5 Replies Latest reply on Dec 31, 2014 7:49 AM by andrep1

    Criteria for parsing log file

    susja


      Hello,

      I'm scanning a lot of PCs using scheduled jobs and batches. At the end of the scan it copies all OnDemandLog.txt files to one shared location.

      I'm planning to write a script which would parse those logs and, in case it finds some malware, send me an email.

      I'm looking for 'keywords' or 'lines' that contain those keywords.

      I assume that I should check only the lines 'Processes detected', 'Boot sectors detected', 'File detections', 'Keys detected'.

      In other words, I am going to check only lines with the 'keyword' "detected". Normally the value of those is zero. I'm going to have it alert me whenever the value is not zero.

      Does it make sense to you?

      Thanks
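
One way to implement the check described in the post, as an added example (this is not the poster's script, nor McAfee code): walk the shared location, pull the four "... detected" / "File detections" counters out of every OnDemandLog.txt, and report any log whose counters are non-zero. It assumes the summary lines have the shape "Label: N" (an assumption of this example, not a documented OnDemandLog.txt grammar), and the sample logs it triages are constructed here for illustration. One caveat worth building in: a scan that crashed or never ran produces no counters at all, so a log with none of the expected lines is reported as "incomplete" rather than silently treated as clean.

```python
import re
import tempfile
from pathlib import Path

# Summary lines the post proposes to watch, keyed case-insensitively;
# the canonical names are the ones quoted in the post.
WATCHED = {k.lower(): k for k in (
    "Processes detected", "Boot sectors detected",
    "File detections", "Keys detected",
)}

# Assumed line shape "Label: N" (an assumption of this example, not a
# documented OnDemandLog.txt grammar).
LINE_RE = re.compile(r"^\s*(?P<label>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<count>\d+)\s*$")


def read_log(path):
    """Read a log that may be UTF-16 (BOM) or UTF-8 without crashing on odd bytes."""
    data = Path(path).read_bytes()
    enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return data.decode(enc, errors="replace")


def parse_summary(text):
    """Return {canonical label: count} for every watched 'Label: N' line."""
    counts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        canon = WATCHED.get(m.group("label").lower())
        if canon:
            counts[canon] = int(m.group("count"))
    return counts


def triage(text):
    """Classify one log as ('clean' | 'detection' | 'incomplete', details).

    A log with no summary counters is reported, not ignored: a scan that was
    killed, crashed or never ran writes no "... detected: 0" lines, and
    silence must not read as "nothing found".
    """
    counts = parse_summary(text)
    missing = [v for v in WATCHED.values() if v not in counts]
    if missing:
        return "incomplete", {"missing": missing}
    hits = {k: v for k, v in counts.items() if v != 0}
    return ("detection" if hits else "clean"), hits


def scan_share(share):
    """Triage every OnDemandLog.txt under the shared location: {path: (status, details)}."""
    return {str(p): triage(read_log(p)) for p in Path(share).rglob("OnDemandLog.txt")}


def format_alert(results):
    """Mail body: one line per log that is not clean; empty string means no mail."""
    return "\n".join(
        f"{path}: {status} {details}"
        for path, (status, details) in sorted(results.items())
        if status != "clean"
    )


# Constructed sample logs in the shape the post describes (not real McAfee output).
SAMPLE_CLEAN = """Summary Report
Processes scanned: 43
Processes detected: 0
Boot sectors scanned: 2
Boot sectors detected: 0
Files scanned: 120394
File detections: 0
Keys scanned: 9001
Keys detected: 0
"""
SAMPLE_HIT = SAMPLE_CLEAN.replace("File detections: 0", "File detections: 2") \
                         .replace("Keys detected: 0", "Keys detected: 1")
SAMPLE_ABORTED = "Scan started\nScan aborted by user\n"


def demo():
    """Lay the samples out as per-host folders on a temporary 'share' and triage them."""
    with tempfile.TemporaryDirectory() as share:
        for host, body in (("pc01", SAMPLE_CLEAN), ("pc02", SAMPLE_HIT), ("pc03", SAMPLE_ABORTED)):
            d = Path(share, host)
            d.mkdir()
            (d / "OnDemandLog.txt").write_text(body, encoding="utf-8")
        results = scan_share(share)
        # key by host folder so the caller does not depend on the temp path
        return {Path(p).parent.name: r for p, r in results.items()}


if __name__ == "__main__":
    print(format_alert(demo()) or "all clean")
```

Pointing `scan_share()` at the real shared location and mailing the string `format_alert()` returns (when it is non-empty) is the whole nightly job; the per-host folder layout in `demo()` is only one way to keep logs from different PCs apart.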

        • 1. Re: Criteria for parsing log file
          andrep1

          It would be 100x simpler if you used ePO. If you have a lot of PCs, I would assume you are running ePO. If you are not licensed for it, many suites include ePO.

          • 2. Re: Criteria for parsing log file
            susja

            Andre,

            how could I check that I am running ePO?

            Thanks

            • 3. Re: Criteria for parsing log file
              andrep1

              Hi,


              If all your devices are updating directly from the internet, that is a good indicator...

              If you start up the agent with c:\program files\mcafee\common framework\cmdagent -s, it will tell you whether those devices are connected to ePO. Look at the log, or right-click on the agent icon that will show in the icon tray.


              Value of running ePO: centralised reporting and configuration, centralized product deployment, single source of update.

              You can easily lock down the config locally with ePO and control everything centrally. In small setups, it can be a self contained server. With the new agent 5.0, there now is also peer to peer file replication.

              McAfee ePolicy Orchestrator | McAfee Products


              When you buy a McAfee product, you get a grant number (12345667-abc) and that allows you to download the software from the McAfee website.

              • 4. Re: Criteria for parsing log file
                susja

                Thanks for the detailed information, but I'd consider my case slightly different from what you described above. My company definitely has a grant number etc., but my team has a set of PCs that are located in a vLAN and don't have access to the Internet. It's solely our task to implement McAfee scanning inside the vLAN. Initially I had to remove 'managed' mode from each agent because I wanted to have control over it. Then every night a server, which is located behind the vLAN and connected to the Internet, grabs the latest version of the data.exe file and puts it on a shared location. Then each PC grabs that file and executes it locally, and after that it starts scanning. At the very end, when the scan has completed on all machines, the logs get copied to one place and then I run my parser script. I do this procedure daily.

                Sure, it's not as elegant as using centralized ePO, BUT it works for my team.

                • 5. Re: Criteria for parsing log file
                  andrep1

                  You could also consider a second ePO. Again much easier....