
RunNow Task for: On-Demand Scan - Full scan dashboard

I would like to create a dashboard to monitor the specific server task that happens after creating a "run client task now" "ENS: Threat prevention, policy based on-demand scan". Attached is the event I would like a dashboard / query for, and I'd like to narrow it down to "last hour" or "last day", etc.
9 Replies

Re: RunNow Task for: On-Demand Scan - Full scan dashboard

This is the server task I'd like to see in a dashboard / query

McAfee Employee
Message 3 of 10

Re: RunNow Task for: On-Demand Scan - Full scan dashboard

Hi User47189237,

I am not sure what exactly you are trying to achieve here. You can monitor a specific action based on event, not by task. If you would like to monitor events for On-Demand Scan start and stop, yes, it is achievable. Correct me if my understanding is wrong.

 


Re: RunNow Task for: On-Demand Scan - Full scan dashboard

Yes, sorry if I was not more specific. I would like to monitor when we start / stop or when this specific task has finished in one place, and not try to dig through the Server task log for the specific event. I would ideally like a dashboard to be able to give to my analysts for this specific server task.

McAfee Employee
Message 5 of 10

Re: RunNow Task for: On-Demand Scan - Full scan dashboard

Okay. First, enable the event IDs below from Event Filtering (ePO --> Server Settings). Then send a wakeup to all machines to get these event IDs updated on the client.

1202 On-demand scan started Informational
1203 On Demand scan complete Informational

 

Perform a test task on a single machine and confirm whether you are able to see the start ID (1202) under the Threat Event Log. If yes, then follow the article below to create queries and reports.

https://kc.mcafee.com/corporate/index?page=content&id=KB69428


Re: RunNow Task for: On-Demand Scan - Full scan dashboard

I've looked at my host and when I kick off a "run client now" task for Policy based on-demand scan in ENS: Threat Prevention, nothing shows up in threat event log as 1202 or 1203. The only log of this shows up in server task log as the attached log I have on this thread.

McAfee Employee
Message 7 of 10

Re: RunNow Task for: On-Demand Scan - Full scan dashboard

Check if the events are selected under Event Filtering. Then go to the client machine and verify that the selected IDs are applied in the EvtFilter file from "<programdata/mcafee/agent/agentdata/". The selected IDs should not be listed.

Also, you have to enable these IDs in the ENS policy. Go to Policy Catalog --> Common --> edit the policy --> Show Advanced --> look for Event Logging --> select "ALL" under On-Demand Scan.


Once done, apply the policy to the test machine and reproduce once again. It should work.

McAfee Employee
Message 8 of 10

Re: RunNow Task for: On-Demand Scan - Full scan dashboard

You can't include 'server task' in Dashboard.


Re: RunNow Task for: On-Demand Scan - Full scan dashboard

Could I create a query for this? I used KB82149, but did not see my on-demand scan that I created in "run client task now", nor did I find a way to sort by "Start time" etc.

McAfee Employee
Message 10 of 10

Re: RunNow Task for: On-Demand Scan - Full scan dashboard

How often are you running scans using a run client task now? Honestly, that is not a very good idea to do, and here is why. Run client task now (RCTN) is designed for a small number of clients and tasks that aren't of a long duration. What happens with an RCTN is that ePO sends this task to an agent and all the while waits on the return status of that task for its completion. This will keep that datachannel session open the whole time a scan is running, which can make the server busy if you are running too many at a time for long periods of time. An on-demand scan is much better suited as an assigned client task. If you do that, you can query based on the event IDs that were mentioned by others.

That being said, you can go to queries, new query, choose logging as the feature group, then choose task log entries. From there you can filter based on the available options, such as name contains.... whatever you choose as well as filter on other available options.

The only way you can sort the output is after you actually run the query. In mine, it sorted it by start date automatically from oldest to newest. That may vary depending on parameters that you use.

Also, some query types are not suitable as a dashboard monitor, especially if it is one that would contain a bunch of rows of data. If it isn't a supported query type, you won't see it as an available query to add as a monitor in the dashboard. You might need to use a pie chart or something, but try it out first the way you want it to look.
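
An added example, not part of the original thread and not McAfee tooling: once events 1202 and 1203 reach the Threat Event Log, an exported event list can be paired per host to show which scans finished and which are still running inside a "last hour" or "last day" window. The CSV column names and host names are constructed assumptions, not ePO's export schema.

```python
import csv
import io
from datetime import datetime, timedelta

SCAN_STARTED, SCAN_COMPLETE = 1202, 1203  # event IDs named in the thread

# Constructed sample export; column names are assumptions, not ePO's schema.
SAMPLE_CSV = """host,event_id,received_utc
srv-app01,1202,2024-05-01T08:00:00
srv-app01,1203,2024-05-01T09:30:00
srv-db02,1202,2024-05-01T09:10:00
srv-web03,1202,2024-04-30T07:00:00
srv-web03,1203,2024-04-30T07:45:00
srv-app01,1202,2024-05-01T09:50:00
"""


def scan_status(csv_text, now, window):
    """Pair each 1202 with the next 1203 on the same host inside the window.

    Returns (finished, running): finished is a list of (host, start, duration),
    running maps host -> start time of a scan with no completion event yet.
    """
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(r["received_utc"])
        event_id = int(r["event_id"])
        if now - window <= ts <= now and event_id in (SCAN_STARTED, SCAN_COMPLETE):
            rows.append((ts, r["host"], event_id))
    rows.sort()  # chronological order so starts precede their completions

    running, finished = {}, []
    for ts, host, event_id in rows:
        if event_id == SCAN_STARTED:
            running[host] = ts  # a newer start supersedes an unpaired one
        elif host in running:
            start = running.pop(host)
            finished.append((host, start, ts - start))
        # a 1203 whose start fell outside the window is ignored
    return finished, running


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 0, 0)
    done, active = scan_status(SAMPLE_CSV, now, timedelta(days=1))
    for host, start, duration in done:
        print(f"{host}: finished, started {start}, took {duration}")
    for host, start in active.items():
        print(f"{host}: still running since {start}")
```

A host that stays in the running set long after its start time is the case worth alerting on: either the scan is stuck or the 1203 event is being filtered before it reaches the server.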
