2 Replies Latest reply on Jan 5, 2011 2:35 PM by Regis

    Best way to initiate an on-demand scan immediately for ~20 workstations?


      Suppose you've been handed a list of about 20 IP addresses for workstations that should be full-scanned immediately.

      • What's the most efficient way to initiate an immediate scan on all them?
      • Where in ePO can you find indication that scans finished successfully?


      Right now, for one-off issues, I'd going machine by machine and do "modify tasks on a single system", breaking inheritance and doing all the clicking necessary to enable a normally disabled full scan task that I've set up in their policy group, and then doing wake up agent  to ensure the new task is launched quickly.  This isn't too bad for one or two machines, but the number of clicks necessary gets old in a hurry.


      Anyone have a better approach?   Would this be a good use of a new "scan immediate" subgroup of their current system tree group where  that scan immediate task could live and be enabled, and systems simply be moved into for scanning, and the entire group have "wake up agent" done to them? 


      Finally, does VSE report back to ePO in any way when a full scan is finished?


      Thanks again for the shared experiences.


      VSE 8.7, ePO 4.5, Agent 4.0

        • 1. Re: Best way to initiate an on-demand scan immediately for ~20 workstations?

          I keep a group at top level of the organisation with scan immediate set and all other tasks disabled, drop them in there and then wake up that group.

          Assuming you are collecting that event ID and reporting that level of event to epo you can throw up a report on whether its completed or not.

          Check your event filtering for the event and the agent policy for the events reported level to make sure you can see it.

          • 2. Re: Best way to initiate an on-demand scan immediately for ~20 workstations?

            Thanks Tony -- took a call to McAfee to fully assimilate your answer (I wasn't aware of the event filtering page -- turns out events 1202 and 1203 aren't enabled by default, and that's what I needed.


            I have adopted a "scan after hours" subgroup off each of my mains and a scan immediate subgroup off the top level and put a full scan task in there, and that really works a treat -- thanks for pointing me in that direction.


            The only followon question I have is for an immediate task,  how is that evaluated by the agent?  

            -For instance, how would it behave if I drop a host into the group with a scan immediate and I don't wake it up explicitly? Would that scan start the next time that host happens to check in based on its agent to server communication interval?

            - Also, if an immediate scan is started and in progress on a host,  and it's awakened again while in a scan immediate group, I assume it's smart enough not to start another scan until the original is finished?

            - If you move a box out of a group with a scan immediate task in it, does that task get cancelled (I'm guessing no).

            - If the box is shut down during a scan immediate, what happens next time it's power up?  Will that scan run again from the beginning if run missed task is checked?


            I haven't been able to find where this behavior is documented.