8 Replies Latest reply on Apr 21, 2015 6:55 AM by andrep1

    EPO Database Query

    blazerguns

      Hi Folks,

      I have a requirement to create a central dashboard for analytics in my organisation, which has several antivirus products. One of those products is ePO with a couple of VSE 8.x running. The ePO admin console has DB queries for the various statuses of the nodes (agents) in ePO. I want to build my own SQL queries to achieve the same. Surprisingly, I could not find much resource on the DB schema or details about doing this without the console. The only relevant info I could gather is https://kc.mcafee.com/corporate/index?page=content&id=KB77262 . Is there any document out there that explains the various tables of the database and how to go about acquiring the information?

      The precise information I am looking for is the following, to be checked for each node I want to query (each item is a "Malware-Protection Check via McAfee SQL DB (Minimum-Security-Controls)"):

      "IsInstalled",
      "IsDefinitionsLatest",
      "CurrentDefinitionsDate",
      "IsRealtimeProtectionEnabled",
      "IsConfigProtected",
      "IsLoggingEnabled",
      "IsLoggingToSIEM",
      "IsEnabled",
      "IsQuarantine",
      "IsQuarantineEnabled",
      "IsImmediateRemovalEnabled",

      Can someone shed some light on this? All I want is a SQL query for a node for these settings.

      Regards,

      Varun

        • 1. Re: EPO Database Query
          blazerguns

          I understand this can be quite a specific question which general users might not be aware of. Is it possible for anyone to point me to any other forum or means to contact McAfee developers who should be able to answer it?

          Regards,

          Varun

          • 2. Re: EPO Database Query
            jhall2

            Create the query containing the data you wish to pull in Queries and Reports and save it. After saving, find the query and check the check box next to the name. Click Actions | View SQL and the SQL query that is being run by ePO will be returned.

            • 3. Re: EPO Database Query
              blazerguns

              Thanks a lot for the reply @jhall2. I got most of what I wanted. Do you know how I can query "IsLoggingEnabled" and "IsQuarantineEnabled"?

              I have not found a query for that yet. Besides, is there some document out there explaining the tables? I mean, an ePO admin might need such a doc, right?

              • 4. Re: EPO Database Query
                andrep1

                Hi,

                There is no such thing. ePO is pretty good at managing the load on the DB server, so they do not provide tools to help you access the DB directly. They also have an API that can be used to query the DB through ePO, but that wouldn't provide you the data you are looking for.

                The last two data elements you are looking for are a bit complex. They are set by policy, and you would have to find out the configuration of the policy for each system.

                Also, your data elements can map to multiple data elements in ePO. For example, what does "IsLoggingEnabled" represent? What are you trying to determine is being logged?

                For the quarantine, there are product properties for the quarantine, but having a quarantine defined doesn't mean that specific files are being "quarantined."

                Hopefully this helps a bit.

                • 5. Re: EPO Database Query
                  blazerguns

                  Thanks Andre,

                  IsLoggingEnabled is to confirm whether the agents are writing their logs to syslog (Linux) and Windows logging. This means anything and everything the McAfee agents need to log. Can we find this out?

                  The quarantine part is split into 2 parts. "IsQuarantineEnabled" is just to see the product property, if that property is set. Sure, the engine decides if it wants to quarantine or not based on the file. Can you point out where in the DB I can find this value?

                  The second part of quarantine is "IsQuarantine". I understand that the quarantine folder can be set up on a remote machine instead of locally. I want to find out if that is the case. How can we find that info?

                  Regards,

                  Varun

                  • 6. Re: EPO Database Query
                    andrep1

                    Hi Varun,

                    For the logs, there is a setting in the McAfee Agent policy called "application logging"; that is the one you want.

                    Natively, the quarantine folder cannot be set up to go to a remote machine that I know of, but this is a property of the VSE quarantine policy. It sets the quarantine. There is no option to not send to quarantine.

                    Once you find the setting's name, then it should be in dbo.EPOProductSettingLabels and dbo.EPOProductSettingValues.

                    Andre

                    • 7. Re: EPO Database Query
                      blazerguns

                      Hi Andre,

                      Sorry if I misunderstood you, but you mentioned a setting in the policy called "application logging". Is this in the database? If so, can you point it out?

                      I understand the quarantine folder is set up by the VSE quarantine policy. This means ePO must have this setting somewhere in the database. Am I right?

                      dbo.EPOProductSettingLabels and dbo.EPOProductSettingValues.

                      I looked at the above two tables, and it looks like they are generic and do not seem to be agent-specific. Wouldn't that be the case? Correct me if I am wrong.

                      Thanks a lot.

                      Regards,

                      Varun

                      • 8. Re: EPO Database Query
                        andrep1

                        Hi Varun,

                        Since there is no available mapping between ePO and the DB, you have to identify them yourself. I rarely query the database directly, except when ePO doesn't provide a functionality I'm looking for.

                        If you can find the setting in SettingLabels, then you can join the values table and the leaf node table to map each system to the value you are looking for.

                        This is not an easy project you are involved with.
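Editor's added example (not code from the thread or from McAfee): the T-SQL below puts together the approach the replies describe: reply 2 says ePO's own "View SQL" output is the reference for what columns exist, reply 4 and reply 8 say the schema is undocumented so you must identify the columns yourself, and replies 6 and 8 say to join dbo.EPOProductSettingLabels, dbo.EPOProductSettingValues and the leaf node table to get a per-system setting value. The only object names the thread confirms are dbo.EPOProductSettingLabels and dbo.EPOProductSettingValues; every other table and column name used here (dbo.EPOLeafNode, dbo.EPOComputerProperties, dbo.EPOProductProperties, AutoID, NodeName, ParentID, ProductCode, DATVersion, DATDate, SettingName, SettingValue, SettingLabelID and the 'VIRUSCAN%' product-code prefix) is an assumption to be verified with the first query before the others are trusted.

```sql
-- Added example, not from the original thread. Run against the ePO SQL Server
-- database with a dedicated read-only login (db_datareader), never the ePO
-- service account. Column names marked ASSUMED are guesses to be checked
-- against query 1 and against ePO's own "Actions | View SQL" output.

-- 1. Discover the real columns of the tables the thread talks about.
--    INFORMATION_SCHEMA is standard SQL Server metadata, so this part needs
--    no schema knowledge at all.
SELECT TABLE_NAME, COLUMN_NAME, DATA_TYPE
FROM   INFORMATION_SCHEMA.COLUMNS
WHERE  TABLE_SCHEMA = 'dbo'
  AND  TABLE_NAME IN ('EPOLeafNode',               -- ASSUMED: one row per managed node
                      'EPOComputerProperties',     -- ASSUMED: agent-reported system props
                      'EPOProductProperties',      -- ASSUMED: agent-reported product props
                      'EPOProductSettingLabels',   -- named in reply 6
                      'EPOProductSettingValues')   -- named in reply 6
ORDER BY TABLE_NAME, ORDINAL_POSITION;

-- 2. Per-node product status for the original question's "IsInstalled",
--    "CurrentDefinitionsDate" and "IsDefinitionsLatest".
--    ASSUMED: EPOLeafNode.AutoID is the node key, EPOComputerProperties.ParentID
--    and EPOProductProperties.ParentID reference it, and VSE 8.x rows carry a
--    ProductCode starting with 'VIRUSCAN' plus DATVersion / DATDate columns.
--    LEFT JOIN keeps nodes with no VSE row so they show IsInstalled = 0.
SELECT ln.NodeName,
       cp.IPAddress,
       ln.LastUpdate                                          AS LastAgentComm,
       CASE WHEN pp.ParentID IS NULL THEN 0 ELSE 1 END        AS IsInstalled,
       pp.ProductVersion,
       pp.DATVersion,
       pp.DATDate                                             AS CurrentDefinitionsDate,
       -- "Latest" here means the newest DAT seen on ANY node in this ePO,
       -- not McAfee's current release; compare against your repository's
       -- DAT if you need the stricter meaning.
       CASE WHEN pp.DATVersion = fleet.NewestDAT THEN 1 ELSE 0 END AS IsDefinitionsLatest
FROM   dbo.EPOLeafNode ln
JOIN   dbo.EPOComputerProperties cp ON cp.ParentID = ln.AutoID
LEFT JOIN dbo.EPOProductProperties pp
       ON pp.ParentID = ln.AutoID
      AND pp.ProductCode LIKE 'VIRUSCAN%'
CROSS JOIN (SELECT MAX(DATVersion) AS NewestDAT
            FROM   dbo.EPOProductProperties
            WHERE  ProductCode LIKE 'VIRUSCAN%') fleet
ORDER BY ln.NodeName;

-- 3. Per-node policy/product setting values for "IsLoggingEnabled" and
--    "IsQuarantineEnabled" (replies 6 and 8: labels -> values -> leaf node).
--    ASSUMED: labels have AutoID + SettingName, values have SettingLabelID,
--    ParentID (node) and SettingValue. Filter on the label text first
--    (query 1 shows you the real column holding it), then join outward.
SELECT ln.NodeName,
       lbl.SettingName,
       val.SettingValue
FROM   dbo.EPOProductSettingLabels lbl
JOIN   dbo.EPOProductSettingValues val ON val.SettingLabelID = lbl.AutoID
JOIN   dbo.EPOLeafNode ln              ON ln.AutoID          = val.ParentID
WHERE  lbl.SettingName LIKE '%Logging%'      -- McAfee Agent "application logging"
   OR  lbl.SettingName LIKE '%Quarantine%'   -- VSE quarantine policy
ORDER BY ln.NodeName, lbl.SettingName;
```

Two practical notes. First, because the schema is unsupported, treat query 1 and the SQL that ePO itself shows under Actions | View SQL as the source of truth and adjust the ASSUMED names in queries 2 and 3 before scheduling anything; a column rename in an ePO upgrade will silently break a hand-written report. Second, reply 4's point about DB load is the reason to run these from a read-only login on a schedule you control, rather than letting a dashboard poll the production ePO database on every page view.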