McAfee Agent 5.6 Hotfix 1264214 uploads the same events more than once and results in a backlog on the ePolicy Orchestrator server
Technical Articles ID:   KB91418
Last Modified:  5/31/2019

Environment

McAfee Agent (MA) 5.6.0 Hotfix 1264214 (Build 5.6.0.878)

Problem

With MA 5.6.0 Hotfix 1264214, the same client events are uploaded to the ePolicy Orchestrator (ePO) server repeatedly. The flood of events results in the following issues:
  • A backlog of unparsed events in the ePO_InstallDir\Db\Events\ folder on the ePO server and remote handlers.
  • Reduced performance of the ePO server or remote Agent Handler.
  • Disk space usage issues:
    • On the ePO server – caused by the backlog of events referenced in the first bullet item above.
    • On the SQL database – caused by the successful parsing of the flood of events.
The masvc_systemname.log file, located in the Agent data directory (ProgramData\McAfee\Agent\logs by default on Windows), reports the following error when the Agent tries to remove events from the local Agent database during upload:

 event.Critical: Failed in ma_db_transaction_begin, error = 217
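
To check collected agent logs for this signature, the following added example (not McAfee code and not part of the original article) scans masvc_*.log files for the error quoted above. The sample lines, their timestamp and process prefix, and the second error code are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import Path

# Signature quoted in this article; other function/code pairs are counted separately.
SIGNATURE = ("ma_db_transaction_begin", 217)
FAILED = re.compile(r"event\.Critical: Failed in (\w+), error = (\d+)")

def scan_lines(lines):
    """Return (line numbers matching SIGNATURE, Counter of other critical failures)."""
    hits, others = [], Counter()
    for number, line in enumerate(lines, start=1):
        match = FAILED.search(line)
        if not match:
            continue
        found = (match.group(1), int(match.group(2)))
        if found == SIGNATURE:
            hits.append(number)
        else:
            others[found] += 1
    return hits, others

def scan_log_dir(log_dir):
    """Scan every masvc_<systemname>.log in log_dir; return {file name: hit lines}."""
    report = {}
    for path in sorted(Path(log_dir).glob("masvc_*.log")):
        # errors="replace" keeps the scan going if a log contains odd bytes.
        with path.open(encoding="utf-8", errors="replace") as handle:
            hits, _ = scan_lines(handle)
        if hits:
            report[path.name] = hits
    return report

# Constructed sample lines; the prefix layout and the Info messages are assumptions.
SAMPLE = [
    "2019-05-20 09:14:02.101 masvc(3120.4408) event.Info: constructed upload start",
    "2019-05-20 09:14:02.340 masvc(3120.4408) event.Critical: Failed in ma_db_transaction_begin, error = 217",
    "2019-05-20 10:14:03.007 masvc(3120.4408) event.Info: constructed upload start",
    "2019-05-20 10:14:03.512 masvc(3120.4408) event.Critical: Failed in ma_db_transaction_begin, error = 217",
    "2019-05-20 10:20:00.000 masvc(3120.4408) event.Critical: Failed in ma_db_transaction_begin, error = 5",
]

if __name__ == "__main__":
    hits, others = scan_lines(SAMPLE)
    print("signature hits on lines:", hits)
    print("other critical failures:", dict(others))
```

A system whose log shows the signature repeatedly is a candidate for the MA 5.6.1 update and the workarounds described below.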

System Change

You installed or upgraded to MA 5.6.0 HF1264214 (Build 5.6.0.878).

Cause

MA is unable to obtain a transaction lock on the MA database and remove events that have already been uploaded. This issue happens when the client computer is put to sleep while the Agent is committing changes to the local database files. 

Solution

This issue is resolved in McAfee Agent (MA) 5.6.1.

To view other MA 5.6.x known issues and resolved issues, see KB90993.

The updated Agent version prevents the duplication from occurring but it does not remove the duplicate events from the ePO database. You can use the following steps to identify the issue and clean up the database:
  1. Download the FindDupEvents.zip file attached to this article. This file contains the SQL script used to find the duplicate events.
  2. Extract the FindDupEvents.sql file from the .zip file.
  3. Run the script against your ePO database.
NOTE: If the result confirms that you are experiencing the issue described in this article, update the agent on the client systems to MA 5.6.1 at the earliest opportunity. The client systems that send duplicate events to ePO are displayed in the result. If you only purge the duplicate events and do not update these systems, the clients might keep sending duplicate events to ePO. Ensure that you update the agent version on all endpoints, because this issue can recur at any time on any endpoint using MA 5.6.0.878. If the script returns no result, skip step 3 and 4.
  1. Before you continue with the next step, ensure that you have a recent backup of the ePO database (this backup includes the separate events database in ePO 5.10).
  2. Download the PurgeDupEvents.zip file attached to this article. This file contains the SQL script used to purge the duplicate events from the ePO database.
  3. Extract the PurgeDupEvents.sql file from the .zip file.
  4. Run the script against your ePO database.
NOTE: The purge script might take several hours to complete. The ePO services can remain running while the purge script is running. 
  1. Periodically repeat these steps until all Agents in the environment are no longer using MA 5.6.0.878. 

Issue resolutions in updates and major releases are cumulative; Technical Support recommends that you install the latest version. To find the most recent release for your product, visit the Product Downloads site at http://www.mcafee.com/us/downloads/downloads.aspx.

McAfee product software, upgrades, maintenance releases, and documentation are available from the Product Downloads site at: http://www.mcafee.com/us/downloads/downloads.aspx.

NOTE: You need a valid Grant Number for access. KB56057 provides additional information about the Product Downloads site, and alternate locations for some products.

Workaround

Option 1 - Use Deploy Agents from the ePO console to reinstall the McAfee Agent:
  1. From within the McAfee ePO console, select an impacted endpoint and choose Actions - Agent - Deploy Agents.
  2. Within the Deploy McAfee Agent configuration, select Force installation over existing version and populate the needed authentication credentials. 
NOTE: For more information about the requirements for an Agent deployment, see KB56386.

Option 2 - Restart the McAfee Agent service:
  1. In the McAfee Agent General policy, ensure that the Self-Protection is disabled.
  2. Restart the McAfee Agent services:
    1. Press the Windows key + R.
    2. Type services.msc into the field and press Enter. 
    3. Right-click McAfee Agent Service, and select Restart.
  3. Close the services window.

Option 3 - Disable generation of the most commonly duplicated events from the ePO server Event Filtering page:
  1. In the ePO console, navigate to Server Settings - Event Filtering.
  2. Edit Event Filtering and verify that only the option The agent forwards: Only selected events to the server is selected.
  3. Scroll down through the list of events and deselect event IDs. This action prevents the events from being generated at the client (MA) side. The most commonly duplicated event IDs can vary from environment to environment, but it appears McAfee Agent product events are the biggest offenders. Examples of these event IDs are 2401, 2402, 2422, 2427, 2411, 2412.

IMPORTANT: If you disable these event IDs within the Event Filtering page, it only stops additional events from being generated. It cannot prevent the ePO server or remote Agent Handlers from uploading and parsing existing events.

Related resources:
  • KB82881 - Explanation of the McAfee Agent 5.x policy setting 'Self-Protection (Windows Only)'
  • KB82740 - REGISTERED - How to temporarily disable self-protection for McAfee Agent 5.x in the McAfee Agent policy
    The referenced article is available only to registered ServicePortal users.

    To view registered articles:
    1. Log on to the ServicePortal at http://support.mcafee.com.
    2. Type the article ID in the search field on the home page.
    3. Click Search or press Enter.

Attachment

FindDupEvents.zip
769Bytes • < 1 minute @ broadband


Attachment

PurgeDupEvents.zip
1K • < 1 minute @ broadband

