Nielsb
Reliable Contributor
Message 21 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

Hi, quick question: is the agent handler affected by the Apache CVE-2022-25147 vulnerabilities?

https://kcm.trellix.com/corporate/index?page=content&id=SB10399

I cannot find it in the KB article or release notes. The CVSS score is 9,8, so really urgent.

cdinet
Employee
Message 22 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

Any vulnerability questions have to have an SR opened and sent to dev for their official response.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

JoseRR
Level 10
Message 23 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

Folder now is Trellix Logs

Savage
Level 8
Message 24 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

Hi All.

I have also had issues on my test VM.

Stock Server 2019, no third-party apps etc., just ePO and the server itself running ENS. All default policies.

Ran the update as standard and then things went poopy in its pants.  

Trellix ePO 5.10.0 Server service can't start (Apache services and processes run).

Event Viewer Application entry:

Faulting application name: eventparser.exe, version: 5.10.0.4067, time stamp: 0x6425c1be
Faulting module name: ccme_base.dll, version: 4.1.4.0, time stamp: 0x5c6f90c3
Exception code: 0xc0000005
Fault offset: 0x000220fd
Faulting process id: 0x1330
Faulting application start time: 0x01d96b70b05dbd60
Faulting application path: C:\PROGRA~2\McAfee\EPOLIC~1\eventparser.exe
Faulting module path: C:\PROGRA~2\McAfee\EPOLIC~1\ccme_base.dll
Report Id: 07151bbb-252e-41bb-8e46-d9b2fc26d3fc
Faulting package full name:
Faulting package-relative application ID:

 

System Log:

The Trellix ePolicy Orchestrator 5.10.0 Event Parser service terminated unexpectedly. It has done this 46 time(s).

 

Tried to rerun the update but it says it's already installed.

 

Error Log:

[Mon Apr 10 07:30:36.795163 2023] [ssl:notice] [pid 4508:tid 576] AH01884: OpenSSL has FIPS mode enabled
[Mon Apr 10 07:30:42.562112 2023] [ssl:notice] [pid 4508:tid 576] AH01884: OpenSSL has FIPS mode enabled
[Mon Apr 10 07:30:42.562112 2023] [ssl:warn] [pid 4508:tid 576] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Apr 10 07:30:42.562112 2023] [mpm_winnt:notice] [pid 4508:tid 576] AH00455: Apache/2.4.56 (Win32) OpenSSL/1.0.2zg-fips configured -- resuming normal operations
[Mon Apr 10 07:30:42.562112 2023] [mpm_winnt:notice] [pid 4508:tid 576] AH00456: Server built: Mar 14 2023 00:08:01
[Mon Apr 10 07:30:42.562112 2023] [core:notice] [pid 4508:tid 576] AH00094: Command line: 'C:/PROGRA~2/McAfee/EPOLIC~1\\Apache2\\bin\\apache.exe -d C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Apache2 -d C:/PROGRA~2/McAfee/EPOLIC~1\\Apache2 -f C:/PROGRA~2/McAfee/EPOLIC~1\\Apache2\\conf\\httpd.conf'
[Mon Apr 10 07:30:42.592818 2023] [mpm_winnt:notice] [pid 4508:tid 576] AH00418: Parent: Created child process 4596
[Mon Apr 10 07:31:04.531776 2023] [ssl:notice] [pid 4596:tid 564] AH01884: OpenSSL has FIPS mode enabled
[Mon Apr 10 07:31:04.531776 2023] [ssl:warn] [pid 4596:tid 564] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Apr 10 07:31:30.800643 2023] [mpm_winnt:crit] [pid 4508:tid 576] AH00419: master_main: create child process failed. Exiting.
[Mon Apr 10 07:39:02.909402 2023] [ssl:notice] [pid 7148:tid 616] AH01884: OpenSSL has FIPS mode enabled
[Mon Apr 10 07:39:05.112331 2023] [ssl:notice] [pid 7148:tid 616] AH01884: OpenSSL has FIPS mode enabled
[Mon Apr 10 07:39:05.112331 2023] [ssl:warn] [pid 7148:tid 616] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Apr 10 07:39:05.128036 2023] [mpm_winnt:notice] [pid 7148:tid 616] AH00455: Apache/2.4.56 (Win32) OpenSSL/1.0.2zg-fips configured -- resuming normal operations
[Mon Apr 10 07:39:05.128036 2023] [mpm_winnt:notice] [pid 7148:tid 616] AH00456: Server built: Mar 14 2023 00:08:01
[Mon Apr 10 07:39:05.128036 2023] [core:notice] [pid 7148:tid 616] AH00094: Command line: 'C:/PROGRA~2/McAfee/EPOLIC~1\\Apache2\\bin\\apache.exe -d C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Apache2 -d C:/PROGRA~2/McAfee/EPOLIC~1\\Apache2 -f C:/PROGRA~2/McAfee/EPOLIC~1\\Apache2\\conf\\httpd.conf'
[Mon Apr 10 07:39:05.440702 2023] [mpm_winnt:notice] [pid 7148:tid 616] AH00418: Parent: Created child process 6716
[Mon Apr 10 07:39:11.612761 2023] [ssl:notice] [pid 6716:tid 596] AH01884: OpenSSL has FIPS mode enabled
[Mon Apr 10 07:39:14.472328 2023] [ssl:notice] [pid 6716:tid 596] AH01884: OpenSSL has FIPS mode enabled
[Mon Apr 10 07:39:14.472328 2023] [ssl:warn] [pid 6716:tid 596] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
[Mon Apr 10 07:39:28.769072 2023] [mpm_winnt:crit] [pid 7148:tid 616] AH00419: master_main: create child process failed. Exiting.

 

Will park the current VM and then copy it over again from the last backup and try again.
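Added example (not part of the original post and not Trellix code): a small Python parser for the Apache error-log format shown in message 24. It pairs each AH00418 "Created child process" record with the same parent's later AH00419 exit, so repeated failed starts can be counted and timed before the log goes to support. The sample records are copied, abridged, from the log above; the function and field names are this example's own.

```python
import re
from datetime import datetime

# Apache 2.4 error-log record: [time] [module:level] [pid N:tid N] AHnnnnn: message
RECORD = re.compile(
    r"\[(?P<ts>[^\]]+)\] \[\w+:\w+\] \[pid (?P<pid>\d+):tid \d+\] "
    r"(?P<code>AH\d{5}): (?P<msg>.*)"
)
CHILD = re.compile(r"Created child process (\d+)")

# Sample records copied (abridged) from the error log in the post above.
SAMPLE = [
    "[Mon Apr 10 07:30:42.592818 2023] [mpm_winnt:notice] [pid 4508:tid 576] AH00418: Parent: Created child process 4596",
    "[Mon Apr 10 07:31:04.531776 2023] [ssl:notice] [pid 4596:tid 564] AH01884: OpenSSL has FIPS mode enabled",
    "[Mon Apr 10 07:31:30.800643 2023] [mpm_winnt:crit] [pid 4508:tid 576] AH00419: master_main: create child process failed. Exiting.",
    "[Mon Apr 10 07:39:05.440702 2023] [mpm_winnt:notice] [pid 7148:tid 616] AH00418: Parent: Created child process 6716",
    "[Mon Apr 10 07:39:14.472328 2023] [ssl:warn] [pid 6716:tid 596] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]",
    "[Mon Apr 10 07:39:28.769072 2023] [mpm_winnt:crit] [pid 7148:tid 616] AH00419: master_main: create child process failed. Exiting.",
]

def failed_start_cycles(lines):
    """Return one dict per AH00419 record, joined to the parent's AH00418 if seen."""
    started = {}  # parent pid -> (time of AH00418, child pid)
    cycles = []
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue  # not a standard error-log record, skip it
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        pid = int(m["pid"])
        if m["code"] == "AH00418":
            child = CHILD.search(m["msg"])
            if child:
                started[pid] = (ts, int(child.group(1)))
        elif m["code"] == "AH00419":
            # The parent gave up; report how long after spawning the child.
            t0, child_pid = started.pop(pid, (None, None))
            cycles.append({
                "parent": pid,
                "child": child_pid,
                "exit": ts,
                "seconds_up": round((ts - t0).total_seconds(), 1) if t0 else None,
            })
    return cycles

if __name__ == "__main__":
    for cycle in failed_start_cycles(SAMPLE):
        print(cycle)
```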

Ocean1905
Level 7
Message 25 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

Hello,

This week we updated ePO from Update 11 to 16 (Service Pack 1) and it was successful. Update 14 to Update 16 was also successful.

We updated to Service Pack 1 for 2 customers.

In our lab environment we tried VMware Workstation. We got an error. Services didn't start. Then we tried Oracle Virtual machine; the ePO update from Update 15 to Update 16 finished successfully.

We think that the issue is on VMware Workstation machines.

Savage
Level 8
Message 26 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

Hi There.....

Problem is some customers take it through stages of testing and verification, such as first running it on a local VM using VMware, then they go to a lab environment with Hyper-V and VMware, then to a preprod etc. etc. etc.

Single point of failure sometimes throws the entire thing out the window and I have to sit and explain to non-technical people what happened.

I'll see if I can log a support call and get the file dumps needed.

 

cdinet
Employee
Message 27 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

Please open a ticket for the faulting application errors. That has to go to development. You will need a MER and a process dump of the faulting processes. You can use procdump for that. If the processes are actually terminating when it crashes, use procdump -ma -t eventparser.exe (for the Apache process, you would use the pid# of the Apache process with the highest memory usage).

If it is faulting without terminating, then you would use this command to get 1st chance exception and any 2nd.

procdump -ma -e 1 -n 3 eventparser.exe or pid# of apache.

If you have to start up the services to get any crash dump, then add -w option to have procdump wait till the service starts to monitor it.

 


SelsKurt
Level 9
Message 28 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

For your information, the SP1 upgrade failed too on our production server. To be honest, let's forget the word "failed" and define it by a better one: "disaster" 🙂

The upgrader announced a failure and then proceeded to a rollback. After the rollback, the SQL account used by ePO was no longer functional locally on the SQL server, the Tomcat process was tagged "to delete", the rollback was not really executed as the DB kept SP1 information, and there was no way to recover something functional, especially after an ePO reboot, as some needed files were then deleted, the tagged service included.

We are currently in a backup rollback process for our ePO and our DB, but it is clear that this updater is different in terms of stability from many of the previous ones.

Savage
Level 8
Message 29 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

What is your ePO running on..... I assume it's a virtual. What virtualization platform are you using?

I have found very little in the logs etc. that points to anything specific; all the files are there etc., but I kinda rolled eyes and said some words on the third attempt. My host machine running Windows 11 with VMware Workstation is no slouch and beefy, and when the install of SP1 went belly up and the Trellix services on the server VM started failing, both the VM and host would stop responding intermittently, no inputs from the mouse or keyboard would work, and then eventually after about 20 mins it stopped doing that and I could try and look through the logs again.... but then I just turned the VM off and had to join a meeting.

SelsKurt
Level 9
Message 30 of 130

Re: ePO 5.10 Service Pack 1 Update (ePO 5.10 SP1 CU):

I had contact with support and they are now saying not to retry the update. They have lots of information from the customers' side and this updater will have to be fixed.
