VSE 6807 & 6808 DAT Integrity Reporter

Version 8

    Overview

    This tool provides a ‘snapshot’ collection of data from the environment (or from wherever the tool has been run), allowing the ePolicy Orchestrator Admin to run a report that shows which VirusScan Enterprise 8.8 systems have been affected by DAT 6807 or 6808. Using this information, you can identify and target the systems in your environment that need remediation. The tool is intended for detection only and makes no modifications to the systems. It operates in a manner that you may not expect, so it is important to thoroughly review the .htm document below to achieve expected results. It may be run many times to reassess the environment. It has been tested and verified by McAfee, and is supported on all versions of ePO 4.5 and 4.6.

    Details

    It inspects registry values and files including the OnAccessScanLog.txt, McScript.log, and McScript_backup.log to determine if the system has run the affected DAT versions, and generates an Agent Event to capture findings from the system. It is delivered as an ePO package that is intended to be checked into and deployed by ePO.

    Requirements

    The tool requires the VirusScan Enterprise 8.8 and VirusScan Enterprise Reports extensions. Make sure that you have the following two extensions checked in before proceeding:

    • VIRUSCAN8800 - Currently either versions 8.8.0.169 or 8.8.0.191 (Patch 1)
    • VIRUSCANREPORTS - Currently only version 1.2.0.136

    They are located inside VSE880LML.zip or VSE880LMLRP1.Zip, which can be downloaded with the appropriate grant number.


    Important Documentation

    It is important to thoroughly review the .htm document below for known issues and frequently asked questions before proceeding. For example:

    ePO says the Product Deployment failed?

    The product task will "Fail" on purpose. Refer to the Event data being returned for the analytical information.

    The product task fails on purpose because if it succeeded, the Agent response is hardcoded to invoke an Update - this behavior is tied to any product deployment task.

    Note: A product deployment failure event (Event 2412) is generated when this occurs. You may consider purging this event from your database, as the cause is known and is expected behavior for this tool. See the documentation for event purging information.

    Other

    We have provided an importable query to track 6807-6808 remediation status. It can be used both directly and as a template for custom queries. The ePO 4.6 compatible query is included with the package, and we have provided the ePO 4.5 compatible query separately below.

    There were no changes to the ePO product package between the 2.0.0.7 RTS and the RTW releases, though there were updates to the documentation.

    Chris Smith

    Sr Sales Engineer

    McAfee, Inc.