I have seen the following scenario in a production environment running ePO 5.1 with McAfee Agent 4.8 and VirusScan Enterprise 8.8. However, I have not been able to reproduce it successfully. Please leave your advice on the steps I have taken and what steps you would recommend to result in the scenario outlined below.
There are three different types of scans with differing schedules assigned as client tasks. When these scans are scheduled (task added to the scheduler list on the endpoint), they have a tag applied:
ODS: Memory Scan Scheduled.
When the scan starts, completes or is cancelled the previous tag is removed and the appropriate tag is applied (I assume this is done using automatic responses).
Queries are then used to report back how many endpoints are at each stage of each scan.
My attempt to reproduce:
I have configured 3 Client Task Assignments for different On-Demand Scan tasks; these are scheduled as stated below:
Full System Scan - scheduled monthly for the first Friday of every month: 10am with 5 hour randomization window.
Targeted Scan - scheduled weekly every Thursday: 10am with 5 hour randomization window.
Memory Scan - scheduled daily: 9am with a 6 hour randomization window.
I have then configured four tags for each scan task:
ODS: Memory Scan Scheduled
ODS: Memory Scan Started
ODS: Memory Scan Completed
ODS: Memory Scan Cancelled
ODS: Targeted Scan Scheduled
ODS: Targeted Scan Started
ODS: Targeted Scan Completed
ODS: Targeted Scan Cancelled
ODS: Full System Scan Scheduled
ODS: Full System Scan Started
ODS: Full System Scan Completed
ODS: Full System Scan Cancelled
Where I am stuck!
How can I use Automatic Responses to apply the tags to machines as they step through the stages of the assigned client tasks? I'm assuming this also correlates to an Event ID somehow?
Event ID: 1202 – ODS started
Event ID: 1203 – ODS completed
However, I have not found the Event IDs for scheduled and cancelled.
My other concern with using Event IDs is how can they differentiate between the 3 different types of ODS scan that are scheduled? Surely if I use just Event IDs a query could return the results:
Full Scan Completed in 30 seconds when actually it was a Memory Scan?
Once I have the automatic responses configured to apply the tags, I can use queries to report on systems that have these tags and therefore what stage of each scheduled client task they have reached and if any have failed.
Thanks in advance for any help!
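An added example, not code from the original post or from McAfee: a small Python model of the tag lifecycle described above, keyed on the event ID plus the task name, which is exactly the distinction the question is worried about. The event IDs for "scheduled" and "cancelled", and the presence of a task-name field on each event, are assumptions labelled as such in the code.

```python
# Added example (not code from the original post or from McAfee ePO): a model
# of the tag lifecycle the question describes, keyed on BOTH the event ID and
# the task name, showing why the event ID alone cannot separate the three scans.

# Event IDs quoted in the post. The scheduled/cancelled IDs are not known
# there, so those transitions use constructed placeholder values.
ODS_STARTED = 1202
ODS_COMPLETED = 1203
ODS_SCHEDULED = "SCHEDULED_ID_PLACEHOLDER"   # constructed, not a real ePO ID
ODS_CANCELLED = "CANCELLED_ID_PLACEHOLDER"   # constructed, not a real ePO ID

STAGE_BY_EVENT = {ODS_SCHEDULED: "Scheduled", ODS_STARTED: "Started",
                  ODS_COMPLETED: "Completed", ODS_CANCELLED: "Cancelled"}

# Client task names from the post; assumes the event carries the task name.
SCAN_TASKS = {"Memory Scan", "Targeted Scan", "Full System Scan"}


def apply_event(tags, event_id, task_name):
    """Replace the previous 'ODS: <task> ...' tag in one endpoint's tag set
    with the stage of this event. Returns the tag applied, or None if the
    event is not one of the tracked scan events."""
    if task_name not in SCAN_TASKS or event_id not in STAGE_BY_EVENT:
        return None
    prefix = f"ODS: {task_name} "
    # Drop only this task's old stage tag; tags for the other scans stay.
    tags.difference_update({t for t in tags if t.startswith(prefix)})
    tag = prefix + STAGE_BY_EVENT[event_id]
    tags.add(tag)
    return tag


def count_by_tag(endpoints):
    """The reporting query the post wants: endpoints per stage tag."""
    counts = {}
    for tags in endpoints.values():
        for t in tags:
            counts[t] = counts.get(t, 0) + 1
    return counts


def demo():
    # Constructed sample: PC-A finishes a Full System Scan while PC-B has a
    # Memory Scan cancelled; an event-ID-only response could not tell the
    # two tasks apart, but the task-name prefix keeps the tags distinct.
    endpoints = {"PC-A": set(), "PC-B": set()}
    for ev in (ODS_SCHEDULED, ODS_STARTED, ODS_COMPLETED):
        apply_event(endpoints["PC-A"], ev, "Full System Scan")
    for ev in (ODS_SCHEDULED, ODS_STARTED, ODS_CANCELLED):
        apply_event(endpoints["PC-B"], ev, "Memory Scan")
    return count_by_tag(endpoints)
```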