10 Replies. Latest reply on May 26, 2010 1:50 PM by clbarnett

    Does ePo make registry changes - security scanner complaining

    araczek

      I have ePo 4.5 running on our network and we are using a security scanner to check desktop security. It finds, just as an example:

      HKLM\Software\Network Associates\TVD\Shared Components\On Access Scanner\McShield\Configuration\Default

      Set value ScanArchives to 1

      HKLM\Software\Network Associates\TVD\Shared Components\On Access Scanner\McShield\Configuration\Default

      Set value ScanMime to 1

      I have this set in ePo correctly in On Access default processes policy. I check a client and I see that policies DO get applied. But the security scanner insists these registry keys need to be set. Can I assume ePo is working correctly and this is a "false positive"?

      ...AR

        • 1. Re: Does ePo make registry changes - security scanner complaining

          That looks to me like maybe your security software is looking at an outdated registry key.  Things used to be stored under 'Network Associates', but now they're stored in 'McAfee'.  Do you have a registry key like this:

          HKLM\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default\ScanArchives ?

          • 2. Re: Does ePo make registry changes - security scanner complaining
            araczek

            Well, yes, now I see you are correct. The registry settings are in a different location. But in looking at the values they are wrong. ScanMime and ScanArchives are '0' and should be '1'. So even though the scanner is looking in the wrong place, ePo is not setting these registry keys. So what could be wrong? On the client the Agent_ComputerName.log file shows "enforcing policies" but that does not tell me much. There MUST be other logs I can look at to narrow this down.

            ...AR

            • 3. Re: Does ePo make registry changes - security scanner complaining

              Well, it's possible that the client is successfully enforcing policies but not the policies you think it should be enforcing.

              On the client, launch the VSE Console (Start/Programs/McAfee/Virus Scan Console)
              Right-click on 'On-Access Scanner' and choose 'Properties'

              Depending on how your client is installed you will either see 'All Processes' on the left or you will see 'Default Processes'.  Click on whichever one you have, then click on the 'Advanced' tab.  Is the box next to 'Scan inside archives' checked?  If it is blank, then the policy that is being enforced is what's setting ScanArchives to 0.  You can prove this by checking the box, then from the command prompt running 'cmdagent /e' and seeing that it is unchecked after policies are enforced.

              If the box next to 'Scan inside archives' is checked, then search your registry for 'ScanArchives'.  You should be able to find the registry key where the value is 1 and that's where your scanner software should be looking.
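              As an added example (not code from the thread or from McAfee), the check described in replies 1 to 3 can be scripted on the client: it reads ScanArchives and ScanMime at the legacy 'Network Associates' path the scanner checks and at the current 'McAfee\VSCore' path, so you can see which location holds the enforced value. It assumes the 'Default' configuration key shown in the thread, and also looks under Wow6432Node since the 32-bit product's keys are redirected there on 64-bit Windows.

```powershell
# Added example, not from the thread: report the on-access scanner settings the
# security scanner complained about, at every registry location they might live.
# Assumption: 64-bit hosts keep the 32-bit view under Wow6432Node, so that variant
# of each path is checked as well.
$paths = @(
    'HKLM:\SOFTWARE\Network Associates\TVD\Shared Components\On Access Scanner\McShield\Configuration\Default',
    'HKLM:\SOFTWARE\McAfee\VSCore\On Access Scanner\McShield\Configuration\Default'
)
$paths += $paths | ForEach-Object { $_ -replace '^HKLM:\\SOFTWARE\\', 'HKLM:\SOFTWARE\Wow6432Node\' }
$names = 'ScanArchives', 'ScanMime'

# Returns the DWORD as an int, or a short string explaining why it could not be read.
function Get-OasValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return 'key absent' }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'value absent' }
    return [int]$item.$Name
}

foreach ($path in $paths) {
    foreach ($name in $names) {
        $v = Get-OasValue -Path $path -Name $name
        [pscustomobject]@{
            Path            = $path
            Setting         = $name
            Value           = $v
            EnabledByPolicy = ($v -eq 1)   # 1 = 'Scan inside archives' / MIME scanning on
        }
    }
}
```

Re-running it after 'cmdagent /e', as suggested above, shows which value the enforced policy actually writes; a 1 only at the McAfee\VSCore path means the scanner is reading an outdated key.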

              • 4. Re: Does ePo make registry changes - security scanner complaining
                araczek

                Thank you for helping. I checked and the setting is getting cleared. I dug a little and remembered I am dealing with two versions of VSE, 8.5i and 8.7. So I checked the 8.7 policy and the mime and archive settings were not there (On-Access Default Processes Policies). Even in 8.5 it gets reset. I have two policies, one I had to create due to a problem when I upgraded from epo 4.0 to 4.5. I have all my settings in my new policy. What I THINK is happening is there is a McAfee Default policy that is resetting these settings. Possible? If I click on the policy I mentioned the McAfee default is grayed out but the two settings I described to you are unchecked (mime & archive).

                Bottom line is where can this setting be coming from? I may not be looking in the right spot and I am getting frustrated. I am happy policies are applying but just can't find where the one I need is. Can I delete the default policy?

                • 5. Re: Does ePo make registry changes - security scanner complaining

                  I don't think you want to delete the default policy, since that may actually be the one that's getting enforced.

                  I don't have ePO 4.5, so I can't quite walk through the steps, but here's what I'd do in 4.0.

                  From the dashboard, find your client system that you're working with in ePO. Make sure you have only one system with that name when you do the search - if you have more than one, stop troubleshooting the policy issue and start troubleshooting why you have more than one object with the same name.  If you don't have any system with that name, stop troubleshooting the policy issue and start troubleshooting why your system is not in ePO.  (If the system is not in ePO, the default out-of-the-box policy is going to be enforced every enforcement interval no matter what you do on the ePO server.)

                  Click on the client system name.  Make sure the 'Managed State' says 'Managed'.  Make sure the 'Last Update' time makes sense (has it checked in TODAY?).  If either of these details doesn't make sense, stop troubleshooting the policy issue and start troubleshooting why these are wrong.

                  While still in the system details for your client system, look for 'Installed Products'.  What is the version of VSE on the client? 8.5 or 8.7?  Make a note of this. Also look for 'System Location'.  Make a note of the system location.

                  Now, close out the System details for your client system and go to the Systems/System Tree view in ePO.  Find the system location that you wrote down, click on it, then click on 'Policies'.  Change the product to either VSE 8.5 or VSE 8.7, depending on the version that you saw under 'Installed Products'.  The policy that is shown next to 'On-Access Default Processes Policy' is the one that is being enforced. Make a new policy, change to the correct policy, or edit the policy here, whichever makes most sense.

                  So, basically the troubleshooting steps are:
                  1. Make sure the client system is in ePO, it is being managed by ePO, and it's correctly checking in for new policies.
                  2. Figure out what version of VSE is installed on the client system and where it is in the ePO System Tree.
                  3. Based on what version of VSE is installed and where the system is, fix the policy.

                  • 6. Re: Does ePo make registry changes - security scanner complaining
                    araczek

                    Okay, it is working! Thanks SO MUCH for your help. One of the last things I did before lunch was I noticed in the System Tree under 'Assigned Policies' the 'On-Access Default Processes Policies' setting was set for the default. Changed it to my new policy. Tried testing right away but it did not work. In thinking about it over lunch I thought maybe I had to give it time. Checked what you suggested above and all was fine, I was on the right track. So I checked the settings and they were changing to what I want.

                    NOW

                    Best way to get the same policy over to my VirusScan 8.7 packages? I will poke around but just want to be sure.

                    • 7. Re: Does ePo make registry changes - security scanner complaining

                      Corporate KnowledgeBase ID: KB53909
                      "How to migrate VirusScan Enterprise 8.5i and 8.0i policies to VirusScan 8.7i using ePO 4.0 and ePO 4.5"

                      Find it at mysupport.mcafee.com
                      Basically, when upgrading VSE 8.5i policies and tasks in ePO 4.5, first check in the Extension, then execute the Policy Migration tool (ePOPolicyMigration.exe) on the server.  The policy migration tool should be in the .zip file that you got for VSE 8.7.  Be aware that you can only run this tool once, so make sure you have your policies for 8.5 set up exactly how you want them before running this tool.  If you've already run it once, then you have to manually edit your 8.7 policies, item by item.

                      • 8. Re: Does ePo make registry changes - security scanner complaining

                        P.S. if you don't want to wait for a new policy to get out to your environment, you can either:

                        1. from the client side, run cmdagent /c/e

                        2. from the ePO server, do an agent wakeup

                        • 9. Re: Does ePo make registry changes - security scanner complaining
                          araczek

                          Okay, I'm a dunce (and have a bad headache). Where do I find the extension? What about doing a policy export/import? Maybe the file can be modified to eliminate duplicates?

                          Plus, to be clear, I want 8.5 and 8.7 policies to co-exist until all users are upgraded to 8.7. The verbiage in the KB alludes to converting the present policies to 8.7.

                          Thanks.
