McAfee 8.5.0i, patch 5, managed by ePo 4.0. About 300 seats. the ePo policy for User Interface Options shows that all items in the console are supposed to be password protected, and when I'm logged into a workstation as an admin, they are. That is, I can start the console, click Tools/Unlock User Interface, enter a password, and have access to disable access protection, stop on-access scanning, etc.
However, when I'm logged on to the same workstation as a regular user, I can't do that. All options are grayed-out, and I can't stop the services (which our helpdesk techs sometimes need to do for troubleshooting).
What I don't get is that I don't see anything in ePo policies that says "admins can do this, users can't." I'd like for any logged-in user to be able to enter the password (which we change regularly and don't give out to users) and access the console.
Hmmm... I guess I should have read the documentation:
------------ Non-administrators — Users without administrator rights. Non-administrators run all VirusScan Enterprise applications in read-only mode. They can view some configuration parameters, run saved scans, and run immediate scans and updates. They cannot change any configuration parameters, create, delete, or modify saved scan or update tasks.
Administrators — Users with administrator rights. Administrators must type the password to access the protected tabs and controls in read/write mode. If a password is not provided for a protected item, they view it in read-only mode. -------------
So, the password only matters to Admins. I just now got back to my desk after talking to helpdesk and telling them that they can't try to "solve" problems by disabling the software- they'll have to troubleshoot the problem, ask for exceptions to scans, etc.
Well alrighty. I can unlock the console now by dropping the console exe into a runas window launched with local admin privs.
I tried explaining the idea to a McAfee technician over an IM session. They insisted that I had to log off of the machine and log back on as an admin to do this. My response "Um, no, I would lose my IM to you then."
Either way, I can get to it now. Props to bhamill for reading the manual and educating the masses.
The snippet below is based on the assumption of trust.Do you trust the machine that you will be typing your administrative credentials into? Is there a keylogger or malicious app resident to the machine that will glean your password?
A word of advice: supply a local admin account if possible and NOT a domain admin account. Local admin privs that are compromised suck, domain admin privs that are compromised are on another level (literally!).
Open a command prompt. "runas /user:LocalAdmin cmd" where 'LocalAdmin' is a local or domain admin on the machine.
Once the new window is opened with the admin privileges (the title should read 'c:\windows\system32\cmd.exe (running as LocalAdmin)'), launch the VirusScan console ('c:\program files\McAfee\VirusScan Enterprise\mcconsol.exe').
Once the console is opened, go to Tools->'Unlock User Interface'. By providing the password, you are no longer in read-only mode. Please remember to lock the interface back when done. AND CLOSE THE COMMAND SHELL WHEN FINISHED.
This works on an XP machine.
FYI, I NEVER log into my machine with an admin account. I open the command shell with elevated privs and drag-n-drop the application icon(s) into the shell. Wanna browse to a folder with elevated privs? Type 'cd' then drag the folder icon into the shell; this places the command shell in the directory 'dropped' into the shell.
A word of caution: not everything should be run with administrative privileges. I also recommend that you DO NOT LAUNCH Internet Explorer with elevated privs unless absolutely needed.