
Looking for a query


I don't even know if this is possible.

But I am looking for a query that can show me recurring workstations that get infected. For example:

1. Workstations get infected and cleaned by McAfee

2. If this workstation gets infected again in a month, it should be reported in the dashboard (or by e-mail)

Is this possible?

Thanks in advance!


Re: Looking for a query

The only method I can think of at the moment, would be to create a query that shows you the number of infections for the month. You can then use the webAPI to trigger running the query.

If you need any more information, let me know and I will do my best to provide help.

Re: Looking for a query


At the moment I am using the malware detection history. I put that in an Excel sheet every day and cross-reference them (with smart handlers that detect when computers come up more than once in the list).

I want to automate the process so that I see in a report or query when a computer gets infected more than 2x within a month, and that ePO reports it to me, like in a diagram, or just sends me an email.

Because I want to reimage that machine.

Also, is it possible to see what McAfee didn't clean?

Message was edited by: dpkrijgsman on 4/15/14 4:36:33 AM CDT

Re: Looking for a query

I guess I am still trying to understand what exactly it is that you are wanting?

You could use the VSE: Computers with threats Detected per Week

You could duplicate this report and adjust it as needed, for instance, you could change it to report "event generated time = Day" and add the "Threat Handled".

This would look something like:

PC???? (Computer Name)

     April 17, 2014 (Date of Detection)

          True: 10 (Handled)

          False: 1 (Handled)

This data would indicate that you had 11 total threats: 10 were handled correctly, 1 was not. Thus you would need to image it.

You could change the "event generated time" to weekly or even monthly.

This, however, does not automate the e-mail response to you... However, it does allow you to see users who frequently become infected.

This said, why not just set up an auto response only when a threat is not handled? Ignore when they are, however have it send you a message when "Handled=FALSE", thus only notifying you of failed cleans...

All of this said, I would really recommend following the direction I gave you in a previous post about Malware / Spyware blocking. I have been running 8 plus years, and as long as I have these enabled and set up correctly I have a wonderful out-of-box experience... very little issue.

Not sure if this helps....


Re: Looking for a query

Hi pwolfe,

Thank you for your reply.

To answer your questions, I am looking for a report that will give me workstations that have been infected more than 3 times in 1 month.

So let's say computer A is infected on 1 January but also on 20 and 23 January. Then the report will give me this result.

But the report will not show me computers that have been infected only once.

I will look into the VSE: Computers with threats Detected per Week report. Thank you!

Regarding my previous post where you replied: I cannot do this because we are repackaging MSIs and use Temp to run them from.

Enable: Anti-Spyware maximum protection - "Prevent all programs from running files from the Temp folder"

Enable: Anti-Spyware maximum protection - "Prevent execution of scripts from the Temp folder"

Enable: Common Standard Protection - "Prevent common programs from running files from the Temp folder"

Enable: Common Standard Protection - "Prevent installation of Browser Helper Objects and Shell Extensions"

But thanks again for your replies!
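
The daily Excel cross-reference described in this thread can be scripted against an exported detection list. The following is an added example, not part of any poster's message and not McAfee's own code; the CSV column names, host names and rows are constructed, and counting distinct detection days rather than raw events is an assumption made here so that one noisy infection is not counted several times.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumptions, not ePO's own.
SAMPLE_EXPORT = """computer_name,event_generated_time,threat_handled
PC-A,2014-01-01T09:12:00,True
PC-A,2014-01-01T09:13:00,True
PC-A,2014-01-20T14:02:00,True
PC-A,2014-01-23T08:47:00,False
PC-B,2014-01-05T11:30:00,True
PC-C,2014-01-02T10:00:00,True
PC-C,2014-02-10T10:00:00,True
PC-C,2014-03-20T10:00:00,True
"""

def repeat_offenders(export_text, min_days=3, window_days=30):
    """Return {host: {...}} for hosts with detections on at least min_days
    distinct days inside any window of window_days days."""
    days = defaultdict(set)        # host -> distinct detection dates
    unhandled = defaultdict(int)   # host -> events where threat_handled is not True
    for row in csv.DictReader(io.StringIO(export_text)):
        host = row["computer_name"].strip().upper()
        when = datetime.fromisoformat(row["event_generated_time"].strip())
        days[host].add(when.date())
        if row["threat_handled"].strip().lower() != "true":
            unhandled[host] += 1

    flagged = {}
    window = timedelta(days=window_days)
    for host, seen in days.items():
        ordered = sorted(seen)
        start = 0
        # Sliding window over sorted dates: grow on the right, shrink on the left.
        for end, day in enumerate(ordered):
            while day - ordered[start] >= window:
                start += 1
            if end - start + 1 >= min_days:
                flagged[host] = {"window_start": ordered[start],
                                 "detection_days": end - start + 1,
                                 "unhandled": unhandled[host]}
                break
    return flagged

if __name__ == "__main__":
    for host, info in sorted(repeat_offenders(SAMPLE_EXPORT).items()):
        print(host, info)
```

A host returned with a non-zero `unhandled` count corresponds to the "Handled = False" case raised earlier in the thread.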


Re: Looking for a query

Not sure if this will give you any ideas on the install of MSI's with those settings enabled, however we package and deploy both MSI's & .exe Setup files. I have 2 ways around this.

First, add the calling process, and the msi or .exe, to the exclusion list (this does not always work, however it does most of the time). We are not a Microsoft shop; we are a Novell OES 11 & Zenworks site. So I add all of the Novell & ZCM/Zenworks exe's to the allowed list for each exclusion. This works most of the time. As I deploy my MSI's & EXE's using Zenworks, and as long as I add the .exe or .msi to the exclusion as well, it usually is fine.

Second, our VSE 8.8 "access protection" policy has been set as follows:

Enabled - Enable access protection

As 95% of my users are "Standard Users" on workstations, they have no rights and they cannot stop the McAfee services anyway, as by default you need admin rights to do so, thus allowing me to administratively. As we use Zenworks, I just add the following to my installers (all installers run as local system with admin rights or an admin account for rights):

  • sc stop mcshield - With Wait until completed
  • Run setup.exe or Msi - With Wait until completed
  • sc start mcshield - With Wait until completed

By doing this McAfee is disabled during the install, this also allows faster installs as the "Access Scanner" will not scan this install.
