1 Reply Latest reply on Nov 6, 2015 6:24 AM by Peter M

    Automated Responses for progress reporting of On-Demand Scan tasks




      I have seen the following scenario in a production environment running ePO 5.1 with McAfee Agent 4.8 and VirusScan Enterprise 8.8. However, I have not been able to reproduce it successfully. Please leave your advice on the steps I have taken and what steps you would recommend to result in the scenario outlined below.



      There are three different types of scans with differing schedules assigned as client tasks. When these scans are scheduled (task added to the scheduler list on the endpoint) they have a tag applied.


      ODS: Memory Scan Scheduled.

      When the scan starts, completes or is cancelled, the previous tag is removed and the appropriate tag is applied (I assume this is done using automatic responses).
      Queries are then used to report back how many endpoints are at each stage of each scan.


      My attempt to reproduce:

      I have configured 3 Client Task Assignments for different On-Demand Scan tasks; these are scheduled as stated below:


      Full System Scan - scheduled monthly for the first Friday of every month: 10am with 5 hour randomization window.

      Targeted Scan – scheduled weekly every Thursday: 10am with 5 hour randomization window.

      Memory Scan – scheduled daily: 9am with a 6 hour randomization window.


      I have then configured four tags for each scan task:


      ODS: Memory Scan Scheduled
      ODS: Memory Scan Started
      ODS: Memory Scan Completed
      ODS: Memory Scan Cancelled

      ODS: Targeted Scan Scheduled
      ODS: Targeted Scan Started
      ODS: Targeted Scan Completed
      ODS: Targeted Scan Cancelled

      ODS: Full System Scan Scheduled
      ODS: Full System Scan Started
      ODS: Full System Scan Completed
      ODS: Full System Scan Cancelled

      Where I am stuck!

      How can I use Automatic Responses to apply the tags to machines as they step through the stages of the assigned client tasks? I’m assuming this also correlates to Event IDs somehow?


      Event ID: 1202 – ODS started
      Event ID: 1203 – ODS completed

      However, I have not found the Event IDs for scheduled and cancelled.
      My other concern with using Event IDs is how can they differentiate between the 3 different types of ODS scan that are scheduled? Surely if I use just Event IDs a query could return the results:

      Full Scan Completed in 30 seconds when actually it was a Memory Scan?


      Once I have the automatic responses configured to apply the tags, I can use queries to report on systems that have these tags and therefore what stage of each scheduled client task they have reached and if any have failed.


      Thanks in advance for any help!