I've got a query to detect (non)compliant computers.
Displays a boolean pie chart of managed systems in your environment which are compliant or non-compliant by version of VirusScan Enterprise (for Windows), McAfee Agent, and DAT files.
Agent At Least 3.6
VirusScanner At Least 8.5
Dat Files Within last 33 Versions
In the output of the query for non-compliant clients I see many clients multiple times.
(Bold = deleted)
|IP Address||Domain Name||OS Platform||Assignment Path||Product Version (Agent)||Engine Version (VirusScan Enterprise)||DAT Version (VirusScan Enterprise)||Last Communication||Last Agent Communication||Last Detected Time||First Detected Time||First Recorded Time||Last Detected Time||Last Recorded Time|
|XPD339||10.11.30.50||TAND||Professional||My Organization\TAND\Europe\Desktops\Workstations\||5400.1158||6043.0000||7/15/10 5:47:05 PM||7/15/10 5:47:05 PM||6/18/10 6:00:57 PM||10/22/09 2:27:50 PM||10/22/09 2:27:50 PM||6/18/10 6:00:57 PM||6/18/10 6:00:57 PM|
|XPD339||10.11.30.50||TAND||Professional||My Organization\TAND\Europe\Desktops\Workstations\||220.127.116.110||7/15/10 5:47:05 PM||7/15/10 5:47:05 PM||6/18/10 6:00:57 PM||10/22/09 2:27:50 PM||10/22/09 2:27:50 PM||6/18/10 6:00:57 PM||6/18/10 6:00:57 PM|
|XPD339||10.11.30.50||TAND||Professional||My Organization\TAND\Europe\Desktops\Workstations\||7/15/10 5:47:05 PM||7/15/10 5:47:05 PM||6/18/10 6:00:57 PM||10/22/09 2:27:50 PM||10/22/09 2:27:50 PM||6/18/10 6:00:57 PM||6/18/10 6:00:57 PM|
Now I've got a few questions:
Where do these duplicate lines come from when these clients don't have any duplicate objects in ePO?
Also weird is that most of these clients are up to date (following the query), as you can see in one of the output rows?
Is this a bug?
What exactly do the following fields mean (what are the differences)?
As you can see, the example client still communicates but the detect & record time is far behind? What am I missing here? I don't get it.
Are you using rogue system detection sensors? These sensors record systems the way you saw it in a different table, and this is not cleaned up by the duplicate agent cleanup task, nor do they appear as duplicates in the relevant ePO duplicates report. However, this report you cited here might use the Detected Systems as the source, thus counting nodes from two origins, appearing as "duplicates".
I think you can delete the "duplicates" safely leaving the node(s) that is(are) registered as communicating and up to date.
(What is the ePO system version and patch level, by the way?)
We don't use rogue sensors.
But we do use Agent Handlers.
Is it normal that these (duplicates) are detected as 1 same system?
(If I check one of the duplicates ALL of them are getting (un)marked.)
We're using ePO 4.5 + Patch 1.
Would you check what source this report uses? Managed Systems or Detected Systems? You may want to recreate the same report from the Managed Systems source (personally I see no reason why such a report would use Detected Systems, which means "detected" and not "managed", so compliancy should not be based on detection but rather on managedness).
Also I recommend deleting the duplicates via the console (I mean those which do not have an ASCI time recorded).
I have learned from others that the ePO agent creates records in the Detected Systems table just like it would in the Managed Systems table; the delay for the latter is random within 10 minutes whereas the prior happens instantly. But a Detected Systems record does have the ASCI time filled with a value, so without a value a record can be deleted if you do not use a rogue system sensor (that would create records here, too, with far less information).
So although others here might answer you more reasonably, I suggest you simply delete the unwanted duplicates and only bother yourself if they get recreated again. Also use the query on Managed Systems which seems more reasonable.