8 Replies Latest reply on Feb 25, 2010 8:19 PM by rmetzger

    Agent issues on VMWare cloned machines...

      Hi,

       

      I have an issue with the McAfee agents on some new W2k3 and W2k8 boxes.  I recently learned that we have been building servers, installing and tweaking multiple applications and then cloning them in VMWare.  Somewhere in this process we use a tool called NewSID.exe to give the machine a new SID.  While the process seems to work for many of the installed applications, it appears that at least the McAfee Agent does not like it.

       

      I just found out about this practice last night.  I am doing some testing to see if simply forcing a new install works - but wanted to get this issue out there to see if anyone else has run into this issue.  Please let me know if you have insight on how to resolve the issue - or an alternate way to proceed.

       

      Thanks,

       

      Tim

        • 1. Re: Agent issues on VMWare cloned machines...
          rackroyd

          ePO & the Agent have their own equivalent of the Windows SID. We use the term 'GUID' instead.

          It sounds like you may have a common issue with images, which is the use of duplicate GUIDs.

           

          You don't mention which version of ePO and agent you are using, but assuming it's the latest and greatest then the ePO 4.5 Product guide has two pages of information regarding GUID management you'll find useful.

           

          From the guide:

          ----------------------------------------------------------------------------------------------------------------------------------------

          Including the agent on an image
          When you include the McAfee Agent on an image, you must remove its GUID from the registry.
          This allows subsequently installed agent images to generate their own GUID at their first agent-server communication.

           

          CAUTION: If you don't follow this step, all deployed agent images have the same GUID, and must be changed manually. In a large organization, this is impractical. Although you can configure the ePO server to identify replicated GUIDs and assign a new GUID at the next agent-server communication, the action consumes considerable processing bandwidth. For information, see Identifying and correcting a duplicate GUID.


          Task
          On the imaged system, locate the registry key for the agent and remove it. The registry keys are located at:
          HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

           

          Identifying and correcting a duplicate GUID
          If you deployed the agent on an image without first removing its GUID from the registry, multiple systems in your environment will have duplicate GUIDs. When these systems fail to communicate with the Agent Handler, they generate sequencing errors, which indicate a GUID problem. The Managed Systems query result type tracks the following information about these errors:

           

          • The number of sequence errors for each system in the Managed Systems Sequence Errors property.
          • The date and time of the last sequence error in the Managed Systems Last Sequence Error property.

           

          The tracked information is incorporated into one or the other of the available pre-defined queries:
          • Systems with High Sequence Errors
          • Systems with no Recent Sequence Errors

           

          Two predefined tasks help manage GUID problems.

          • Duplicate Agent GUID - remove systems with potentially duplicated GUIDs
          This task deletes the systems that have a large number of sequencing errors and classifies the agent GUID as problematic. As a result, the agent is forced to generate a new GUID.
          The threshold number of sequencing errors is set in the query Systems with High Sequence Errors.

           

          • Duplicate Agent GUID - Clear error count
          Sequencing errors can occur occasionally for inconsequential reasons. This task clears the count of sequencing errors in systems that have not had any recent sequencing errors. This cleanup task does not remove any problematic GUIDs. The threshold value for defining recent is set in the query Systems with no Recent Sequence Errors.

           

          Use this task to identify computers with GUID problems and take corrective action.


          hth,

           

          Rob

          • 2. Re: Agent issues on VMWare cloned machines...

            Rob,

             

            Thanks for the fast response.  I am running ePO 4.0 with McAfee agent 4 patch 3.  Sorry for not adding this info initially.

             

            Do you know what if any of the info you provided for 4.5 is applicable to 4.0?  I am going to investigate as well - not asking you to do all the heavy lifting ;-)

             

            Thanks,

             

            Tim

            • 3. Re: Agent issues on VMWare cloned machines...
              rackroyd

              Hi,

               

              This still applies:

               

              Including the agent on an image
              When you include the McAfee Agent on an image, you must remove its GUID from the registry.
              This allows subsequently installed agent images to generate their own GUID at their first agent-server communication.

               

              CAUTION: If you don't follow this step, all deployed agent images have the same GUID, and must be changed manually. In a large organization, this is impractical. Although you can configure the ePO server to identify replicated GUIDs and assign a new GUID at the next agent-server communication, the action consumes considerable processing bandwidth. For information, see Identifying and correcting a duplicate GUID.


              Task
              On the imaged system, locate the registry key for the agent and remove it. The registry keys are located at:
              HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\AgentGUID

               

              I'd take a look at ePO 4.5 when you can - lots of helpful changes with the new version.

              • 4. Re: Agent issues on VMWare cloned machines...

                Rob,

                 

                I will notify the folks that are doing the imaging of the steps that need to occur BEFORE they image the box.  This issue has cropped up during a very fast development cycle - so we have 4 or 5 projects doing the same thing.  So there are 4 or 5 GUIDs that are replicated to several boxes each.

                 

                I am assuming that reinstall of the agent (w/ the /force switch) is the way to remedy the boxes that are already deployed?

                 

                Lastly - I am signed up for 1 week of training in (hopefully) sunny Dallas at the end of March.  Going to IQVelocity bootcamp.  Been a McAfee admin since 1998 and this will be my first course.  Here's hoping that the 4.5 deployment will go faster than previous upgrades.

                 

                Thanks,

                 

                Tim

                • 5. Re: Agent issues on VMWare cloned machines...
                  rmetzger

                  TimHerman wrote:

                   

                  Rob,

                   

                  I will notify the folks that are doing the imaging of the steps that need to occur BEFORE they image the box.

                   

                  Another Value that can cause problems besides AgentGUID is the MacAddress.

                   

                  In order to make either registry change, you/they will have to temporarily change settings within VSE to allow the changes to occur.

                  From the VirusScan Console

                  Access Protection > Properties

                  Uncheck (unblock) 'Prevent McAfee services from being stopped'

                  Common Standard Protection

                  Uncheck 'Prevent modification of McAfee files and settings'

                  Uncheck 'Prevent modification of McAfee Common Management Agent'

                   

                  Then run the batch file below, or manually make the changes.

                  @echo off
                  REM Stop the agent and VSE services first so they cannot re-create the values.
                  net stop McAfeeFramework /yes
                  net stop McShield /yes
                  net stop McTaskManager /yes

                  REM 32-bit OS: the agent key is under SOFTWARE directly.
                  REG delete "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /f
                  REG delete "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /f

                  REM 64-bit OS: the 32-bit agent's key is redirected to Wow6432Node.
                  REG delete "HKLM\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /f
                  REG delete "HKLM\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /f

                   

                  Then restore the values in the VirusScan Console temporarily made above:

                  From the VirusScan Console

                  Access Protection > Properties

                  Check (block) 'Prevent McAfee services from being stopped'

                  Common Standard Protection

                  Check 'Prevent modification of McAfee files and settings'

                  Check 'Prevent modification of McAfee Common Management Agent'

                   

                  Now, they/you can create the image. Note that the services were stopped and not restarted as restarting them could cause the new GUID and the MacAddress values to repopulate prior to image creation. Clearly, during this time, VSE will not be running. So, consider the security issues while the OS image is being created.

                   

                  Good luck.

                  Ron Metzger

                   

                   

                  Message was edited by: rmetzger (Added 64 bit OS registry changes) on 2/26/10 4:10:23 AM GMT-05:00
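A PowerShell version of the same clean-up, added here as an example (it is not Ron's batch file and not McAfee code), which does what the batch file does but also reports what the batch file silently ignores: a service that would not stop or a value that could not be deleted because the Access Protection rules above are still enabled, and a value or service that has come back before the snapshot is taken. It assumes the service, key and value names quoted in this thread and an elevated session on the template VM.

```powershell
# Added example, not Ron's batch file or McAfee code: clear the agent identity values
# before the template is snapshotted and verify the result. Run elevated.
$ErrorActionPreference = 'Stop'
$services = 'McAfeeFramework', 'McShield', 'McTaskManager'
$keys = 'HKLM:\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent', 'HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent'
$values = 'AgentGUID', 'MacAddress'
$problems = @()
# 1. Stop the services first; a running agent re-creates both values.
foreach ($svc in $services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Stopped') {
        try {
            Stop-Service -Name $svc -Force
            $s.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        } catch {
            # Expected while 'Prevent McAfee services from being stopped' is still enabled.
            $problems += "$svc could not be stopped: $($_.Exception.Message)"
        }
    }
}
# 2. Remove the values from whichever of the native and Wow6432Node keys exist.
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $values) {
        if ($null -eq (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue)) { continue }
        try {
            Remove-ItemProperty -Path $key -Name $name
        } catch {
            # Expected while 'Prevent modification of McAfee files and settings' is still enabled.
            $problems += "${key}\${name}: $($_.Exception.Message)"
        }
    }
}
# 3. Verify nothing remains and no service came back; only then snapshot.
foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in $values) {
        if (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue) {
            $problems += "${key}\${name} is still present"
        }
    }
}
foreach ($svc in $services) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -ne 'Stopped') { $problems += "$svc is running again" }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'Agent identity cleared; VSE and the agent are NOT running. Snapshot now.'
```

A non-zero exit means the template is not ready to clone; the warnings name the rule that is still blocking the change or the value that is still present.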
                  • 6. Re: Agent issues on VMWare cloned machines...
                    rackroyd

                    Hi,

                     

                    Assuming it's easier you can still do the registry change after agent deployment and it should still work.

                    You would need to stop the Agent service first, naturally.

                     

                    Otherwise, yes, forced redeployment would do it.

                     

                    Good luck with the course !

                     

                    Hth,

                     

                    Rob

                    • 7. Re: Agent issues on VMWare cloned machines...

                      Ron/Rob,

                       

                      Thank you both very much.  We are on our way to resolving the issue.  There are over 40 machines that were cloned.  The script to stop services and delete reg keys worked well.  I have some 64 bit machines so I added the following lines.

                       

                      REG delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /f
                      REG delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /f

                       

                      Issue resolved.

                       

                      Thanks,

                       

                      Tim

                      • 8. Re: Agent issues on VMWare cloned machines...
                        rmetzger

                        Hi Tim,

                         

                        TimHerman wrote:

                         

                        Ron/Rob,

                         

                        Thank you both very much.  We are on our way to resolving the issue.  There are over 40 machines that were cloned.  The script to stop services and delete reg keys worked well.  I have some 64 bit machines so I added the following lines.

                         

                        REG delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /f
                        REG delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /f

                         

                        Issue resolved.

                        Excellent!

                         

                        Glad to help.

                        Thanks for letting us know.

                        Ron Metzger