3 Replies Latest reply on Oct 31, 2011 4:09 AM by Attila Polinger

    SQL syntax for McShield

    Trooper

      Hi,

       

      Is there any possibility to check if the McShield process runs on every managed PC, but with SQL syntax on the EPO-DB?

       

      We use:

      EPO 4.5 (Patch4)

      VSE 8.7 (Patch4)

      Microsoft SQL Server 2005

       


       

      Thanks in advance

       

      Trooper.

        • 1. Re: SQL syntax for McShield
          Attila Polinger

          Hello,

           

          As far as I know, the status of the McShield process is not registered/updated in the ePO DB. However, there are events like "the service was started" and "The service was stopped", possibly sent when the McShield service stops or starts during boot or a DAT update. These events have their event codes, which you can query on if you have not incidentally or purposely filtered them out.

           

          Events and codes can be found in the McAfee KB for various products.

           

          I hope I understood your request properly.

           

          Attila

          • 2. Re: SQL syntax for McShield
            Trooper

            Hello,

             

            Thanks, Attila.

             

            I know this possibility with events, but I think in some table on the EPO-DB you can find OnAccesScanner Value=1 if it runs, and Value=0 if it does not run.

            That would be the same for the McShield check, I think.

            The problem is I have not found this table until now.

             

            Regards

             

            Trooper

            • 3. Re: SQL syntax for McShield
              Attila Polinger

              Hello,

               

              Where exactly would these two fields be in the ePO DB? I did not find them anywhere. In my opinion, keeping track of the McShield or On Access Scanner running status might be a bit lagged, since these statuses would be reported by the McAfee Agent, which has a predefined interval for property communication, and even if we considered this status a major event (where a different communication interval can be set), then, I guess, 1 minute would be the least interval that you can set before it is sent to the ePO server.

               

              I think the active / inactive status may be too dynamic for centrally keeping track of it...

               

              What do you think?

               

              Attila