46 Replies Latest reply on Feb 25, 2014 9:03 AM by save
      • 1. Re: GetSusp deployment via ePO

        Looking good in my environment. Have trialled deployment to several machines without issues.


        I know that the FMR for the switch to individually name directories is turning up in the next version - that will make things even simpler.

        • 2. Re: GetSusp deployment via ePO
          HBullock

          Step #4 e:

          In the Command line field, provide your email ID and the .ZIP file path where the ZIP file created by GetSusp is to be placed, then click Next.

          NOTE: Ensure that the file path where GetSusp will be placed has Read/Write access.

          Example
          --email=myemail@example.com --zippath=C:\


          An ePO admin in the U.S. would have no knowledge of local drive and folder designations or permissions in remote locations. Since the program is being executed by the McAfee Agent, why isn't the program automatically using any temporary storage that the agent already has access to use? Better yet, why is the program not automatically using C:\ProgramData\McAfee\Getsusp (Windows 7)?

          • 3. Re: GetSusp deployment via ePO

            HBullock wrote:


            An ePO admin in the U.S. would have no knowledge of local drive and folder designations or permissions in remote locations. Since the program is being executed by the McAfee Agent, why isn't the program automatically using any temporary storage that the agent already has access to use? Better yet, why is the program not automatically using C:\ProgramData\McAfee\Getsusp (Windows 7)?


            I have a use for the --zippath variable, as I save the files to a network share (Hence why I'm eagerly waiting for the next version which can create different directories for different machines so that I can run Getsusp on multiple machines at once when required). I don't submit many of my scans - most I examine and where relevant submit malware directly to McAfee Labs, and then discard.


            I haven't tried this, but if you leave out the --zippath, shouldn't it create the files on the local machine in the EPO deployment directory (I believe C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\GETSUSPC3118\Install for the current version -- note the GETSUSPC3118 will most likely change with future versions)


            Also, although I've tried, I can't seem to use something like %TEMP% as part of zippath. I think this is a limitation of EPO, but not sure. I did raise this in the EPO forum : https://community.mcafee.com/thread/29962?tstart=0, but there are no responses yet.


            Message was edited by: mjmurra on 24/11/10 11:11:36 AM
            • 4. Re: GetSusp deployment via ePO
              HBullock

              I successfully used %temp% for Zippath. On my system the file was created in c:\windows\temp since the Agent is running as system. The proxy also worked for me and the remote client submitted the suspicious files to McAfee directly.

              After getting a UNC to work back to a network share, I would not care to use a local drive to store the file. On the local computer I would have no access to review it unless the file could be accessed via the McAfee Agent like the agent log via HTTP to the Agent's wakeup port.

              • 5. Re: GetSusp deployment via ePO

                HBullock wrote:


                I successfully used %temp% for Zippath. On my system the file was created in c:\windows\temp since the Agent is running as system. The proxy also worked for me and the remote client submitted the suspicious files to McAfee directly.


                Interesting. I didn't try %TEMP% by itself - I was trying to build a compound directory using the UNC (e.g. \\myserver\directory\%COMPUTERNAME%) and that didn't work for me:

                2010-11-22 11:47:27    I    #4424    ScrptExe    Running "C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\GETSUSPC3118\Install\0000\getsuspc.bat" --ZIPPATH=\\<MYPATH>\GetSusp\%COMPUTERNAME%

                • 6. Re: GetSusp deployment via ePO
                  HBullock
                  1. I specified a non-existent directory \\server\share\mydirectory\samples. Getsusp seemed to hang on the computer where it was running. I eventually killed the process.  The program could have created the required directory structure. The directory \\server\share\mydirectory did exist.
                  2. I reran Getsusp with the directory samples existing. Getsusp ran correctly and deposited the zip file in \\server\share\mydirectory\samples.


                  Given the above test results, I can see possibly why your attempt to use %computername% may have failed if the directory did not already exist. I would think that \\myserver\directory\%COMPUTERNAME% should work if the directory already existed. I will have to try that in the morning.

                  • 7. Re: GetSusp deployment via ePO

                    HBullock wrote:


                    1. I specified a non-existent directory \\server\share\mydirectory\samples. Getsusp seemed to hang on the computer where it was running. I eventually killed the process.  The program could have created the required directory structure. The directory \\server\share\mydirectory did exist.


                    This is caused by a pop-up window that occurs when Getsusp can't find the directory specified. As it's running as SYSTEM when deployed via EPO, you'll never see that window (Try manually running Getsusp with the silent switch and a non-existent path to see what I mean).


                    HBullock wrote:


                    Given the above test results, I can see possibly why your attempt to use %computername% may have failed if the directory did not already exist. I would think that \\myserver\directory\%COMPUTERNAME% should work if the directory already existed. I will have to try that in the morning.


                    Yeah, that does make sense - and is something I should have realised (as I already knew about the issue above when a non-existent directory existed). It's basically a workaround I want so I can run GETSUSP on several machines at once.

                    • 8. Re: GetSusp deployment via ePO
                      dbusby3

                      We have a modified version of Getsusp plus other tools that get deployed to a user's machine. Typically all the files go to an internal server not directly to McAfee. All the files have the name YYYYMMDD_%COMPUTERNAME%***.zip

                      That way we can run the tool several times per day per machine with no file collision and we know what day and what computer everything was run on.

                      • 9. Re: GetSusp deployment via ePO

                        dbusby3 wrote:


                        We have a modified version of Getsusp plus other tools that get deployed to a user's machine. Typically all the files go to an internal server not directly to McAfee. All the files have the name YYYYMMDD_%COMPUTERNAME%***.zip

                        That way we can run the tool several times per day per machine with no file collision and we know what day and what computer everything was run on.

                        Interesting. You must have a pretty close relationship with your TAM/SAM to get all sorts of good tools!


                        Your post gave me an idea though. There are ways to modify EPO packages and regenerate the package. I'm not going to go into details, but it is possible. So I've done a slight modification to the BATCH file that runs getsusp to meet my customisation requirements and re-uploaded the package. Workaround works for me!
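The directory-must-exist behaviour from replies 6 and 7, the per-computer directories wanted in replies 3 to 7, and the YYYYMMDD_%COMPUTERNAME% naming from reply 8 can be combined in one wrapper around the package's launcher, which is the kind of batch-file change reply 9 alludes to. This is an added example, not McAfee's script and not anything posted in the thread; the share path, the email address and a getsuspc.bat launcher sitting next to the wrapper are assumptions.

```batch
@echo off
REM Added example wrapper, not McAfee's own getsuspc.bat: pre-create the
REM per-host directory on the share, run GetSusp, then stamp the output.
setlocal enableextensions
REM Assumed share. The ePO agent runs this as SYSTEM, so the machine's
REM computer account (DOMAIN\HOST$) needs write access on the share.
set "SHARE=\\myserver\directory"
set "DEST=%SHARE%\%COMPUTERNAME%"

REM A missing --zippath makes GetSusp block on a pop-up nobody can see
REM under SYSTEM, so create the directory and prove it is writable first.
if not exist "%DEST%\" (
    mkdir "%DEST%" || (echo cannot create %DEST% & exit /b 1)
)
echo probe>"%DEST%\.write_test" || (echo %DEST% is not writable & exit /b 2)
del "%DEST%\.write_test"

REM YYYYMMDD from WMI, which is locale-independent unlike %DATE%.
for /f "skip=1 tokens=1" %%d in ('wmic os get LocalDateTime') do (
    if not defined STAMP set "STAMP=%%d"
)
if not defined STAMP set "STAMP=00000000"
set "STAMP=%STAMP:~0,8%"

REM Hypothetical: the launcher shipped in the ePO package, given the per-host path.
call "%~dp0getsuspc.bat" --email=myemail@example.com --zippath=%DEST%

REM Prefix every new zip with date and host so repeated runs never collide.
for %%f in ("%DEST%\*.zip") do (
    echo %%~nxf | findstr /b /c:"%STAMP%_%COMPUTERNAME%_" >nul || (
        ren "%%~ff" "%STAMP%_%COMPUTERNAME%_%%~nxf"
    )
)
endlocal
```

Because the wrapper fails fast with a non-zero exit code when the share cannot be created or written, the ePO client task shows the failure instead of the silent hang reply 6 describes.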
