4 Replies Latest reply on Apr 15, 2009 9:52 AM by epo_user_00

    McAfee Agent not reporting correctly

    epo_user_00
      ePO 3.6.1, McAfee Agent 4.0

      Hopefully, this is something obvious I'm just missing. I have this problem on machines at a couple of remote sites where I've just set up a Super Agent and begun installing the McAfee Agent on client machines. Everything looks fine on the install.

      However, on the client machines, the MA activity log seems to be missing some information, and I'm unable to confirm the client machines are pulling from the correct repository. I've tried several options in the agent policy to point it to the correct repository, but it doesn't make any difference.

      Below is a typical agent log as we would see it on our normally-functioning machines, followed by a log as it would appear on our problem machines. Notice the first column lists the component that initiates the action. The components include Management, Agent Subsystem, Scheduler, and Updater.

      On the problem machines, we are seeing no events from the Updater component at all. The Updater component is what tells us which repository the agent is pulling from. So I'm unable to tell which repository it's using, or if it's even connecting to a repository at all.

      Am I missing something?

      -----sample log (normal machine)-------
      Management 03/11/2009 1:55:44 PM Info Enforcing Policies for EPOAGENT3000
      Management 03/11/2009 1:54:07 PM Info Enforcing Policies for EPOAGENT3000META
      Agent Subsystem 03/11/2009 1:52:21 PM Info Agent is looking for events to upload
      Management 03/11/2009 1:51:04 PM Info Enforcing Policies for HOSTIPS_7000
      Management 03/11/2009 1:49:43 PM Info Enforcing Policies for PATCH___1100
      Management 03/11/2009 1:48:15 PM Info Enforcing Policies for VIRUSCAN8600
      Agent Subsystem 03/11/2009 1:48:15 PM Info Agent Started Enforcing policies
      Agent Subsystem 03/11/2009 1:47:20 PM Info Agent is looking for events to upload
      Updater 03/11/2009 1:43:18 PM Info Update Finished
      Updater 03/11/2009 1:43:18 PM Info Verifying MAS850det.mcs.
      Updater 03/11/2009 1:43:18 PM Info Verifying MAS850det.mcs.
      Updater 03/11/2009 1:43:18 PM Info Verifying VSE850Det.mcs.
      Updater 03/11/2009 1:43:18 PM Info Verifying VSE850Det.mcs.
      Updater 03/11/2009 1:43:18 PM Info Verifying PatchDet.McS.
      Updater 03/11/2009 1:43:18 PM Info Verifying PatchDet.McS.
      Updater 03/11/2009 1:43:18 PM Info Verifying HIP_ClientDetect.mcs.
      Updater 03/11/2009 1:43:18 PM Info Verifying HIP_ClientDetect.mcs.
      Updater 03/11/2009 1:43:18 PM Info Verifying AIDet.McS.
      Updater 03/11/2009 1:43:18 PM Info Verifying AIDet.McS.
      Updater 03/11/2009 1:43:17 PM Info Checking for software conflicts.
      Updater 03/11/2009 1:43:16 PM Info Loading update configuration from: catalog.xml
      Updater 03/11/2009 1:43:16 PM Info Extracting catalog.z.
      Updater 03/11/2009 1:43:16 PM Info Verifying catalog.z.
      Updater 03/11/2009 1:43:16 PM Info Initializing update...
      Updater 03/11/2009 1:43:16 PM Info Checking update packages from repository [Super Agent].
      Scheduler 03/11/2009 1:43:16 PM Info Scheduler: Invoking task [Deployment]...
      Agent Subsystem 03/11/2009 1:43:15 PM Info Next policy enforcement in 5 minutes
      Agent Subsystem 03/11/2009 1:43:15 PM Info Agent finished Enforcing policies
      Scheduler 03/11/2009 1:43:15 PM Info Added a new task Deployment to Scheduler's task list
      Management 03/11/2009 1:43:15 PM Info Enforcing Policies for McAfee Agent
      Management 03/11/2009 1:43:14 PM Info Enforcing Policies for ASSETS__2500
      Management 03/11/2009 1:43:14 PM Info Enforcing Policies for EPOAGENT3000
      Management 03/11/2009 1:43:14 PM Info Enforcing Policies for EPOAGENT3000META
      Management 03/11/2009 1:43:07 PM Info Enforcing Policies for HOSTIPS_7000
      Management 03/11/2009 1:43:07 PM Info Enforcing Policies for PATCH___1100
      Management 03/11/2009 1:43:07 PM Info Enforcing Policies for VIRUSCAN8600
      Agent Subsystem 03/11/2009 1:43:07 PM Info Agent Started Enforcing policies
      Agent Subsystem 03/11/2009 1:42:20 PM Info Agent is looking for events to upload


