8 Replies Latest reply on Apr 13, 2010 6:08 AM by MartinB

    ePO 4.0 showing wrong DAT version for stations

    MartinB

      Hi,

      To me this is a strange issue, and I have yet to hear back from McAfee Support, even after several calls/emails to the tech. Here's hoping you guys can help me.

      I have a large number of stations that show up with the wrong DAT file in the ePO.  The station has the latest DAT, but ePO shows a few DATs behind.

      I've tested with a few of them, and removed them from the ePO.  The stations reconnected properly with the proper information.

      BUT after a few hours, the ePO shows the DAT go down to an earlier version.

      In other words, my station had DAT 5924; it updated just fine from the ePO, but the ePO shows DAT 5921.

      Even if I put it back up to date by removing/re-adding the system, after a few hours it will go back down.

      Only the ePO shows it going down; the station still has the latest DAT.

      Most stations have VirusScan 8.5, some 8.7, all with the latest Agent.

      Not all the systems are going to the same DAT file; some go down to 5922, 5921, some down to 5911.

      Now the non-compliant reports for the groups are completely inaccurate.

      Any ideas?! I'm stumped.

      Also, while I have you here,

      referring to the attached picture, any ideas why the "Latest Available" is lower than the "My Repository" DATs?

        • 1. Re: ePO 4.0 showing wrong DAT version for stations
          rmetzger

          Hi Martin,

           

          Well, a couple of things could be going on here. A few questions first:

          1) How did you deploy the workstations (OS), were these done through Imaging?

          2) Are any of these systems connecting via a VPN connection?

           

          My first thought is that the MACaddress and AgentGUID are replicated across several PCs. ePO is using the last one to communicate and reporting its version. So, newer versions on other PCs using the same AgentGUID have information over-written by other PCs using the same AgentGUID. Thus the mis-reported values.

           

          Below is a batch file I use to reset the AgentGUID and MACaddress of each PC. It's interactive (somewhat) and can be used to prepare for upcoming imaging of a base system, or to simply reset the AgentGUID and MACaddress on a live system.

          @echo off
          title  McAfee AgentGUID and MacAddress Removal Tool - by Ron Metzger

              echo.
              echo  The McAfee Agent communicates with ePO, Protection Pilot, or McAfee's
              echo  update services, using registry values of AgentGUID and MacAddress, to
              echo  uniquely identify each system. Imaging or duplicating a system breaks
              echo  these unique identifiers. Clearing these values, followed by a reboot or
              echo  services restart, repopulates these values with new and unique entries.
              echo.
              echo  Prior to duplication, clear these registry entries and create the image
              echo  before restarting services or rebooting.
              echo.
              echo  Otherwise,
              echo.
              echo  After duplication, clear these values, then reboot or restart the services.
              echo.
              echo  VSE v8.7i (or above) by default, self-protects against certain changes.
              echo  In order to make either registry change, temporarily disable the
              echo  self-protection settings within VSE v8.7i (or above).
              echo.
              echo  From the VirusScan Console:
              echo  Access Protection > Properties
              echo    Uncheck 'Prevent McAfee services from being stopped'
              echo    Common Standard Protection
              echo      Uncheck (un)Block 'Prevent modification of McAfee files and settings'
              echo      Uncheck (un)Block 'Prevent modification of McAfee Common Management Agent'
              echo.
              Choice.exe /C:YN /N " Press  Y  to continue,  N  to skip . . . ?"
              if ErrorLevel 2 goto Exit

              echo  Stopping services . . .
              net stop McAfeeFramework /yes
              net stop McShield /yes
              net stop McTaskManager /yes
              echo  Stopping services, done.

              echo  Deleting registry entries . . .
              REG delete "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /F
              REG delete "HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /F

              REG delete "HKLM\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v AgentGUID /f
              REG delete "HKLM\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent" /v MacAddress /f
              echo  Deleting registry entries, done.

              echo.
              echo  Please re-enable the self-protection settings within
              echo  VSE v8.7i (or above) to their original values.
              echo.
              echo  From the VirusScan Console:
              echo  Access Protection > Properties
              echo    Check 'Prevent McAfee services from being stopped'
              echo    Common Standard Protection
              echo      Check Block 'Prevent modification of McAfee files and settings'
              echo      Check Block 'Prevent modification of McAfee Common Management Agent'
              echo.
              Choice.exe /C:YN /N " Press  YN  to continue . . . ?"
              echo.
              echo  About to restart McAfee services.
              echo  This will repopulate AgentGUID and MacAddress values.
              echo.
              echo  Please do Not start these services if Imaging this system Now. (Choose Skip.)
              echo.
              Choice.exe /c:YN /T:N,15 /N " Restart Services?  Y  to continue,  N [or wait 15 seconds]  to skip . . . ?"
              if ErrorLevel 2 goto Exit

              echo  Starting services . . .
              net start McAfeeFramework /yes
              net start McShield /yes
              net start McTaskManager /yes
              echo  Starting services, done.

              Choice /c:YN /T:Y,15 /N " Press  YN [or wait 15 seconds]  to continue . . . ?"

          :Exit

          Post back if this helps, or with questions.

          Ron Metzger
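
Added example, not part of Ron Metzger's post or of any McAfee tooling: one way to test the duplicate-AgentGUID hypothesis above before resetting anything is to group agent check-in records by GUID and flag any GUID reported by more than one hostname or MAC address. The CSV layout, column names and sample rows are constructed for illustration and are not a real ePO export format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: one row per agent check-in (assumed layout, not an ePO format).
SAMPLE_CHECKINS = """\
time,agent_guid,hostname,mac,dat
2010-03-18T08:00,{GUID-A},WS-001,00:11:22:33:44:01,5924
2010-03-18T09:10,{GUID-A},WS-002,00:11:22:33:44:02,5921
2010-03-18T10:05,{GUID-A},WS-001,00:11:22:33:44:01,5924
2010-03-18T11:30,{GUID-A},WS-002,00:11:22:33:44:02,5921
2010-03-18T08:15,{GUID-B},WS-003,00:11:22:33:44:03,5924
2010-03-18T12:15,{GUID-B},WS-003,00:11:22:33:44:03,5924
2010-03-18T08:20,{GUID-C},LT-007,00:11:22:33:44:07,5922
2010-03-18T13:40,{GUID-C},LT-007,00:11:22:33:44:07,5924
"""


def find_shared_guids(csv_text):
    """Return {guid: details} for GUIDs reported by more than one host or MAC."""
    by_guid = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_guid[row["agent_guid"]].append(row)

    findings = {}
    for guid, rows in by_guid.items():
        rows.sort(key=lambda r: r["time"])  # ISO timestamps sort as text
        hosts = sorted({r["hostname"] for r in rows})
        macs = sorted({r["mac"] for r in rows})
        if len(hosts) < 2 and len(macs) < 2:
            continue  # one machine behind this GUID: not a clone
        dats = [int(r["dat"]) for r in rows]
        # A DAT that drops between consecutive check-ins is the "went back
        # down" symptom: another machine overwrote the same server record.
        regressions = sum(1 for a, b in zip(dats, dats[1:]) if b < a)
        findings[guid] = {
            "hosts": hosts,
            "macs": macs,
            "dat_regressions": regressions,
            "last_reported_dat": dats[-1],
        }
    return findings


if __name__ == "__main__":
    for guid, info in find_shared_guids(SAMPLE_CHECKINS).items():
        print(guid, info)
```

A GUID with a single host whose DAT only moves forward (like `{GUID-C}` in the sample) is not flagged, so the output lists only the machines that would actually need the reset.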

          • 2. Re: ePO 4.0 showing wrong DAT version for stations
            MartinB

            1) Yes, I believe most systems were imaged; it depends on the Business Units.

            However, these are systems that were working properly for a long time now.

            We have over 40'000 stations, and suddenly started seeing a large spike in the number of non-compliant systems. That's how we noticed the problem.

            My own laptop, which I know has been working properly, started getting the same problem, even if I force a connection to the ePO with cmdagent.exe /p /e /c

            The "last update" field shows the current time, but the DAT doesn't update.

            Also, we tried to remove a co-worker's station, resetting the GUID, and re-connected it to the ePO; afterward it did show the latest DAT.

            However, later it went back to 5921.

            2) No, they're not connecting via a VPN. They simply need to be on the company's intranet, or we have a public server which lets them connect from the internet for the different offices and/or home.

            • 3. Re: ePO 4.0 showing wrong DAT version for stations
              rmetzger

              Interesting.

               

              Have you tried resetting both the AgentGUID AND the MacAddress?

               

              If that doesn't work, then the problem could be in the ePO database. If so, I am not the person who would be best able to help. Maybe a call to tech support would be in order. Open an Incident and let us know how things are going.

               

              Ron Metzger

              • 4. Re: ePO 4.0 showing wrong DAT version for stations
                MartinB

                Yeah, I'll try that on Monday; however, I don't think I want to run a script on a few thousand machines.

                I already have a ticket open, and escalated it with our service manager, but haven't heard any updates from them yet. Monday will be the third day...

                • 5. Re: ePO 4.0 showing wrong DAT version for stations
                  MartinB

                  When I came in this morning, the ePO seemed to be working properly.

                  However, I received more information about the problem.

                  Last Friday (the 12th), the same problem occurred, but it was fixed on Monday the 15th when they came in.

                  Then I had the problem starting on Thursday (the 18th), and it appears fixed today.

                  It looks like whatever the problem is, it gets fixed during the weekend, and I assume gets worse over the course of the week, then starts over on the weekend.

                  Anyone know what would cause something like this?

                  • 6. Re: ePO 4.0 showing wrong DAT version for stations

                    Do you have any scheduled event purges or SQL database maintenance taking place over the weekend?

                    • 7. Re: ePO 4.0 showing wrong DAT version for stations

                      Hello,

                       

                      At the end of this thread you mention that the problem seems to work itself out over the weekend. With that being said it makes me want to ask a couple of questions.

                       

                      When the DAT information is not being reported as up to date, are there files queuing up on the ePO_Server at the following location? <install files>\McAfee\epolicy orchestrator\db\events

                      Events can be dropped off during ASCI or after an update task etc. I am just wondering if, when the systems are not under as heavy a load, it is able to process a backlog of events?

                       

                      Just a thought.

                       

                       

                      thanks

                      William

                      • 8. Re: ePO 4.0 showing wrong DAT version for stations
                        MartinB

                        Hi,

                        Sorry I forgot about this thread.

                         

                        The problem was fixed when I came in on Monday, and it appears to have been working fine since.

                        We were deploying a group to 8.7; the working theory is that it was causing slow performance, and since there are fewer employees connecting on weekends it was able to correct the problems.

                        McAfee wasn't able to come up with an answer, but suggested the server's hardware may need upgrading.

                         

                        Thanks for all your help