6 Replies Latest reply on Nov 26, 2013 12:42 PM by scoutt

    ePO detection of OnAccess of clients


      It would seem to me that ePO should detect if a client machine has had it's OnAccess turned off or disabled. I must have missed it as I can't seem to find anything in ePO 4.6.6 that shows this.

      Does anybody know where this is located or if this is possible?

        • 1. Re: ePO detection of OnAccess of clients

          It does indeed do that. Appropriate events will be sent back to ePO from the agents that you can make queries on.


          Please see for example McAfee support article:

          KB52417 - Complete list of Event IDs for VirusScan Enterprise


          Bear in mind that the data in ePO is historical, it will tell you the service was stopped at the time of the event, not that it is stopped *now*.

          For that you would need McAfee Real-time.

          • 2. Re: ePO detection of OnAccess of clients

            Thanks Rackroyd, I will look into that.


            Now is McAfee Real-time in 5.x epo? I remember reading something about it, lol

            • 3. Re: ePO detection of OnAccess of clients

              There are KB articles for product compatibilty too


              KB76736 - ePO 5.0 supported products

              KB79169 - ePO 5.1 Supported Products

              • 4. Re: ePO detection of OnAccess of clients

                I don't think getting the event ID works. I have a machine that has McAfee uninstalled, yet the agent doesn't send anything stating it is not running. Yes, it shows that it is not installed looking at the machine info, but I don't get an event on this. Can't have an automated response sent to me in an email if nothing gets generated. I can see it under Real-Time Questions but that is almost worthless if you have to manually operate it. and it doesn't alert me automatically.


                What I was looking for is an automated response sent to me stating what machine doesn't have it installed or turned on.


                Any Ideas?

                • 5. Re: ePO detection of OnAccess of clients




                  I've wanted this type of information for some time.  (i.e. Machine model / Serial # / Mcafee Product status ) and ePO does not give it (out of the box). The above discussion talks about adding your own code to modify CustomProps. then letting the Agent push these props up to ePO at ASCI.   One person, Dvanmeter, posted a script that will also report if the McShiled is running.


                  Once the custom prop is reporting the status of McSchield, it becomes trivial to build an ePO query that looks for "Not Running" in the custom prop. Then a server task to email me a report of "Not Running" systems.


                  Again, I heavn't deployed this just yet, it's an idea that looks real promsing.

                  1 of 1 people found this helpful
                  • 6. Re: ePO detection of OnAccess of clients

                    Thanks Phil, thats some good info. I did however get the system to email me PC's that are not running McAfee. Then, I added this script and see the samething. But it is still good info. dowside of this is it will only send you a report, not just a plain email. I would like to get notice as soon as it is on the network, like when the sensor sees it. If McShield is not running it should be an event that gets triggered. I would think it woudl be as bad as a threat....