I'm a bit confused as to what's happened here... what was this SDAT supposed to do?
When you say forced out - do you mean deployed via ePO to client machines, or something else?
perhaps, global updating is enabled then pull and DAT deployment is scheduled to run daily AUTOMATICALLY??
But if his username and ip address were in the logs then maybe he's just denying/hiding the fact that he did made a mistake(to save his a**), or another co-worker who knows his username and PWD logged into his system and made the changes..
Im supporting a colleague at work who deals with or used to deal with AV network.
He has been accused of sending out the SDAT via the EPO which slowed down the network.It was logged back to his computer. However at the time he was working on a "High Path".
His computer he was working on has had recent problems which was also being monitored to try and track the problem. The AV was 1 mnth in implementation.
He insists he never did anything, and others in the room can confirm he hadnt, however the mystery remains as to how it would have occured.
He had locked into his service account that day but had also crashed a number of times as well.
From waht I have been told this all caused Unusual traffic path and was affecting a large network area and caused a slowing down.
Any ideas as to how we can explain this on a technical level?
Well I do believe him as he has been open and honest with me and is clearly quite upset by it.He had nothing to gain by doing it and in fact more to lose by doing it. The fact he was working on another project and to deply the SDAT apparently requires a number of steps that you cant "accidently" do it?
im no IT genius here by the way.Im just representing someone who has been involved with the Mcafee AV previously for the company.
He is happy to have a through investigation which suggests to me he believes he hasnt done this.
I would like to find some technical explanation that I can pose to them to explore
Dude, if there is any client or deployment tasks created intentionally/unintentionally you can check WHO made the task by checking the Server Tasks..If his account is indicated then maybe he's just saving his A** from his mistake by denying or another colleague used his account and PC to modifiy the client task or epo setting.
And regarding your statement that:
"He insists he never did anything, and others in the room can confirm he hadnt, however the mystery remains as to how it would have occured."
I don't think it's a mystery since you can access the ePO server via web console wherever you are as long you have network connection to the epo server..And i don't think it has anything to do with the computer he was working on..
Sorry for being so negative dude..but i hope this helps..
If you want a technical explanation, Go to your ePO Server and check the audit logs..it will show in details who did what changes and when he did it..
that will give you on the changes made to your server that caused the incident..
Thanks for your anwers.
Back to this chestnut.
Further update...the "evidence" produced is copy of the logs detailing the check in packages, they are yet to produce the logs of the server.
Will this make any difference?
I think the most important thing is the server task log which will take that pakcages you checked in and deploy it to all the machines