It does indeed do that. Appropriate events will be sent back to ePO from the agents that you can make queries on.
Please see for example McAfee support article:
KB52417 - Complete list of Event IDs for VirusScan Enterprise
Bear in mind that the data in ePO is historical, it will tell you the service was stopped at the time of the event, not that it is stopped *now*.
For that you would need McAfee Real-time.
Thanks Rackroyd, I will look into that.
Now is McAfee Real-time in 5.x epo? I remember reading something about it, lol
There are KB articles for product compatibilty too
KB76736 - ePO 5.0 supported products
KB79169 - ePO 5.1 Supported Products
I don't think getting the event ID works. I have a machine that has McAfee uninstalled, yet the agent doesn't send anything stating it is not running. Yes, it shows that it is not installed looking at the machine info, but I don't get an event on this. Can't have an automated response sent to me in an email if nothing gets generated. I can see it under Real-Time Questions but that is almost worthless if you have to manually operate it. and it doesn't alert me automatically.
What I was looking for is an automated response sent to me stating what machine doesn't have it installed or turned on.
1 of 1 people found this helpful
I've wanted this type of information for some time. (i.e. Machine model / Serial # / Mcafee Product status ) and ePO does not give it (out of the box). The above discussion talks about adding your own code to modify CustomProps. then letting the Agent push these props up to ePO at ASCI. One person, Dvanmeter, posted a script that will also report if the McShiled is running.
Once the custom prop is reporting the status of McSchield, it becomes trivial to build an ePO query that looks for "Not Running" in the custom prop. Then a server task to email me a report of "Not Running" systems.
Again, I heavn't deployed this just yet, it's an idea that looks real promsing.
Thanks Phil, thats some good info. I did however get the system to email me PC's that are not running McAfee. Then, I added this script and see the samething. But it is still good info. dowside of this is it will only send you a report, not just a plain email. I would like to get notice as soon as it is on the network, like when the sensor sees it. If McShield is not running it should be an event that gets triggered. I would think it woudl be as bad as a threat....