Former Member
Message 1 of 7

Alert when McAfee agent is stopped

Is there a way to create a case in ESM or an alert when the McAfee Agent is disabled or has been stopped on a host?

Accepted Solutions

Former Member
Message 6 of 7

Another option would be to use a Dynamic Watchlist to query ePO for the Last Communication date older than a specified date/time...

The following query will return a list of endpoints:

     USE ePO_EPO531; SELECT NodeName FROM EPOLeafNode WHERE LastUpdate < DATEADD(HOUR,-4,GETDATE())

In the example above, replace ePO_EPO531 with your ePO database name and HOUR,-4 with your expected age of returned systems (DAY,-1 would return a list of endpoints that have not checked in within the last day, etc.).

Configure a watchlist in SIEM to use the SQL query against the ePO database and populate a list of HOSTNAME values.
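
A variant of the query above, as an added example that is not part of the original post: it keeps the post's database, table and column names, while the variable names, the 4-hour value and the NULL handling are assumptions. In SQL a comparison against NULL is never true, so a row whose LastUpdate is NULL would be skipped by a plain `<` test.

```sql
-- Added example, not from the original post.
-- From the post: ePO_EPO531, EPOLeafNode, NodeName, LastUpdate.
-- Assumed for illustration: @MaxAgeHours, @Cutoff, the 4-hour threshold,
-- and that LastUpdate can be NULL for a system that has never checked in.
USE ePO_EPO531;

-- 1) Review query: run interactively to see what the watchlist would hold.
DECLARE @MaxAgeHours int = 4;
DECLARE @Cutoff datetime = DATEADD(HOUR, -@MaxAgeHours, GETDATE());

SELECT NodeName,
       LastUpdate,
       DATEDIFF(MINUTE, LastUpdate, GETDATE()) AS MinutesSinceLastUpdate
FROM EPOLeafNode
WHERE LastUpdate < @Cutoff
   OR LastUpdate IS NULL        -- "LastUpdate < @Cutoff" alone drops these rows
ORDER BY LastUpdate;            -- NULLs sort first, then the oldest check-ins

-- 2) Watchlist query: one statement, one column of host names, no variables,
--    so it can be pasted where a single SELECT is expected.
SELECT DISTINCT NodeName
FROM EPOLeafNode
WHERE NodeName IS NOT NULL
  AND (LastUpdate < DATEADD(HOUR, -4, GETDATE()) OR LastUpdate IS NULL);
```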

6 Replies

Moved provisionally to SIEM for faster handling.

---

Peter

Moderator

btkarp
Message 3 of 7

I think your only option is to set the time threshold and create alarms off the triggered inactivity flags.

McDuff
Message 4 of 7

Yes, I'd be interested in hearing what others are doing for this. Currently the only thing we do is run a PowerShell script that cycles through all of the systems that haven't checked in, checks if they are pingable, and if so, attempts to restart the agent.

Former Member
Message 5 of 7

Thanks for the replies, it gives me something to go off.

I think we will run a combination of both; we already have the query to tell us what agents have not responded within the last hour, so we can use that for the PS script. I will have a chat with the team in charge of managing the agents to see if they can set the time threshold so we can have some visibility in the SIEM.

Former Member
Message 7 of 7

Thank you Michael!

That has been perfect. We were able to run the query and retrieve a list of instances that have not responded within a given timeframe.

Thanks for the idea of a PS script also, this will give me some more stuff to play around with!!
