Solved

How do I use the ePolicy Orchestrator 4.6 to remediate outdated workstation's DAT file?

Posted on 2015-01-07
Last Modified: 2015-01-20
I need to learn how to use the console to do this. I am a newbie to it. If anyone has instructions, please provide.
Question by:joukiejouk
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40537860
For a quick summary, you can check out the resource below. Although it relates to Extra.DAT, it should be applicable to DAT as well, as it shares how to manually check in and deploy an Extra.DAT through ePolicy Orchestrator 5.x and 4.6.x.
https://kc.mcafee.com/corporate/index?page=content&id=KB67602

In fact, I suggest you see the guide's "Update tasks" section (pg 203), which covers how to create and configure update client tasks to control when and how managed systems receive update packages. It is also good to have a compliance report query to maintain awareness of the client status (see pg 250).
http://www.mcafee.com/us/resources/misc/guides/ms-epo-product-guide.pdf

Separately, in case this comes in handy for combining Extra.DAT files: you can use a tool from McAfee Labs to combine multiple Extra.DAT detection files from McAfee Labs into a single package that you can deploy to your endpoints. (need login) https://support.mcafee.com/extradat
0
 

Author Comment

by:joukiejouk
ID: 40541678
After doing a "Wake Agent" and deploying the DAT from EPO, some machines receive the latest DAT file, but still show in the dashboard as non-compliant. How do I fix this?
0
 
LVL 62

Expert Comment

by:btan
ID: 40541914
You also need to ensure the supported version of the client component for VirusScan Enterprise (VSE) in the Support Version, Patch/Hotfix and Extension Build; see the table below.
https://kc.mcafee.com/corporate/index?page=content&id=KB69814

Some of them faced the same issue because the extension was not installed:
https://community.mcafee.com/thread/34252?tstart=0

Besides that, a way to fix this at the moment is to delete the machine from ePO - do not select the "uninstall agent" option - and then wait for the machine to communicate with ePO again. When it does, it will reappear with the correct values and should then show up as compliant.
https://community.mcafee.com/message/188325#188325
0

 

Author Comment

by:joukiejouk
ID: 40544756
In the ePO, how do I check if machines have auto-update set daily to check in with ePO?
0
 
LVL 62

Expert Comment

by:btan
ID: 40545830
The autoupdate task that you can see in the VSE console is the default task created by VSE when it is installed. Also, it is not possible to modify this task from ePO; all we can do is disable it.
I understand that even if we create update tasks in ePO, which are sent down to the client machines as new, separate tasks, there is nothing we can see in the VSE console. Apparently, the way to see if they are running is to check the agent log. E.g. if the task created was called "Daily Update for VSE", then upon the task running we should see an entry like "Invoking task 'Daily Update for VSE'" in the agent log. For a client machine, the agent task folder is typically in C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Task by default.
0
 

Author Comment

by:joukiejouk
ID: 40552012
I removed machines that have the latest .DAT, which were listed in the non-compliant list. However, they re-appeared as being non-compliant again after communicating back with the ePO server. How can we fix this? Should the dashboard be re-created or refreshed? If so, can you please provide instructions?
0
 
LVL 62

Expert Comment

by:btan
ID: 40552657
Maybe verify the following:

- Check that the extensions for VirusScan are installed in EPO (Menu=>Software=>Extensions=>install extensions).

- Check the DAT version by running a query; you can run saved queries on demand. E.g. click Menu | Reporting | Queries & Reports, select VSE: DAT Deployment in the Queries list, then click Actions | Run.

- Check the query being used in the dashboard to display the compliance check; some queries can be hard coded to a specific version of releases. We can either change the query to see if it corrects, or upgrade the machine according to the query criteria stipulated. E.g. under the Criteria from The Compliance Report under Reporting.

- Dashboard monitors are refreshed automatically on a user-configured interval (five minutes by default). You should be able to go to Dashboards and edit its Dashboard Preferences from the Options drop-down list. The Dashboard page refresh interval is available there and you can adjust it to the number of minutes you want between refreshes.

Another option is to refurnish the client:

- (can be tedious) Manually re-install the client package on each non-compliant station.

- From EPO, create a schedule to do an uninstall, then a re-install, then run an AD Sync. Some may go to the extent of creating a server task to automate this, such that clients failing in certain areas (like not having checked in for 3 days) get new agents redeployed; this force push can be an option.

Admin guide - http://www.mcafee.com/us/resources/misc/guides/ms-epo-product-guide.pdf
0
 

Author Comment

by:joukiejouk
ID: 40553868
I removed a large number of machines from the non-compliant list, but did not remove the agents. Now, it appears they re-registered and still ended up on the non-compliant list, but with no info. Is this a problem? If so, how can I fix this? I just did a "wake-agent" and "update now." See screenshot attached.
ePO.png
0
 

Author Comment

by:joukiejouk
ID: 40553942
Just to add, we had a server that ended up in the 'lost and found' container. It was a server that had been removed from the non-compliant list, but I did not remove the agent. We moved the server back to its appropriate container. Now I am tasked with finding a root cause as to how it ended up in the lost and found container. How would I check the log for this? I had a feeling this happened when I deleted it from the non-compliant list.
0
 
LVL 62

Expert Comment

by:btan
ID: 40554672
Wondering if we can query the SQL on the state for those "empty" version workstations, see this:
Use this query to see machines which DO NOT have the update in SQL Management Studio. Remember that the SQL Express on the EPO Server has/is an instance. So you may have to connect to it:
 
YOUR_SERVERNAME\EPOSERVER
 
Then new query:
 
SELECT     ln.NodeName AS Hostname, pp.ProductVersion AS Version, pp.Hotfix AS Patch, ps.Value AS Hotfix
FROM         EPOLeafNode AS ln INNER JOIN
                      EPOProductProperties AS pp ON ln.AutoID = pp.ParentID INNER JOIN
                      EPOProductSettings AS ps ON pp.AutoID = ps.ParentID
WHERE     (ps.SettingName = 'Fixes') AND (ps.Value NOT LIKE '%793640%')
ORDER BY hostname
In this example, it is listing the HF793640. I am suspecting there is such a "DAT Date     0/0/0"  OR  "DAT Version     0.0000"  OR  "Engine Version     0.0000" as empty in the image you shared. It is odd, and maybe you also need to reinstall the agent, which I believe you did already. https://kc.mcafee.com/corporate/index?page=content&id=KB67406

One suggested the VSE reinstallation steps below:
https://community.mcafee.com/message/252308#252308

As for those in Lost and Found, it is likely ePO cannot match the entry in the system tree with the machine in question. That is "intermediate" though. Generally you should be able to delete any "duplicate" entry (if any), and move the "interested" entry from Lost&Found to where you want it to be. Also run through L&F and purge all the empty groups... One shared the possibility of a sorting and IP conflict, as below:
A machine connects with an IP address of 192.168.10.1: ePO can't find a matching group so it places it in L&F.
The machine then gets given 192.168.1.1, and updates its properties. You have a server task that resorts the tree: this now moves the machine to the "correct" location, leaving the empty group under L&F.
https://community.mcafee.com/thread/29619?start=0&tstart=0
0
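The sorting scenario described in the post above, as an added example that is not part of the original thread and is not ePO's own code: a simplified Python model of IP-based sorting that replays a host's check-ins and records which addresses matched no group. The group names, subnets, host names and the first-match rule are constructed assumptions.

```python
import ipaddress

# Constructed sorting criteria (assumption): group name -> subnets.
# In a real console these come from each group's sorting criteria.
GROUP_SUBNETS = {
    "Servers": ["192.168.1.0/24"],
    "Workstations": ["192.168.2.0/24", "192.168.3.0/24"],
}
LOST_AND_FOUND = "Lost&Found"


def sort_system(ip, group_subnets=GROUP_SUBNETS):
    """Return the first group whose subnet contains ip, else Lost&Found."""
    addr = ipaddress.ip_address(ip)
    for group, subnets in group_subnets.items():
        if any(addr in ipaddress.ip_network(s) for s in subnets):
            return group
    return LOST_AND_FOUND


def replay_checkins(checkins, group_subnets=GROUP_SUBNETS):
    """Replay (host, ip) check-ins in order, re-sorting after each one.

    Returns (placement, lost_ips): the final group per host, and for each
    host the IPs that matched no group, which is the evidence to look for
    when asking why a system showed up under Lost&Found.
    """
    placement = {}
    lost_ips = {}
    for host, ip in checkins:
        group = sort_system(ip, group_subnets)
        placement[host] = group
        if group == LOST_AND_FOUND:
            lost_ips.setdefault(host, []).append(ip)
    return placement, lost_ips


# Constructed check-in history; SRV01 follows the sequence from the post.
CHECKINS = [
    ("SRV01", "192.168.10.1"),  # no matching group -> Lost&Found
    ("SRV01", "192.168.1.1"),   # re-sort moves it to Servers
    ("WS07", "192.168.2.44"),
    ("WS09", "10.0.0.5"),       # never matches, stays in Lost&Found
]

if __name__ == "__main__":
    placement, lost_ips = replay_checkins(CHECKINS)
    for host in sorted(placement):
        print(host, "->", placement[host], "unmatched:", lost_ips.get(host, []))
```

Feeding it the real subnet criteria and the addresses a host has reported shows whether an unmatched IP, rather than the deletion itself, explains a Lost&Found placement.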
 

Author Comment

by:joukiejouk
ID: 40555852
So with data not being shown, does that mean something is broken? Will they re-appear after a certain time? I don't know how to run queries. All I want to know is with data no longer appearing, what will happen?
0
 
LVL 62

Expert Comment

by:btan
ID: 40555898
Should be, if the (supposedly non-compliant) workstation is running the same VSE (as an example) version as the other compliant workstations. It can be the ePO agent comms to EPO, the central server management configuration for polling info for reporting, the report details displayed with the wrong criteria for polling, the systems not being updated due to hotfixes and patches, etc. But mainly, running a custom report hopes to aid fact finding on the "anomalies" below, where possible, in the troubleshooting phases.
- Clients that have not communicated with the McAfee ePO server in a while
- Clients suspected of not working properly when attempting wake up
- Clients that require a new agent deployed to them directly from EPO

...the T-SQL query above is to go to the SQL db (because the query engine in 4.6 only uses a subset of the T-SQL command set) for EPO to really ascertain what is displayed on the server UI. This is already shared in the steps for the link in the previous post:
Copy and paste the following Microsoft SQL, and then run it on the Microsoft Query Analyzer or Microsoft SQL Server Management Studio.
(Ref - https://kc.mcafee.com/corporate/index?page=content&id=KB67406)

...if that really is not viable (because you have no access), I am thinking to retry by running a new (not built-in) query from EPO. E.g. choose queries, new query, select managed systems, set it to a table, and choose the columns for the version, patches, etc. data you want returned. This is just a "duplicate" check to see the built-in reporting accuracy (likely same state..).

Regardless, as long as the local manual means to keep client station is still viable or re-assign it to another EPO (if there is one) to manage it, even if this "misinformed" EPO is still getting the right info from those workstations. The key is that VSE is running fine and the client can still get updates and remain protected (but just with more effort)...

It may be time to trigger tech support, since it should be supporting your company, to better advise and log it down...
0
