Showing results for 
Search instead for 
Did you mean: 
Level 7
Report Inappropriate Content
Message 1 of 4

How to find out if someone has removed the McAfee Agent?

See title. I can't seem to find any way to detect a client who deleted the McAfee Agent from the ePo server.


By the way, the easiest way I found to remove the Agent (even if protected by password), is trying to install the Kaspersky free antivirus, this thing is able to remove the managed and password protected Agent no questions asked. Maybe there are other ways, that's why I would like to know how to detect it.

3 Replies
McAfee Employee austin_o
McAfee Employee
Report Inappropriate Content
Message 2 of 4

Re: How to find out if someone has removed the McAfee Agent?

The agent doesnt have a password against it, VSE has one to lock the console; but the agent just doesnt allow the uninstall, with normal permissions, when in a managed state.  Using the switch /forceuninstall will also remove the agent from a managed machine. ( 



ePO utilize the classic client to server communication mode. Meaning ePO doesnt actually keep track of the agents until they report back; by default every one hour. The last communication time will be the only way to see if  client machine is currently managed or unmanaged.  If the time stamp stops updating, then either the agent is non functional, the computer is off, or the agent has been removed.  ePO will hold a record of the system indefinitely as it doesnt know the state of the machine. 

Utilizing a query would be the best way to see this information. Something like "Machines that have not communicated in the past 48 hours" or something similar to know if there are issues with communication.  


Hopefully this helps.   

McAfee Employee cdinet
McAfee Employee
Report Inappropriate Content
Message 3 of 4

Re: How to find out if someone has removed the McAfee Agent?

There is also a query in epo that might show some attempts.

Agent Uninstalls Attempted in the Last 7 Days


Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Reliable Contributor bodysoda
Reliable Contributor
Report Inappropriate Content
Message 4 of 4

Re: How to find out if someone has removed the McAfee Agent?

Check the EPO Audit Logs which records all the activities on the EPO. Use the find function to search for DELETE event. You will find the culprit who deleted the mcafee agent. Smiley Happy

ePO Support Center Plug-in
Check out the new ePO Support Center. Simply access the ePO Software Manager and follow the instructions in the Product Guide for the most commonly used utilities, top known issues announcements, search the knowledgebase for product documentation, and server status and statistics – all from within ePO.