Hello All,
Please, could you help me with this?
McAfee has been implemented on over 2000 servers which also have the BigFix client. The Security Department applied the BigFix AV Exclusion (%programfiles%\BigFix Enterprise) through the EPO console to all servers (Windows, Linux, AIX and Solaris). However, they cannot verify if this exclusion was implemented correctly.
I found that McAfee exclusions are saved in HKLM\SOFTWARE\Wow6432Node\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default for Windows servers. However, there is a record for every exclusion that has a prefix of ExcludedItem_*, which has the value of one exclusion.

Is there a way to look for the string %programfiles%\BigFix Enterprise in each record and then output true if it exists?
Regards
jO
1 Like
I don’t have McAfee to test, but try this:
exists keys "HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default" whose (not exists values whose (it as string as lowercase contains "%25programfiles%25\bigfix enterprise" or it as string as lowercase contains "%25programfiles(x86)%25\bigfix enterprise") of it) of registry
Should return True if there’s a McAfee registry path and the BigFix Exclusion is missing from it (system needs to be corrected).
Or …
exists keys "HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default" whose (exists values whose (it as string as lowercase contains "%25programfiles%25\bigfix enterprise" or it as string as lowercase contains "%25programfiles(x86)%25\bigfix enterprise") of it) of registry
Should return True if there’s a McAfee registry path and the BigFix Exclusion is present.
2 Likes
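A local spot check of the same condition in PowerShell, as an added example that is not part of the original posts. It lists each ExcludedItem_* value so a mismatch between the relevance result and a given server can be inspected; the key path and value prefix come from the thread, while checking both the native and Wow6432Node registry views and the variable names are assumptions of this example.

```powershell
# Added example (not from the thread): verify the BigFix exclusion on one server.
# Key path and the ExcludedItem_* prefix are taken from the posts above.
$subKey = 'McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\Default'

# Assumption: look in both registry views so the check works from a
# 32-bit or a 64-bit PowerShell host.
$candidates = @(
    "HKLM:\SOFTWARE\$subKey",
    "HKLM:\SOFTWARE\Wow6432Node\$subKey"
)

# Same two strings the relevance statements search for (lowercase).
$needles = @(
    '%programfiles%\bigfix enterprise',
    '%programfiles(x86)%\bigfix enterprise'
)

$results = foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $key = Get-Item -LiteralPath $path

    foreach ($name in ($key.GetValueNames() | Where-Object { $_ -like 'ExcludedItem_*' })) {
        # Read the stored data as written, without expanding %variables%.
        $data  = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $lower = $data.ToLowerInvariant()

        $hit = $false
        foreach ($needle in $needles) {
            if ($lower.Contains($needle)) { $hit = $true }
        }

        [pscustomobject]@{ Key = $path; Value = $name; Data = $data; BigFix = $hit }
    }
}

# Show every exclusion entry found, then the overall verdict:
# True when at least one entry names the BigFix folder.
$results | Format-Table -AutoSize
[bool]($results | Where-Object BigFix)
```

An empty table with a final `False` means either the McAfee key is absent or no exclusion entries exist, which the first relevance statement above distinguishes by requiring the key to exist.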