I am creating an automatic response that triggers when a managed on-demand scan has been cancelled by the user (Event 1035). When a user cancels their weekly managed ODS, I manually move their computer to a "Scan Now" group and do an agent wakeup call. Once I see that scan32.exe is running on the computer, I sort it back to its original location.
The automatic response I have created attempts to do this using 2 steps. The problem that I have is that step 1 and step 2 need a delay in between them.
Step 1 applies a tag to the computer, sorts it, which moves the computer to the "Scan Now" group, and then does the wakeup call.
Step 2 removes the temporary tag and re-sorts the computer, putting it back in its proper location, then does another wakeup to ensure the computer still has the correct policies.
I need to delay Step 1 and Step 2 because they happen so fast that Step 2 fails. I also need to allow a few seconds for Step 1 to actually complete before running Step 2.
I have tried a couple things to create a delay, such as creating a registered executable (c:\windows\system32\ping.exe) and running "ping -n 30 127.0.0.1 > NUL 2>&1", which basically forces a silent ping to localhost which runs for about 30 seconds. It seems the response mechanism in ePO 4.5 does not wait for each step to complete before proceeding to the next step.
Can anyone offer anything to try and resolve this for me?
I have opened a ticket with (cough) Gold support and after I convinced them that they don't need to remote in to understand that my request is not a problem, they advised they would email me with the case, to which I should reply with my questions. Not sure why I should call and explain it, then have to email it, but if I ever receive the email I will send them the above info. I looked at the mail gateway log just now and see that the Tier 1 sent the email to an invalid email addy so I never got it. Way to go Tier 1...can always count on you!
Sorry to vent...just gets frustrating
Anyway, any info would be great...
Thanks in advance.
Unfortunately, I don't know of a way offhand to accomplish what you are trying to do within the scope of ePO. Perhaps I'm not creative enough.
One question I do have is, if a user delays the scan, you move them in a group where you force the scan, why not simply *NOT* allow the users to postpone the scan? I'm sure there's a reason, just trying to understand.
Thanks for the reply...
This is not a problem with users delaying a scan. My users are not permitted to kill scans via the VSE console or task manager, but they can kill them by rebooting. The reboot situation is what triggers this response. I do allow laptop users to delay and that's not my issue. It's the ones that manage to stop a scan from completing that I want to hit.
My automatic response is creative as it is pretty tricky to filter out the machines in question through the whole process. I can accomplish my task by scheduling the 2nd part of the response, however, for completeness and accuracy, it really needs to occur as part of the response.
Well, after responses from 2 different sources at McAfee, it was deemed that adding a delay definitely cannot be done in an Automatic Response. Automatic Responses are performed in parallel and not in series, so each task does not wait for the previous to complete.
I did, however, solve my problem with some creative thinking.
What I ended up doing was enabling forwarding of event 1202 (On Demand Scan started) and creating a 2nd automatic response. Basically, and without getting into all the details and variables I am accounting for, if the "Scan Now" scan kicks in, the agent policy in the "Scan Now" group forces all events to forward immediately, including the 1202, and I then use this to trigger my 2nd action.
All good now!
Guess I can take the rest of the day off