Do the non-compliant systems have VirusScan installed (and its version reported properly to ePO server)?
As for the reinstalled host: I would say that the node in ePO remains until you delete it with Inactive Agent Cleanup task.
Please try extracting the agent installer (.exe) and run it on the host.
Also please check if the host's operating system is supported by the agent.
Non compliant systems have the agent installed but not the engine and dat.
It seems that every machine which is restored/reimaged onto the system is then not being detected or picked up by McAfee.
For example I reimaged ICT03 last week, and it is now not showing in compliant or non compliant systems, but is showing in systems top level group as still being a managed system. I have attached screenshots to show this.
Does anyone have any ideas please? Is there a setting I am missing somewhere?
Would you please do the following for non-compliant hosts:
- show the compliancy criteria from the query
- extend the query (and all queries) so it shows last update time and VirusScan version and hotfix level of hosts in detail screen and post a new screenshot,
- confirm or deny that you run an inactive agent cleanup task and what is the inactivity criterion?
- check agent log and look for any sign of non-communication or other potential failure (policy enforcement, etc.) that is obvious (like agent ASCI policy differs from ePO agent ASCI policy, tasks are not run in scheduled time, etc.)
- check node record and see if any sequence errors are present and if latest such error is recent.
You can also check server.log to make sure a non-compliant system is handled correctly and eventparser.log whether there is not any event processing error from hosts (preventing updating their properties).
I normally get that when the machine has the agent but no VS installed..
I did not realise you can set up an inactive agent cleanup task. How do I set this up?
By default there is an Inactive Agent Cleanup server task, but you can create one if that would be missing.
Generally this is a server task that runs a query and performs action on the result.
The query lists nodes that have a Last Update value of a given value (e.g. one week, ten days, etc.) and there is a subaction defined (Delete Systems).
You can change the query and subaction to your liking. If the server task would be missing, you must create the query and then create the server task and select the proper query you have created and then the subaction (one or more).
Schedule this task to run as you wish.
Thanks for your help, but please can you talk me through this in step-by-step detail. I am not familiar with this software, and compared to other Anti Virus Server products I am finding this to be the most overcomplicated and difficult one I have ever used!
I have gone into Menu>Automation>Server Tasks and found the task called Inactive Agent Cleanup Task 4.5. I have tried editing this but cannot find anywhere to define the inactivity of the agent to be deleted. Therefore I have run it and it is showing as Completed: Deleted 0 Systems and is not doing anything.
Surely there is a better easier way than doing it this way? There are several off site laptops which sometimes do not get plugged into the system for weeks, so I fear doing it this way will delete them. It would also be good if machines picked up the Anti Virus immediately after being rebuilt/restored rather than having to wait a few weeks for the agent status to be deleted so it will reinstall it, which would leave them unprotected for all that time.
To conclude, all I want is for the machine to automatically pick up Agent and AV if they are restored to a clean state using WDS. Surely it can't be that hard?
Normally a client agent regularly reports to the ePO server. When the client is taken off-line or whatever else happens that prevents the agent from contacting the ePO server, the node record stays in ePO forever. The next time the same client is taken online and contacts ePO, ePO will find the dormant node record and update its content.
Inactive node records do not get deleted by themselves, only by running this task. As you can see the task is nothing more than an action and a subaction. The action is a query, you should edit this query to suit your need, that is, to reflect your criteria of what an inactive agent is.
A subaction can be anything, obviously for this task deletion or relocating the node record to a different group would be reasonable.
As for your questions:
- a client that is inactive for a short period might fall under the inactivity criteria of the above query. If you delete inactive agents from the system tree, the next time they "wake up" and report to ePO server their node record will be recreated (when you delete their record) or found and updated (provided their MAC address does not change).
- A newly restored client can receive the agent and AV via other automatisms. Automatic agent deployment could be via rogue system detection automatic response (or regular AD import - we do not use this latter so I do not have experience) and AV automatic deployment could be via client task.
I hope I could answer your questions. I think the above are pretty automatic and straightforward mechanisms.
Feel free to PM me in any specific question later on.
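
The query-plus-subaction logic described in the replies above, modelled as a dry run over an exported list of node records. This is an added example, not part of the thread and not McAfee's code; the CSV column names, tag names and thresholds are assumptions, and the sample export is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export of node records (not real ePO output).
# Column names and tag values are assumptions made for this example.
SAMPLE_EXPORT = """system_name,last_update,tags
ICT01,2024-05-30 08:12:00,Workstation
ICT03,2024-04-02 16:40:00,Workstation
LAPTOP07,2024-05-01 09:05:00,Laptop
LAPTOP09,2024-01-15 11:30:00,Laptop
SRV02,,Server
"""


def plan_cleanup(export_text, now, inactive_days=14,
                 grace_tags=("Laptop",), grace_days=90):
    """Return {system_name: action}; action is 'keep', 'move' or 'delete'.

    The inactivity test plays the role of the query, and the returned
    action plays the role of the subaction chosen for each matching node.
    """
    plan = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["system_name"]
        tags = {t.strip() for t in row["tags"].split(";") if t.strip()}
        roaming = bool(tags & set(grace_tags))
        if not row["last_update"]:
            # No recorded communication: park for review, do not delete.
            plan[name] = "move"
            continue
        last = datetime.strptime(row["last_update"], "%Y-%m-%d %H:%M:%S")
        age = now - last
        if age <= timedelta(days=inactive_days):
            plan[name] = "keep"      # reported recently, not matched by the query
        elif roaming and age <= timedelta(days=grace_days):
            plan[name] = "keep"      # off-site laptop inside its longer window
        elif roaming:
            plan[name] = "move"      # relocate to a holding group instead
        else:
            plan[name] = "delete"    # stale fixed machine, e.g. a pre-reimage record
    return plan


if __name__ == "__main__":
    for system, action in plan_cleanup(SAMPLE_EXPORT, datetime(2024, 6, 1)).items():
        print(f"{system}: {action}")
```

Running the same plan with a longer `inactive_days` shows how the inactivity criterion alone decides which records the subaction touches.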