Message 1 of 7

Can I query information about whether or not an endpoint has been rebooted?

Hello all,

I am new to this site and to the ePO Web API but I'd like to start out by saying this has got to be one of the most robust and flexible web APIs I've ever worked with. I'm quite impressed. Being new, I have several questions that documentation does not cover. I'll post a series of questions but my very first regards the ability to query whether or not a machine is in a state where it needs a reboot.

I have worked with a couple of other Anti-Virus platforms where a machine will get into a state where it needs to be rebooted, usually because of a client update, but sometimes because an infected file is in use by the system and will be deleted on reboot. In fact, browsing around the ePO database, I discovered records in the EPOEventFilterDesc table where the description is exactly that. For example, event id 1312 has in the description column: "The file %FILENAME% is infected with %VIRUSNAME% %VIRUSTYPE%. The file will be deleted on reboot. Detected using Scan engine version %ENGINEVERSION% DAT version %DATVERSION%."

What I am looking to do is provide administrators with a report that says "These machines need to be rebooted as soon as possible" and let the admins work out a schedule that will allow for down time.

Does anyone know if anything like this is available anywhere? I've read all the documentation and poked around the database, but just couldn't find exactly what I was looking for.

Thanks,

-Eddie

Message 2 of 7

Re: Can I query information about whether or not an endpoint has been rebooted?

Hi Eddiec,

Could you clarify my doubt?

How are you going to notify the Admins/Users?

If you want ePO to deliver the mail to you, then it's simple: create an automatic response based on the screenshot.

event ID.JPG

event1.JPG

Note: also add all the event IDs which are related to the reboot request a

Here I have shared my knowledge as per my understanding; if it's not related or not worth that much, please excuse and ignore.

Message 3 of 7

Re: Can I query information about whether or not an endpoint has been rebooted?

Eddie,

  Here is the query I use for this very same thing you're looking for. I plan on using the reboot tools in this community to take it a step further and automatically reboot workstations and notify on servers with a pop-up.

http://hop.tl/ngHSwC5o0B4dnUX_1s

- Stephen

Message 4 of 7

Re: Can I query information about whether or not an endpoint has been rebooted?

Stephen,

This is excellent, thank you very much. I am still wondering if the endpoint would ever get into a state where a client or dat update requires a reboot, but I can cross that bridge when I come to it. Your query gives me exactly what I need for now. Thank you.

For any other coders out there who can't really use the ePO interface and need to access all data through the web API, here is Stephen's exported query written as an ad-hoc query:

target=EPOEvents&select=(select EPOEvents.DetectedUTC EPOEvents.TargetHostName EPOEvents.ThreatEventID EPOEvents.ThreatName)&where=(where (and (in EPOEvents.ThreatEventID 1028 1055 1104 1312 1313 1314 1315 1316 1317 1318 1414 1415 1416) (newerThan EPOEvents.ReceivedUTC 3600000)))&order=(order (asc EPOEvents.DetectedUTC)(asc EPOEvents.TargetHostName) (asc EPOEvents.ThreatName))

Stephen, I have another question I've posted about dates, but maybe you can help me out here. What does that 3600000 value represent for your newerThan parameter? Maybe I can figure this out myself playing with the GUI but what did you select that resulted in that 3600000 value?

Thanks,

-Eddie

Message was edited by: eddiec on 4/6/12 12:43:38 PM CDT
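
The ad-hoc query from the post above, built and consumed in Python as an added example (not code from any poster in this thread). It checks that each S-expression is balanced, then reduces a response to one row per host for a "needs reboot" report. The `/remote/core.executeQuery` path, the `:output=json` parameter, the `OK:` response prefix, the column-keyed JSON rows, the `epo.example` server name and the sample hosts are assumptions or constructed values.

```python
import json
from urllib.parse import urlencode

# Event IDs copied from the query in the post above.
REBOOT_EVENT_IDS = [1028, 1055, 1104, 1312, 1313, 1314, 1315, 1316, 1317, 1318, 1414, 1415, 1416]

def balanced(sexp):
    """True when every '(' has a matching ')' and none closes early."""
    depth = 0
    for ch in sexp:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def build_params(event_ids=REBOOT_EVENT_IDS, window_ms=3600000):
    ids = " ".join(str(int(i)) for i in event_ids)  # int() keeps stray text out of the filter
    params = {
        "target": "EPOEvents",
        "select": "(select EPOEvents.DetectedUTC EPOEvents.TargetHostName "
                  "EPOEvents.ThreatEventID EPOEvents.ThreatName)",
        "where": f"(where (and (in EPOEvents.ThreatEventID {ids}) "
                 f"(newerThan EPOEvents.ReceivedUTC {int(window_ms)})))",
        "order": "(order (asc EPOEvents.DetectedUTC) (asc EPOEvents.TargetHostName))",
        ":output": "json",  # assumption: asks the server for JSON rows
    }
    if not all(balanced(v) for v in params.values()):
        raise ValueError("unbalanced parentheses in query")
    return params

def query_url(base_url, params):
    # Assumption: the remote command is served under /remote/core.executeQuery.
    return base_url + "/remote/core.executeQuery?" + urlencode(params)

def hosts_needing_reboot(body):
    """Return {host: latest DetectedUTC} from an 'OK:'-prefixed JSON response."""
    status, _, payload = body.partition(":")
    if status.strip() != "OK":
        raise RuntimeError("query failed: " + body.strip()[:80])
    latest = {}
    for row in json.loads(payload):
        host, seen = row["EPOEvents.TargetHostName"], row["EPOEvents.DetectedUTC"]
        latest[host] = max(seen, latest.get(host, seen))
    return latest

# Constructed sample response (not real data): two events for WKS-01, one for SRV-02.
SAMPLE = """OK:
[{"EPOEvents.TargetHostName": "WKS-01", "EPOEvents.DetectedUTC": "2012-04-06T16:10:00"},
 {"EPOEvents.TargetHostName": "WKS-01", "EPOEvents.DetectedUTC": "2012-04-06T16:40:00"},
 {"EPOEvents.TargetHostName": "SRV-02", "EPOEvents.DetectedUTC": "2012-04-06T16:25:00"}]"""
```

Pass the result of `query_url("https://epo.example:8443", build_params())` to an authenticated HTTPS client, then hand the response text to `hosts_needing_reboot`.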
Message 5 of 7

Re: Can I query information about whether or not an endpoint has been rebooted?

Lakshmanan,

That's very helpful. Thank you for your reply. I'm not actually looking to have ePO deliver an email. I have another system that my administrators use that I am integrating with the ePO server. So as a programmer I am pulling data out of ePO and putting it into our custom reports in our third party system. The reasons for this are complex but the simplest reason is so that we can give admins and users access to data without giving them access to ePO.

That being said, your answer provided me with some additional areas to look at to give me more clues, and I very much appreciate that.

-Eddie

Message 6 of 7

Re: Can I query information about whether or not an endpoint has been rebooted?

Event Receive time is within the last hour, so I assume 3600000 is milliseconds.

Message 7 of 7

Re: Can I query information about whether or not an endpoint has been rebooted?

Stephen,

I feel silly for not realizing that. Thank you, that helps very much.

-Eddie