      ----sample log (problem machines)-----
      Management 03/11/2009 1:55:44 PM Info Enforcing Policies for EPOAGENT3000
      Management 03/11/2009 1:54:07 PM Info Enforcing Policies for EPOAGENT3000META
      Agent Subsystem 03/11/2009 1:52:21 PM Info Agent is looking for events to upload
      Management 03/11/2009 1:51:04 PM Info Enforcing Policies for HOSTIPS_7000
      Management 03/11/2009 1:49:43 PM Info Enforcing Policies for PATCH___1100
      Management 03/11/2009 1:48:15 PM Info Enforcing Policies for VIRUSCAN8600
      Agent Subsystem 03/11/2009 1:48:15 PM Info Agent Started Enforcing policies
      Agent Subsystem 03/11/2009 1:47:20 PM Info Agent is looking for events to upload
      Scheduler 03/11/2009 1:43:16 PM Info Scheduler: Invoking task [Deployment]...
      Agent Subsystem 03/11/2009 1:43:15 PM Info Next policy enforcement in 5 minutes
      Agent Subsystem 03/11/2009 1:43:15 PM Info Agent finished Enforcing policies
      Scheduler 03/11/2009 1:43:15 PM Info Added a new task Deployment to Scheduler's task list
      Management 03/11/2009 1:43:15 PM Info Enforcing Policies for McAfee Agent
      Management 03/11/2009 1:43:14 PM Info Enforcing Policies for ASSETS__2500
      Management 03/11/2009 1:43:14 PM Info Enforcing Policies for EPOAGENT3000
      Management 03/11/2009 1:43:14 PM Info Enforcing Policies for EPOAGENT3000META
      Management 03/11/2009 1:43:07 PM Info Enforcing Policies for HOSTIPS_7000
      Management 03/11/2009 1:43:07 PM Info Enforcing Policies for PATCH___1100
      Management 03/11/2009 1:43:07 PM Info Enforcing Policies for VIRUSCAN8600
      Agent Subsystem 03/11/2009 1:43:07 PM Info Agent Started Enforcing policies
      Agent Subsystem 03/11/2009 1:42:20 PM Info Agent is looking for events to upload
        • 1. RE: McAfee Agent not reporting correctly
          jmaxwell
          Looks to me as if your Deployment task is not running properly.

          Have you tried an "update now" from a clinet machine to see what repository it goes to ?

          Jim
          • 2. RE: McAfee Agent not reporting correctly
            epo_user_00
            Unfortunately, the machine is in another city. It's on a network I don't normally work with, I'm doing some consulting there. Any other way we can force an update remotely? The agent activity log is the only way I know of to see what repository an agent is pulling from. Are there other places to find this?
            • 3. RE: McAfee Agent not reporting correctly
              jmaxwell
              Arrange to remote connect to the PC perhaps ?

              Jim
              • 4. RE: McAfee Agent not reporting correctly
                epo_user_00
                Problem fixed. Not sure I understand how, but...

                I wasn't aware that the Deployment Task had anything to do with the Updates component. But I started looking at the Deployment Task. What I did was a couple of things:

                1. I changed the ePO Agent policy that all the Super Agents use, to have them point only to the ePO server for updates. Don't know if that had anything to do with anything.

                2. I edited the Deployment Task for the client machines to change McAfee Agent from "Ignore" to "Install" (the agent was already installed anyway) and ticked the box that says "run task at every policy enforcement interval".

                Did an agent wakeup call, and badda bing, the agent log showed the Updater pointing to the correct SA repository.

                Something else I noticed that was weird--some of the clients at the remote site showed up with the MA installed, even before any Deployment Task was enabled. I thought maybe it was a vestige of some McAfee product that had been installed in the past, but I'm told no McAfee products of any kind had ever been installed. So I'm not sure how these machines got the agent installed, but that might have possibly had something to do with it.

                Thanks again! On to the next problem...