6 Replies Latest reply on Nov 5, 2010 7:27 AM by metalhead

    Trying to understand rogue sensors

    pschmehl

      We're using rogue sensors for the first time, and I'm finding the behavior a bit wonky.

       

      Why do some sensors get uninstalled?  What causes that?

       

      Is there somewhere in ePO (4.5) that you can see pending rogue sensor installs?  They seem to drop into a blackhole.  I'm assuming that when I try to install one on a host and it refuses to run the installer, it's because there's a pending install job.  It would be nice to see those somewhere.

       

      Is there a way to wake up rogue sensors?

        • 1. Re: Trying to understand rogue sensors
          metalhead

          Hi again ,

           

          the RSD sensor is installed via a special clienttask created when you go through the "Sensor install" action (so it is actually installed/uninstalled by the McAfee Agent).

          If you select a system with a deployed sensor in the system tree and go to "Action" -> "Show/Edit Task on single system" you should see this task and its settings.

           

          As long as someone does not edit this task there is no automated uninstall feature that I know of.

           

          You can check the install/uninstall/running of the sensor on the client via two logfiles:

           

          C:\documents and settings\all users\application data\mcafee\common framework\DB\Agent_%computername%.log (install/uninstall -> search for the task name)

          C:\program files\mcafee\Rogue System Sensor\rssensor_out.log (if I remember the filename correctly -> running log of the sensor)

           

          AFAIK a sensor cannot be "forced" to communicate with the ePO server. The "timing" is controlled via the sensor's policies.

          • 2. Re: Trying to understand rogue sensors
            pschmehl

            metalhead wrote:

             

            Hi again ,

             

            the RSD sensor is installed via a special clienttask created when you go through the "Sensor install" action (so it is actually installed/uninstalled by the McAfee Agent).

            If you select a system with a deployed sensor in the system tree and go to "Action" -> "Show/Edit Task on single system" you should see this task and its settings.

             

            As long as someone does not edit this task there is no automated uninstall feature that I know of.

             

            You can check the install/uninstall/running of the sensor on the client via two logfiles:

             

            C:\documents and settings\all users\application data\mcafee\common framework\DB\Agent_%computername%.log (install/uninstall -> search for the task name)

            C:\program files\mcafee\Rogue System Sensor\rssensor_out.log (if I remember the filename correctly -> running log of the sensor)

             

            AFAIK a sensor cannot be "forced" to communicate with the ePO server. The "timing" is controlled via the sensor's policies.

            I looked at these tasks.  On an uninstalled sensor, the task looks exactly the same as on an installed one.  I have no idea what is uninstalling these things, but the detected systems query lists 106 uninstalled.  That's a bit misleading, because some hosts are listed multiple times.  For example, one host is listed three times with a last communication time of 11/2/2010 11:08:13AM, 11/2/2010 12:00:50PM and 11/4/2010 10:51:53AM.  The status of every host is unknown.

             

            Very odd.

             

            I also looked at the logfiles, but there was nothing remarkable that I noticed - no lines with uninstall sensor in them.  I checked this particular machine (the one listed three times), and the Rogue System Sensor service is installed and running.

             

            Not sure what's going on here, but it's definitely weird.

            • 3. Re: Trying to understand rogue sensors
              Tristan

              What happens if you delete the install task once it's installed?

               

              Could it be that if the task is still there it's repeatedly installing the sensor?

               

              In which case the install process would uninstall and then re-install, thus triggering all the uninstall reports.

              • 4. Re: Trying to understand rogue sensors
                metalhead

                Nope - the install task will only run once. Even if "Run at every policy enforcement" is checked or planning is rescheduled to run e.g. "daily" the task will only check if the sensor is still installed.

                • 5. Re: Trying to understand rogue sensors
                  pschmehl

                  I haven't tried deleting the task once the sensor is installed, but these tasks are created by ePO, not by me.  I would think that they were not designed to uninstall and reinstall a product.  Normal ePO deployment tasks are either an install or an uninstall.  If the product is already installed, the install job will "fail".  You can actually see these come across in the monitor, and they are simply ignored because the task has already been completed.

                  • 6. Re: Trying to understand rogue sensors
                    metalhead

                    There are only two times when ePO deinstalls a sensor:

                     

                    1) You configure the created clienttask to "uninstall"

                    2) When you update the sensor version on the client

                     

                    Perhaps you can get a clue on this by looking into your Windows eventlogs - the RSD install package is an MSI file, so install/deinstall should be logged there ...
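
The event-log check suggested in the last reply, as an added example that is not part of the original thread: it lists MsiInstaller removal events for the sensor on a client and marks each one as followed by a reinstall (the version-update case) or not (the client-task case). The product-name pattern, the look-back period and the 10-minute pairing window are assumptions; the event IDs are the standard MsiInstaller ones.

```powershell
# Added example, run in Windows PowerShell on the client (or against it via -ComputerName).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [string]$ProductPattern = 'Rogue System Sensor',  # assumed MSI product name
    [int]$DaysBack = 14,                              # assumed look-back period
    [int]$UpgradeWindowMinutes = 10                   # assumed pairing window
)

# Standard MsiInstaller event IDs written to the Application log.
$kinds = @{ 1033 = 'install'; 11707 = 'install'; 1034 = 'removal'; 11724 = 'removal' }

# Collect install/removal events whose message names the sensor product.
$events = @(
    Get-EventLog -LogName Application -Source MsiInstaller -ComputerName $ComputerName `
        -After (Get-Date).AddDays(-$DaysBack) -ErrorAction SilentlyContinue |
    Where-Object { $kinds.ContainsKey([int]$_.EventID) -and $_.Message -like "*$ProductPattern*" } |
    Sort-Object TimeGenerated |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time    = $_.TimeGenerated
            Kind    = $kinds[[int]$_.EventID]
            EventID = $_.EventID
        }
    }
)

if ($events.Count -eq 0) {
    "No MsiInstaller events matching '$ProductPattern' in the last $DaysBack days."
    return
}

# For every removal, look for an install shortly afterwards.
foreach ($r in $events | Where-Object { $_.Kind -eq 'removal' }) {
    $limit = $r.Time.AddMinutes($UpgradeWindowMinutes)
    $next = $events |
        Where-Object { $_.Kind -eq 'install' -and $_.Time -ge $r.Time -and $_.Time -le $limit } |
        Select-Object -First 1
    if ($next) {
        $verdict = 'removal followed by install: consistent with a sensor version update'
    } else {
        $verdict = 'removal with no reinstall: check whether the client task was set to uninstall'
    }
    '{0:yyyy-MM-dd HH:mm:ss}  event {1}  {2}' -f $r.Time, $r.EventID, $verdict
}
```

The timestamps can then be compared with the "last communication" times shown in the detected systems query in ePO.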