2 Replies Latest reply on May 14, 2010 8:24 AM by tonyb99

    Detecting disabled McShield service

      Hi,

       

      Does anyone know of an easy way for ePO to detect and alert on managed devices that have the McShield service disabled. While the policy enforcement will ensure that the service is started on a workstation/server, it can't do so if someone has manually disabled the service ...

       

      Regards,

       

      Jon Duffy

        • 1. Re: Detecting disabled McShield service
          tonyb99

          make sure your are collecting data on the event: 1127: OAS Scanning Engine Disabled (Info) within event filtering

          stick this in a report

          bear in mind machines will have to collect the agent policies before they pull down changes to the event filtering.

          • 2. Re: Detecting disabled McShield service
            rackroyd

            Hi,

             

            If the user has the ability to disable the service they can do pretty much what they want already surely ?

            One way to make it more difficult perhaps is through a combination of using access protection ( the 'prevent users from stopping McAfee services' option) and then locking down the VirusScan console by password policy so AP cannot be modified by the user unless they know the password - which of course you do not share.

             

            Hth,

             

            Rob.