dgi001

McAfee / EPO blocking Ghostcast server

Hi There,

I am having problems trying to create an image from a machine in ghostcast server. I know that McAfee 8.7 (Managed by EPO 4) is blocking the communication, I just don't know how to allow it through. I have added ghostsrv.exe to the IRC communications exceptions as this was what the log said it was blocking, yet I still cannot create an image of the machine I want to.

Could anyone please advise how I might use EPO to amend the policy on the ghostcast server to allow for communications without having to disable McAfee on the machine every 1 minute?

Thank you for your help in advance.
dexIT

I had a similar issue creating an image a while back, but it was caused by Windows firewall. Is that off or on?
dgi001

ASKER

The Windows firewall is off, with no other firewall software installed. Just so you know, I can trace it to McAfee, as when I disable everything I can locally it works for about a minute before the policy kicks in and re-enables protection.

I am not keen to amend the policy on the ghostcast server to allow it to be disabled and would rather find out a possible way to allow the process to run as an exception.

Interestingly enough, when deploying images I have to disable the AV locally on the server, but it seems to work for much longer and deployment of images can be done. (Hopefully if a resolution is found this won't happen.)

Thank you
Robert_IT

dgi001

1. Don't recommend imaging a host machine with the McAfee Agent installed because you will duplicate the agent GUID (check McAfee KB for more information on this topic).
https://kc.mcafee.com/corporate/index?page=content&id=KB56086

Simple solution to this issue is to delete the GUID before imaging the master image, since SYSPREP won't catch this item. Now you can safely leave the agent alone.

2. I am going to assume you're eliminating the McAfee EPO agent communications, so I will focus on the client side of the logs. Otherwise EPO policy will likely need exclusions created for whatever is being blocked. We can cross that bridge later, but the basic exclusion will be pretty well explained by whatever you find in your local logs.

On the bottom right of your taskbar you should see the McAfee shield, and hopefully it has a somewhat red looking ORB color around it. The RED color only occurs when significant events occur, so now you need to proceed to view the local McAfee AV logs by right clicking on the McAfee Shield, and selecting each policy type.

What you're looking for is any process that's being blocked. In your case the events are most likely in the Access Protection portion of the logs.

So start by reviewing the AV logs and look for a process being blocked. Once you find it you need to create a local exception.

Symantec also has an article that references what I mentioned as well, see http://service1.symantec.com/SUPPORT/on-technology.nsf/0437f27e11eaa7ef88256ebb0049cfe6/ae79d907756216db8825734e0059c0e1?OpenDocument

My personal view on system images is to keep things as flat as possible. We don't push client software, AV, or anything else that's non-essential into our Vista images.

Let me know if you need any more help.

p.s. For your EPO admin, you might find this post I made on the McAfee forums helpful with other general exclusions.

http://community.mcafee.com/showthread.php?t=229802

Keep in mind you really need to eliminate the EPO client server communications, otherwise your server policy will override any local policy changes, which is why I don't recommend the agent being installed. Keep it if you like, but eliminate the GUID and remove it from the EPO console, so the server does not talk to the host.

If you have synchronization turned on your EPO server might also start taking automatic control as well, but this all depends on your EPO server policy settings. The policy takes a top down approach, so keep in mind this will be a factor.

Bottom line, recommend you eliminate the client server communications, delete the computer object from EPO, delete the GUID, and then create your localized exclusions.

Have fun!
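
Added example, not part of the thread or any poster's code: one way to carry out the log review described above is to tally blocked entries per process and rule, so an exclusion can be scoped to the rule that actually fired instead of disabling protection. The tab-separated field layout, the sample lines, the Ghost install path and the rule names are constructed assumptions; adjust the column indexes to match your own Access Protection log.

```python
import ntpath
from collections import Counter

# Constructed sample entries. Assumed layout, tab-separated:
# date, time, action, process path, rule name, remote address:port.
IRC_RULE = "Anti-virus Standard Protection:Prevent IRC communication"
MAIL_RULE = "Anti-virus Standard Protection:Prevent mass mailing worms from sending mail"
GHOST = r"C:\Program Files\Symantec\Ghost\ghostsrv.exe"  # assumed install path

SAMPLE_LOG = "\n".join([
    "\t".join(["11/03/2009", "10:15:02", "Blocked by port blocking rule",
               GHOST, IRC_RULE, "192.0.2.10:6667"]),
    "\t".join(["11/03/2009", "10:15:09", "Blocked by port blocking rule",
               GHOST, IRC_RULE, "192.0.2.11:6667"]),
    "\t".join(["11/03/2009", "10:20:41", "Blocked by port blocking rule",
               r"C:\Tools\example.exe", MAIL_RULE, "192.0.2.25:25"]),
    "log rotated",  # malformed line, must be skipped
])


def parse_blocked(text):
    """Yield (process_name, rule, target) for every 'Blocked ...' entry."""
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 6 or not fields[2].lower().startswith("blocked"):
            continue  # ignore malformed lines and non-block events
        # ntpath handles Windows paths even when run on another OS.
        yield ntpath.basename(fields[3]).lower(), fields[4].strip(), fields[5].strip()


def summarize(text):
    """Count blocks per (process, rule) pair."""
    return Counter((proc, rule) for proc, rule, _ in parse_blocked(text))


def rules_blocking(text, process):
    """Return the sorted rule names that blocked the named process."""
    wanted = process.lower()
    return sorted({rule for proc, rule in summarize(text) if proc == wanted})


if __name__ == "__main__":
    for (proc, rule), hits in summarize(SAMPLE_LOG).most_common():
        print(f"{hits:3d}  {proc:15s}  {rule}")
```

Each rule listed for a process needs its own exclusion entry in the corresponding policy; a process that is excluded from one rule can still be stopped by another.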
ASKER CERTIFIED SOLUTION
enzogoy

This solution is only available to members.
dgi001

ASKER

Thank you for your comments above, I will go through them as soon as possible and post back :)
dgi001

ASKER

Thank you very much for your help

WOW, the other guy gets the points and I already provided the same answer, what gives here?

Check the link to Symantec that I provided. All he did was repeat what was offered in the URL I researched and provided.

FOUL!

Calm down. I'll give the point back to you. Not really a big deal coz all we want to do here is to offer our help.

Now, any admin around? Could you please transfer the point I got for this question to Robert_IT?

By the way, I didn't get the answer from your link. I actually asked the same question a few years ago.
:)