See title. I can't seem to find any way to detect a client who deleted the McAfee Agent from the ePo server.
By the way, the easiest way I found to remove the Agent (even if protected by password), is trying to install the Kaspersky free antivirus, this thing is able to remove the managed and password protected Agent no questions asked. Maybe there are other ways, that's why I would like to know how to detect it.
The agent doesnt have a password against it, VSE has one to lock the console; but the agent just doesnt allow the uninstall, with normal permissions, when in a managed state. Using the switch /forceuninstall will also remove the agent from a managed machine. (https://kc.mcafee.com/corporate/index?page=content&id=kb65863).
ePO utilize the classic client to server communication mode. Meaning ePO doesnt actually keep track of the agents until they report back; by default every one hour. The last communication time will be the only way to see if client machine is currently managed or unmanaged. If the time stamp stops updating, then either the agent is non functional, the computer is off, or the agent has been removed. ePO will hold a record of the system indefinitely as it doesnt know the state of the machine.
Utilizing a query would be the best way to see this information. Something like "Machines that have not communicated in the past 48 hours" or something similar to know if there are issues with communication.
Hopefully this helps.
There is also a query in epo that might show some attempts.
Agent Uninstalls Attempted in the Last 7 Days
Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
Check the EPO Audit Logs which records all the activities on the EPO. Use the find function to search for DELETE event. You will find the culprit who deleted the mcafee agent.