the corrupted policies, create new VSE policies.
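
The six select/delete pairs above, folded into one audit pass and one guarded delete, as an added T-SQL example that is not part of the original article or McAfee's own script. It uses only the tables and columns that appear in the article's queries; the @Expected mapping, the #Bad temp table and the @Confirm switch are names introduced here for illustration.

```sql
-- Added example. Run it in the ePO database (the article's "Use [<DB name>]").
SET XACT_ABORT ON;

-- Section-name prefix -> the only policy type that should own such sections,
-- taken from the WHERE clauses of the article's six queries.
DECLARE @Expected TABLE (Prefix nvarchar(64), ExpectedType nvarchar(128));
INSERT INTO @Expected VALUES
  (N'Wrkstn_Untrusted', N'VSC700_UntrustedScan_Policies'),
  (N'Server_Untrusted', N'VSC700_UntrustedScan_Policies'),
  (N'Wrkstn_Trusted',   N'VSC700_TrustedScan_Policies'),
  (N'Server_Trusted',   N'VSC700_TrustedScan_Policies'),
  (N'Wrkstn_Default',   N'VSC700_DefaultScan_Policies'),
  (N'Server_Default',   N'VSC700_DefaultScan_Policies');

-- Capture the mismatched rows once, so the preview and the delete
-- operate on exactly the same set.
SELECT DISTINCT v.PolicySettingValuesID, o.PolicyObjectID, TypeTextID, v.SectionName
INTO #Bad
FROM EPOPolicyObjects o
INNER JOIN EPOPolicyTypes t ON t.TypeID = o.TypeID
INNER JOIN EPOPolicyObjectToSettings os ON o.PolicyObjectID = os.PolicyObjectID
INNER JOIN EPOPolicySettings s ON os.PolicySettingsID = s.PolicySettingsID
INNER JOIN EPOPolicySettingValues v ON s.PolicySettingsID = v.PolicySettingsID
INNER JOIN @Expected e ON v.SectionName LIKE e.Prefix + N'%'
WHERE FeatureTextID = 'VIRUSCAN8800' AND TypeTextID <> e.ExpectedType;

-- Preview: which policy objects hold sections that belong to another type.
SELECT PolicyObjectID, TypeTextID, SectionName, COUNT(*) AS BadValues
FROM #Bad
GROUP BY PolicyObjectID, TypeTextID, SectionName
ORDER BY PolicyObjectID;

DECLARE @Confirm bit = 0;  -- hypothetical switch: set to 1 only after backup and review
DECLARE @Want int = (SELECT COUNT(DISTINCT PolicySettingValuesID) FROM #Bad);
DECLARE @Got int;
IF @Confirm = 1
BEGIN
    BEGIN TRANSACTION;
    DELETE FROM EPOPolicySettingValues
    WHERE PolicySettingValuesID IN (SELECT PolicySettingValuesID FROM #Bad);
    SET @Got = @@ROWCOUNT;
    -- Assumes PolicySettingValuesID is unique per row; any mismatch rolls back.
    IF @Got = @Want COMMIT TRANSACTION;
    ELSE
    BEGIN
        ROLLBACK TRANSACTION;
        RAISERROR(N'Deleted row count differs from preview; rolled back.', 16, 1);
    END
END
DROP TABLE #Bad;
```

With @Confirm left at 0 the script only reports. Keep the preview output as the list of policy objects to recreate afterwards.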

Previous Document ID

KB86016, KB84091
