cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
ezim
Level 9
Report Inappropriate Content
Message 1 of 11
‎09-11-2020 08:25 AM

McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

Since updating to MA 5.6.5.236 we are seeing Event ID 2402 "Deployment/Update Successful" in the "Client Events" logs of our machines

The 2402 events are "2402: Update Failed (High)".

Does anybody else see that?
Does anybody know what causes these spurious looking entries?

 


Event ID: 2402
Severity: Critical
Event Received Time: 11/09/20 00:17:18 BST
Event Generated Time: 11/09/20 00:15:56 BST
Host Name: xxxxxxx
User Name:
IP address: x.x.x.x
Version:
SP HotFix:
Extra DAT Names:
Event Type: Update
Error Code: Deployment/Update Successful
Locale: en
Site Name: ePO_EPO01
Initiator ID: EPOAGENT3000
Initiator Type: UpdateTask
Product Name: McAfee Agent

 

Event ID: 2401
Severity: Informational
Event Received Time: 10/09/20 23:42:19 BST
Event Generated Time: 10/09/20 23:14:45 BST
Host Name: xxxxxxx
User Name:
IP address: x.x.x.x
Version: 4192.0
SP HotFix:
Extra DAT Names:
Event Type: AMCore
Error Code: Deployment/Update Successful
Locale: en
Site Name: ePO_EPO01
Initiator ID: EPOAGENT3000
Initiator Type: UpdateTask
Product Name: AMCORDAT2000

0 Kudos
Reply
1 Solution

Accepted Solutions
ezim
Level 9
Report Inappropriate Content
Message 7 of 11
‎09-14-2020 07:08 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

Hello @cdinet,

I've dug a bit deeper on a machine at the time the events occur.

It is the following update task:
#7304 ScrptMain START [C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe -script C:\ProgramData\McAfee\Agent\update\UpdateMain.McS -id 31015 -localeid 0409 -logfile C:\ProgramData\McAfee\Agent\logs\McScript -parent FRAMEWORK -initiator 1 -installdir C:\Program Files\McAfee\Agent\\x86\ -taskid ma.cert.update.task.id]

It turns out the we didn't have the matching "MsgBus Cert Updater package" signed in to the repository the machine was using for its update.

This is described here: KB85552 "ma.cert.update.task fails nightly at 00:00 local system time on endpoints running McAfee Agent 5.0.1 and later".

I've signed this in now and will be checking what results get reported tonight.

 

So, I'm guessing what we see reported is that the update task has run. It was triggered and ran successfully. But the task's result is a failure, because it couldn't update the "MsgBus Certificate".

View solution in original post

0 Kudos
Reply
10 Replies
Hem
Employee
Employee
Report Inappropriate Content
Message 2 of 11
‎09-11-2020 08:41 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

If you have event ID checked in Event filtering (configuration->server settings->Event filtering) then event will be generated and will be displayed. If don't want then please uncheck event ID from event filter.

0 Kudos
Reply
ezim
Level 9
Report Inappropriate Content
Message 3 of 11
‎09-11-2020 08:44 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

I do want to see the 2402 events as they show failures.

The "Error Code" however says "Deployment/Update Successful".

 

This has started happening since installing the McAfee Agent 5.6.5.236

0 Kudos
Reply
Hem
Employee
Employee
Report Inappropriate Content
Message 4 of 11
‎09-11-2020 11:06 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

then you can uncheck 2402 from event filtering.

0 Kudos
Reply
ezim
Level 9
Report Inappropriate Content
Message 5 of 11
‎09-14-2020 01:45 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

Hello @Hem ,

I'm sorry, but you are missing what I am saying.

I'll try to explain again. The Event ID 2402 is for failed events.
For example alerting us to issues where the machine is not able to access a repository.

An "Error Code" that I would expect to see is for example: "Unable to find valid repository" which is a failure.

 

However, since updating the Agent we receive frequent 2402 Events displaying "Deployment/Update Successful". Which looks like a mismatch between Event ID and Error Code.

0 Kudos
Reply
cdinet
Employee
Employee
Report Inappropriate Content
Message 6 of 11
‎09-14-2020 06:25 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

I agree, that looks like a mismatch in event type.  Please open a ticket and try to get a mer from a client returning that event that would have logs for the same time frame.  We need to know exactly what happened with the task.  Also an export of the event details would be very helpful to match with the task run time.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
ezim
Level 9
Report Inappropriate Content
Message 7 of 11
‎09-14-2020 07:08 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

Hello @cdinet,

I've dug a bit deeper on a machine at the time the events occur.

It is the following update task:
#7304 ScrptMain START [C:\Program Files\McAfee\Agent\x86\McScript_InUse.exe -script C:\ProgramData\McAfee\Agent\update\UpdateMain.McS -id 31015 -localeid 0409 -logfile C:\ProgramData\McAfee\Agent\logs\McScript -parent FRAMEWORK -initiator 1 -installdir C:\Program Files\McAfee\Agent\\x86\ -taskid ma.cert.update.task.id]

It turns out the we didn't have the matching "MsgBus Cert Updater package" signed in to the repository the machine was using for its update.

This is described here: KB85552 "ma.cert.update.task fails nightly at 00:00 local system time on endpoints running McAfee Agent 5.0.1 and later".

I've signed this in now and will be checking what results get reported tonight.

 

So, I'm guessing what we see reported is that the update task has run. It was triggered and ran successfully. But the task's result is a failure, because it couldn't update the "MsgBus Certificate".

0 Kudos
Reply
cdinet
Employee
Employee
Report Inappropriate Content
Message 8 of 11
‎09-14-2020 07:14 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

In that log when the cert updater task runs, does it say the task failed or was successful?  If failed, that would explain it.  You can also compare the events you are seeing with that time frame.  If the time frames don't match, then you need to compare it to what tasks are running the time the event occurred, then check the logs for that same time frame.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
ezim
Level 9
Report Inappropriate Content
Message 9 of 11
‎09-14-2020 07:30 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

It is at the time when the event is generated and says:

2020-09-14 00:08:03 I #7304 ScrptMgr These updates will be applied if they are in the repository: EPOAGENT5000META.
2020-09-14 00:08:03 I #7304 ScrptMgr Updates were not applied because the detection scripts were not found in the Evaluation branch: EPOAGENT5000META.

 

The EPOAGENT5000META directory, is associated with the MA MsgBus Cert Updater package (according to another KB).

0 Kudos
Reply
cdinet
Employee
Employee
Report Inappropriate Content
Message 10 of 11
‎09-14-2020 08:02 AM

Re: McAfee Agent 5.6.5.236 - Event ID 2402 "Deployment/Update Successful"

Jump to solution

Ok, that makes sense.  The task itself would be successful as far as running the task and reaching the repositories, just not finding the package in right branch.  Issue should go away once you have package in current branch and change policy to point to current branch, or put package in branch it is expecting it in from the agent policy.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC