    SDAT push - help required

      I need some assistance with a query.

      A colleague has been accused of forcing an SDAT file to be pushed out, which effectively slowed down the system during that period. He has stated he would never do it and cannot understand why or how he would have. He does have full access to the server etc., but he was no longer working with the AV side of things at the time this occurred.

      However, log files have traced it back to his user and his machine's IP on that day and time.

      Question is basically: if he didn't actively seek to do this, is there a technical explanation as to how the SDAT was forced out? The system is a month old and a replacement for a poorer one, and also the machine he was working on that day has had issues which were being monitored.

      i.e. crashing and slow activity. He had at one stage been logged into the server when it crashed.

      I would appreciate any advice on this, please.

      Thank you

          I'm a bit confused as to what's happened here... what was this SDAT supposed to do?

          When you say forced out - do you mean deployed via ePO to client machines, or something else?


            Perhaps global updating is enabled, and then the pull and DAT deployment is scheduled to run daily AUTOMATICALLY??


            But if his username and IP address were in the logs, then maybe he's just denying/hiding the fact that he did make a mistake (to save his a**), or another co-worker who knows his username and PWD logged into his system and made the changes..

              I'm supporting a colleague at work who deals with, or used to deal with, the AV network.

              He has been accused of sending out the SDAT via the ePO, which slowed down the network. It was logged back to his computer. However, at the time he was working on a "High Path".

              The computer he was working on has had recent problems, which were also being monitored to try and track the problem. The AV was 1 month into implementation.

              He insists he never did anything, and others in the room can confirm he hadn't; however, the mystery remains as to how it would have occurred.

              He had logged into his service account that day but had also crashed a number of times as well.

              From what I have been told, this all caused an unusual traffic path, was affecting a large network area and caused a slowing down.

              Any ideas as to how we can explain this on a technical level?

                Well, I do believe him as he has been open and honest with me and is clearly quite upset by it. He had nothing to gain by doing it and in fact more to lose by doing it. The fact is he was working on another project, and deploying the SDAT apparently requires a number of steps, so you can't "accidentally" do it?

                I'm no IT genius here, by the way. I'm just representing someone who has been involved with the McAfee AV previously for the company.

                He is happy to have a thorough investigation, which suggests to me he believes he hasn't done this.

                I would like to find some technical explanation that I can pose to them to explore.

                  Dude, if there are any client or deployment tasks created intentionally/unintentionally, you can check WHO made the task by checking the Server Tasks.. If his account is indicated, then maybe he's just saving his A** from his mistake by denying it, or another colleague used his account and PC to modify the client task or ePO setting.


                  And regarding your statement that:


                  "He insists he never did anything, and others in the room can confirm he hadnt, however the mystery remains as to how it would have occured."


                  I don't think it's a mystery, since you can access the ePO server via the web console wherever you are, as long as you have a network connection to the ePO server.. And I don't think it has anything to do with the computer he was working on..


                  Sorry for being so negative dude..but i hope this helps..

                    If you want a technical explanation, go to your ePO server and check the audit logs.. it will show in detail who made what changes and when they were made..


                    That will give you details on the changes made to your server that caused the incident..

                      Thanks for your answers.

                        Back to this chestnut.

                        Further update... the "evidence" produced is a copy of the logs detailing the check-in packages; they are yet to produce the logs of the server.

                        Will this make any difference?

                          I think the most important thing is the server task log, which will show the task that takes the packages you checked in and deploys them to all the machines.
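The two pieces of advice above (check the audit log for who did what, and check the server task log for the task that actually deployed the checked-in package) amount to a small correlation exercise. The script below is an added illustration, not part of this thread and not McAfee ePO code: it runs over a constructed, comma-separated log whose field layout (timestamp, user, source IP, action, detail) is an assumption and does not match any real ePO export. It distinguishes a task run that was preceded by an interactive check-in or task creation from one that ran with no human action beforehand (the "global updating plus a daily scheduled pull" scenario), and separately lists logins for an account that came from an address other than its known workstation (the "someone else used his credentials" angle). The account name `jsmith`, the addresses and the task names are all made up.

```python
from collections import namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time user ip action detail")

# Constructed sample log. The layout (time,user,ip,action,detail) is an
# assumption for this illustration, not a real ePO audit or task log format.
SAMPLE_LOG = """\
2009-03-10 09:58:12,jsmith,10.0.1.25,Login,success
2009-03-10 10:02:41,jsmith,10.0.1.25,Check in package,SDAT 5555
2009-03-10 10:03:05,jsmith,10.0.1.25,Create task,Deploy SDAT now
2009-03-10 10:03:09,SYSTEM,127.0.0.1,Run task,Deploy SDAT now
2009-03-10 14:21:07,jsmith,10.0.1.88,Login,success
2009-03-11 02:00:00,SYSTEM,127.0.0.1,Run task,Daily DAT pull
2009-03-11 02:00:30,SYSTEM,127.0.0.1,Run task,Global update
"""

# Constructed mapping of account -> the workstation it is expected to use.
WORKSTATIONS = {"jsmith": "10.0.1.25"}


def parse_log(text):
    """Parse the constructed log into Event tuples; 'detail' may contain commas."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, detail = line.split(",", 4)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            user, ip, action, detail))
    return events


def explain_run(events, run, window=timedelta(minutes=15)):
    """Classify one 'Run task' event.

    'interactive': a non-SYSTEM account checked in a package or created a task
    within `window` before the run, so the run traces back to a person and IP.
    'automatic': nothing interactive preceded it, consistent with a scheduled
    pull/deployment firing on its own.
    """
    preceding = [e for e in events
                 if e.user != "SYSTEM"
                 and run.time - window <= e.time < run.time
                 and e.action in ("Create task", "Check in package")]
    if preceding:
        actors = sorted({(e.user, e.ip) for e in preceding})
        return {"task": run.detail, "kind": "interactive", "actors": actors}
    return {"task": run.detail, "kind": "automatic", "actors": []}


def explain_all_runs(events):
    """Classify every 'Run task' event in the log, in log order."""
    return [explain_run(events, e) for e in events if e.action == "Run task"]


def logins_from_unexpected_hosts(events, workstations):
    """Logins where a known account came from an IP other than its workstation.

    A hit here does not prove credential misuse, but it is the kind of entry
    an investigator would want explained before attributing an action to the
    account's owner.
    """
    return [e for e in events
            if e.action == "Login"
            and e.user in workstations
            and e.ip != workstations[e.user]]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for verdict in explain_all_runs(evs):
        print(verdict)
    for e in logins_from_unexpected_hosts(evs, WORKSTATIONS):
        print("login from unexpected host:", e)
```

On the constructed data the first run is reported as interactive, attributed to `jsmith` from 10.0.1.25 via the check-in and task creation a minute earlier, while the two overnight runs come out as automatic. The afternoon login from 10.0.1.88 is flagged because it does not match the account's known workstation. With real logs the same questions apply: which interactive entries sit immediately before the deployment, and do the source addresses on those entries match the machine the account holder was actually at.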

