We've just been installing 4.6.6 internally for a new network and are trying to make things as automated as possible. We've got Tags/Policies set up to determine OS, e.g. "Microsoft Server 2008 R2", "Microsoft Windows 8", "Microsoft SQL Server 2008 R2", and if it's a VM or not, "VMWare Tools" (checks on MAC address).
I had been hoping to assign multiple tags & associated policies to a client but I've been told that the policies will only apply the top priority one.
ServerABC is running Server 2008 R2, SQL Server 2008 R2 and is a virtual machine in my development network.
So let's take exclusions:
"Microsoft Server 2008 R2" excludes C:\Windows\*.*
"Microsoft SQL Server 2008 R2" excludes E:\Databases\*.* F:\Logs\*.*
"VMWare Tools" excludes C:\Program Files\VMWare\*.*
I wanted some way to have the resulting policy on ServerABC contain a merged copy of the exclusions applied to "Microsoft Server 2008 R2", "Microsoft SQL Server 2008 R2" and "VMWare Tools",
i.e. an exclusion list of -
But I've been told that only 1 category can be applied at one time, so in this instance my exclusions would only show C:\Windows\*.* as it was the highest priority. Is there any way to do what I want to achieve, which is essentially to have a Policy based on Product so that if I need to change an exclusion for a certain product I only have to change it in one place rather than in multiple policies?
I hope this makes sense to anyone reading it.
Any help much appreciated.
You can only apply one policy of the same type to a machine at a time, so policy 'merging' like this is not possible - sorry.
You would need to make a policy object with all the exclusions you want and then maybe you can use tagging to assign that to appropriate machines.
That's disappointing, I'd assumed such a simple feature would have been included by default. So essentially you need to make a policy object for each unique combination?
Would love this to be raised as a feature request!!
I'm afraid sometimes what appears simple to design is not in fact so simple to code.
Please feel free to log a feature request, anyone can do so through the McAfee PER process.
Steps on how to log a PER are detailed in McAfee support article: KB60021 - How to submit a Product Enhancement Request (PER)
Let me point out a couple of things just in case...
This exclusion ("c:\Windows\*.*") has two issues with it:
1. The syntax is wrong. It should stop at the last slash ("C:\Windows\").
2. This is insanely dangerous. Viruses love to live in the Windows and System 32 directory. You should never ever exclude them.
Thanks Peter, these were just for illustrative purposes to try and keep things simple to get my point across. I'd never consider excluding these folders!
So simple, so obvious and yet missing for VSE. This is my biggest beef with the product, especially considering it is supported in many other products from McAfee.
A product enhancement request form is the way to go.
Yep, I (wrongly) assumed it was a standard implementation. Totally gutted, it would massively reduce administration (for us at least).
2 PERs already raised.
1) Allow multiple policies to be applied (merged)
2) Inventory locally installed software and have a field called "Locally Installed Software" so you can create a tag based on this field.
You should look into McAfee Risk Advisor, with it you get the Application Inventory Agent which performs a complete software inventory of a system. You can then create a query with your filter on a specific piece of software, and through a Server Task run the query and apply a tag based on your requirements. You can also apply policy within the same Server Task based on your query.
Nice one thanks, could be a good workaround for my 2nd PER! Still really need the 1st one implemented before the combination of the two will really start to reduce the admin work!!
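
An added example, not part of the original thread and not McAfee tooling: one way to keep each product's exclusions in a single place and generate the merged list for every unique tag combination, which is what the "one policy object per combination" workaround needs. It also trims the `*.*` form to the trailing backslash as advised in the thread and sets aside anything under the Windows directory. The machine names other than ServerABC, the function names, and the assumption that the system root is `C:\Windows` are hypothetical; the output is meant to be entered into policy objects by hand.

```python
# Per-product exclusions, edited in one place only (constructed sample data
# taken from the illustrative paths used in the thread).
PRODUCT_EXCLUSIONS = {
    "Microsoft Server 2008 R2": [r"C:\Windows\*.*"],
    "Microsoft SQL Server 2008 R2": [r"E:\Databases\*.*", r"F:\Logs\*.*"],
    "VMWare Tools": [r"C:\Program Files\VMWare\*.*"],
}
# Hypothetical inventory: machine name -> tags assigned to it.
MACHINE_TAGS = {
    "ServerABC": {"Microsoft Server 2008 R2", "Microsoft SQL Server 2008 R2", "VMWare Tools"},
    "ServerDEF": {"Microsoft Server 2008 R2", "VMWare Tools"},
    "ServerGHI": {"Microsoft Server 2008 R2", "VMWare Tools"},
}

def normalize(path):
    """Folder exclusions stop at the last backslash, so drop a trailing '*.*'."""
    return path[:-3] if path.endswith("*.*") else path

def is_risky(path):
    """True for the Windows directory or anything below it (assumes C:\\Windows)."""
    p = path.lower().rstrip("\\")
    return p == "c:\\windows" or p.startswith("c:\\windows\\")

def build_policies(product_exclusions, machine_tags):
    """Group machines by tag combination and merge that combination's exclusions.

    Returns {frozenset(tags): {"machines", "exclusions", "rejected"}}.
    """
    policies = {}
    for machine, tags in sorted(machine_tags.items()):
        entry = policies.setdefault(
            frozenset(tags), {"machines": [], "exclusions": [], "rejected": []})
        entry["machines"].append(machine)
    for tags, entry in policies.items():
        merged = sorted(
            {normalize(p) for tag in tags for p in product_exclusions[tag]},
            key=str.lower)
        entry["exclusions"] = [p for p in merged if not is_risky(p)]
        entry["rejected"] = [p for p in merged if is_risky(p)]
    return policies

if __name__ == "__main__":
    for tags, entry in build_policies(PRODUCT_EXCLUSIONS, MACHINE_TAGS).items():
        print(" + ".join(sorted(tags)))
        print("  machines:  ", ", ".join(entry["machines"]))
        print("  exclusions:", entry["exclusions"])
        print("  rejected:  ", entry["rejected"])
```
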