Hello Chris,
I have created a Python scanner and I need to send the data to an SQL database over DXL. As far as I read from your answer, that can be possible.
Regards,
Eduard
Hello everyone,
I would like to ask what I can do with OpenDXL. What I mean by that is whether I can send some data to the server where my ePO environment is installed and write that data to an SQL database. Or is it that OpenDXL has only pre-built functionality?
Thanks in advance.
Hello Viji,
Sorry for the late answer, and thanks a lot for your team's support. I think that I will stick with the Orion.log error until my script finishes its job. Meanwhile we will update MAR, and hopefully the errors won't show anymore.
Thanks again,
Eduard
Hello Chris,
No no, I didn't update anything, I just have two ePO environments:
1 - This is the main one and it is running MAR 2.3 with Hotfix 4. (In this one I found the ERROR lines in Orion)
2 - This ePO is more oriented to development, and it is running MAR 2.4 and MVISION EDR. Also here is where I tested my script at the beginning and I didn't find any errors in Orion.
I don't have MVISION EDR installed in the first one. So it makes me think that it may be because of MAR 2.3 H4, and updating it may be a solution, but it's not that easy.
I know my English may be confusing, so tell me if there is more need for clarification.
Thanks a lot,
Eduard
Hello Chris,
I have tested the same script in another, smaller infrastructure, and with MAR 2.4 and MVISION EDR I don't find any ERROR logs in Orion.
It is interesting, I never thought that this may cause the problem. Updating the other one could be a solution, but it's not as easy as it sounds.
Thanks a lot,
Eduard
Hello Chris,
The versions that I am using:
MAR 2.3 - Hotfix 4
TIE Server & Platform 2.3.1.125
DXL Broker 5.0.1.223
Meanwhile I will test the same script in another configuration with MAR 2.4 and MVISION EDR.
Regards,
Eduard
Hello Chris,
Thank you for your answer, right now I have only MAR installed. Should I also install EDR?
Thanks again,
Eduard
Hello everyone,
I have created a script to automatically change a bunch of hashes to whatever reputation I want. It looks like reputations are properly set in TIE Server and the reputation is working fine. What I mean by that is that I have tested a hash changed to KNOWN MALICIOUS over DXL and the antivirus automatically deleted that file. I have also tested other options, like get_file_reputations, and I didn't find any error.
So when I was checking orion.log I saw this ERROR per hash:
ERROR [core-CommandInvoker-thread-33] command.RemediationHistoryChangeReputationCommand - Cannot execute command
com.mcafee.tie.server.ext.exception.TieDxlCommunicationException: Error during request handling. Error code: 0
at com.mcafee.tie.server.ext.service.impl.TieServerDxlCommunicatorImpl.sendTieRequest(TieServerDxlCommunicatorImpl.java:83)
at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.doTieRequest(TieServerBaseCommunicatorImpl.java:156)
at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.doTieRequest(TieServerBaseCommunicatorImpl.java:129)
at com.mcafee.tie.server.ext.service.impl.TieServerBaseCommunicatorImpl.getFileInfo(TieServerBaseCommunicatorImpl.java:273)
at com.mcafee.tie.server.ext.service.management.TieManagementServiceImpl.getFileInfo(TieManagementServiceImpl.java:72)
at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfoBySha1s(ReputationServiceImpl.java:158)
at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfosBy(ReputationServiceImpl.java:235)
at com.intel.edr.command.RemediationHistoryChangeReputationCommand.runTask(RemediationHistoryChangeReputationCommand.java:90)
at com.intel.edr.command.RemediationHistoryChangeReputationCommand.invoke(RemediationHistoryChangeReputationCommand.java:76)
at com.mcafee.orion.core.cmd.CommandInvoker.invoke(CommandInvoker.java:1274)
at com.mcafee.orion.core.cmd.CommandInvoker$AsyncCommandRunner.call(CommandInvoker.java:1150)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
It looks like I have those errors only when the script is changing the reputation and I don't know why since reputations are properly set after the script.
I have tested a bunch of different configurations with the brokers, but the error is still there.
I can provide the code if there is any need to do so.
Can someone explain to me why orion.log is generating those ERRORS?
Thank you for your time
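
A triage sketch for the orion.log errors quoted in the post above, added here as an example (not code from the poster or from the vendor): it groups ERROR events by logger, exception class and throwing frame, so the per-hash errors can be counted and tied to the call chain that raised them. The sample log is constructed from the trace in the post, and the optional leading timestamp in the header pattern is an assumption.

```python
import re
from collections import Counter

# Event header in the shape quoted in the post; a leading timestamp is assumed to be optional.
HEADER = re.compile(r"^(?:\S.*?\s)?(ERROR|WARN|INFO|DEBUG)\s+\[([^\]]+)\]\s+(\S+)\s+-\s+(.*)$")
EXCEPTION = re.compile(r"^([\w.$]+):\s*(.*)$")
FRAME = re.compile(r"^\s*at\s+([\w.$<>]+)\(")

# Constructed sample: two events cut down from the trace in the post, plus one INFO line.
SAMPLE = """\
ERROR [core-CommandInvoker-thread-33] command.RemediationHistoryChangeReputationCommand - Cannot execute command
com.mcafee.tie.server.ext.exception.TieDxlCommunicationException: Error during request handling. Error code: 0
at com.mcafee.tie.server.ext.service.impl.TieServerDxlCommunicatorImpl.sendTieRequest(TieServerDxlCommunicatorImpl.java:83)
at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfoBySha1s(ReputationServiceImpl.java:158)
at com.intel.edr.command.RemediationHistoryChangeReputationCommand.runTask(RemediationHistoryChangeReputationCommand.java:90)
INFO [scheduler-1] core.Scheduler - constructed unrelated line
ERROR [core-CommandInvoker-thread-34] command.RemediationHistoryChangeReputationCommand - Cannot execute command
com.mcafee.tie.server.ext.exception.TieDxlCommunicationException: Error during request handling. Error code: 0
at com.mcafee.tie.server.ext.service.impl.TieServerDxlCommunicatorImpl.sendTieRequest(TieServerDxlCommunicatorImpl.java:83)
at com.intel.edr.service.impl.ReputationServiceImpl.getFileInfoBySha1s(ReputationServiceImpl.java:158)
"""

def parse_events(text):
    """Return one dict per ERROR event, with its exception class and stack frames."""
    events, cur = [], None
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:  # any new header ends the previous event
            level, thread, logger, msg = head.groups()
            cur = None
            if level == "ERROR":
                cur = {"thread": thread, "logger": logger, "message": msg,
                       "exception": None, "detail": None, "frames": []}
                events.append(cur)
        elif cur is not None:
            frame, exc = FRAME.match(line), EXCEPTION.match(line.strip())
            if frame:
                cur["frames"].append(frame.group(1))
            elif exc and cur["exception"] is None:
                cur["exception"], cur["detail"] = exc.groups()
    return events

def first_frame_in(event, prefix):
    """First frame (nearest the throw site) whose method starts with prefix, or None."""
    return next((f for f in event["frames"] if f.startswith(prefix)), None)

def summarize(text):
    """Count ERROR events per (logger, exception class, throwing frame)."""
    return Counter((e["logger"], e["exception"], e["frames"][0] if e["frames"] else None)
                   for e in parse_events(text))
```

Calling `summarize` on the text of orion.log returns a `Counter`; `first_frame_in(event, "com.intel.edr.")` shows which method under that package issued the failing TIE request.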