Fixlet to check for an ePO agent

(imported topic written by SystemAdmin)

Hi all,

I’m new to the relevance language and would like some help. I’m trying to write a fixlet that will check the systems on my network for the presence of an ePO agent. This can most easily be done by the check of a reg key, or the presence of a file (and it being the proper version) on the computer. Then I want to send a .exe to the systems that don’t have the agent at all or don’t have the proper version. Can anyone point me in the right direction with this?

Thanks in advance!

(imported comment written by BenKus)

Hi SeagateTony,

This is a pretty simple application of a Fixlet… I would recommend using the software distribution wizard and it will generate a Fixlet for you that can deploy your ePO agent… You can put in the service name or reg key or whatever you would like in the wizard.

If you would like to do something more advanced, we can help build the relevance for you (and you can edit the Fixlet you created in the software distribution wizard).

Ben

(imported comment written by SystemAdmin)

Thanks Ben. I’ll try it with the wizard. I appreciate it.

TK

(imported comment written by SystemAdmin)

Here's an EPO analysis I put together. This may help.

This Analysis pulls data from the "C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\ServerSiteList.xml" file

Server Name
EPO Server Name
Server Short Name
Server IP Address
EPO Type
EPO Enabled
HTTP Site name
Update Type
FTP Site List
Version of Running FrameworkService
Version of Running McShield Service

The problem I see with this is the last 2 version info: if it's not running, it doesn’t get any data.

I also have several tasks to push out EPO, uninstall old EPO and reinstall new…

let me know if you would like them

(imported comment written by SystemAdmin)

Hi Mark, yes that would be GREAT. I would love to have the tasks you have for pushing, installing etc. Thanks!

(imported comment written by SystemAdmin)

I just took the files in the Install directory for McAfee 8.7 and zipped them up to VSE870LMLRP3.zip. I also added the EPO agent in the same zip file.

Relevance:

(name of operating system as lowercase starts with "win" and (if ((
    if (exists key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry)
    then (value "szCurrentVersionNumber" of key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry as string)
    else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry)
    then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry as string)
    else if (exists key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry)
    then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry as string)
    else "0.0.0") as version) < " then true else false))

Action1:

download http://software.bigfix.com/download/redist/unzip-5.52.exe
continue if {(size of it = 167936 and sha1 of it = "e1652b058195db3f5f754b7ab430652ae04a50b8") of file "unzip-5.52.exe" of folder "__download"}
prefetch VSE870LMLRP3.zip sha1:bf3df291769fe705b53b050495aa2b11d49c119b size:34173859 http://<SERVER>/shared/Component_Install/McAfee_Update/VSE870LMLRP3.zip
dos mkdir {name of drive of windows folder}\McAfee_Update
wait __download\unzip-5.52.exe -o -j __download\VSE870LMLRP3.zip -d {name of drive of windows folder}\McAfee_Update
wait {name of drive of windows folder}\McAfee_Update\SetupVSE.exe ADDLOCAL=ALL REMOVE=LotusNotesScan REMOVE=EmailScan /qn
wait {name of drive of windows folder}\McAfee_Update\FramePkg.exe /INSTALL=AGENT /SILENT
dos rmdir /S /Q {name of drive of windows folder}\McAfee_Update

Success Criteria:

(name of operating system as lowercase starts with "win" and (if ((
    if (exists key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry)
    then (value "szCurrentVersionNumber" of key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry as string)
    else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry)
    then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry as string)
    else if (exists key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry)
    then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry as string)
    else "0.0.0") as version) < " then true else false))

Keep in mind that your sha1 and size will be different…
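
Added example, not part of the original post: one way to produce the size and SHA-1 for your own package in the `prefetch` and `continue if` forms used in the action above, and to check a file against an existing prefetch line before hosting it. The file name `Package.zip`, the URL `http://SERVER.example/...` and the sample bytes are constructed placeholders.

```python
import hashlib, os, re, tempfile

# Prefetch form used in the post: prefetch <name> sha1:<hex> size:<bytes> <url>
PREFETCH_RE = re.compile(r"^prefetch\s+(?P<name>\S+)\s+sha1:(?P<sha1>[0-9a-fA-F]{40})"
                         r"\s+size:(?P<size>\d+)\s+(?P<url>\S+)$")

def file_digest(path, chunk=1 << 20):
    """Return (size_in_bytes, sha1_hex), reading the file in chunks."""
    h, size = hashlib.sha1(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
            size += len(block)
    return size, h.hexdigest()

def prefetch_line(path, url):
    """Build the prefetch statement for a package you are about to host."""
    size, sha1 = file_digest(path)
    return f"prefetch {os.path.basename(path)} sha1:{sha1} size:{size} {url}"

def continue_if_line(path):
    """Build the 'continue if' guard in the form the thread's actions use."""
    size, sha1 = file_digest(path)
    return ('continue if {(size of it = %d and sha1 of it = "%s") of file "%s" '
            'of folder "__download"}' % (size, sha1, os.path.basename(path)))

def mismatches(line, path):
    """Compare an existing prefetch line with a local file; [] means they agree."""
    m = PREFETCH_RE.match(line.strip())
    if m is None:
        raise ValueError("not a prefetch line in the expected form")
    want = (int(m["size"]), m["sha1"].lower())
    return [f"{field}: line has {w}, file is {got}"
            for field, w, got in zip(("size", "sha1"), want, file_digest(path))
            if w != got]

def write_sample(data, name="Package.zip"):  # constructed sample file for the demo
    path = os.path.join(tempfile.mkdtemp(), name)
    with open(path, "wb") as f:
        f.write(data)
    return path

if __name__ == "__main__":
    pkg = write_sample(b"abc")  # constructed stand-in for the real zip
    line = prefetch_line(pkg, "http://SERVER.example/Package.zip")  # placeholder URL
    print(line, continue_if_line(pkg), sep="\n")
    print(mismatches(line, write_sample(b"abd")))  # same size, different content
```

A non-empty result from `mismatches` means the hosted file is not the one the action was written for, which is the case where the client refuses to run the download.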

(imported comment written by silverlining91)

Hi Mark,

I have used some of your action codes and was able to deploy both McAfee 8.8 and EPO agent to all my clients.

The problem here is the “M” icon does not appear on the taskbar of all my clients. This means the EPO agent is not able to report back to my EPO server.

Action code :

download http://NIESFBF3:52311/Uploads/222742f79f7edf03da98003ee57cc5c85e8902f0/McafeeAntiVirusV88.tmp
continue if {(size of it = 87406894 AND sha1 of it = "222742f79f7edf03da98003ee57cc5c85e8902f0") of file "McafeeAntiVirusV88.tmp" of folder "__Download"}
extract McafeeAntiVirusV88.tmp
wait __Download\SetupVSE.exe ADDLOCAL=ALL REMOVE=LotusNotesScan REMOVE=EmailScan /qn
wait __Download\FramePkg4.5\FramePkg_UPD.exe /INSTALL=AGENT /SILENT

I have to push down the agent again from the EPO server again in order for clients to report back.

Is there something else I can do?

Thanks for your attention to this matter.

Hon Wai

(imported comment written by amagewick91)

Have the agent do a “collect and send props”

This is what I use

-----------------ACTION-----------

if {exists file "C:\Program Files\McAfee\Common Framework\CmdAgent.exe"}
wait "C:\Program Files\McAfee\Common Framework\CmdAgent.exe" /P
endif

if {exists file "C:\Program Files\Network Associates\Common Framework\CmdAgent.exe"}
wait "C:\Program Files\Network Associates\Common Framework\CmdAgent.exe" /P
endif

if {exists file "C:\Program Files (x86)\McAfee\Common Framework\CmdAgent.exe"}
wait "C:\Program Files (x86)\McAfee\Common Framework\CmdAgent.exe" /P
endif

if {exists file "C:\Program Files (x86)\Network Associates\Common Framework\CmdAgent.exe"}
wait "C:\Program Files (x86)\Network Associates\Common Framework\CmdAgent.exe" /P
endif

We have ePO here, so if you need anything more advanced I may be able to help. Let me know!

(imported comment written by silverlining91)

Hi Amagewick,

Thanks for the advice. Added your actions to the existing codes. All my clients are still not reporting back to ePO server. I ran cmdagent.exe locally and the agent can connect to ePO server.

Can BigFix wake the installed McAfee ePO agent?

Thanks.

(imported comment written by amagewick91)

That is what the cmdagent.exe /P does.

I would personally create a fresh FramePkg.exe file out of ePO WITHOUT using credentials, and then push it through BigFix. See if your computers check back in!

Here are a few properties that you might like. They may not be the most optimal way of doing it… or maybe they are.


Services Mcafee Framework Disabled

exists service "McAfeeFramework" whose (start type of it = "disabled")

Services Mcafee Framework Service Running?

Exists running service "McAfeeFramework"

Installed McAfee VS87 Hotfix 517265?

if (exists value "Hotfix_517265" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\DesktopProtection\" of registry) then ("Yes" as string) else if not(exists value "Hotfix_517265" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\DesktopProtection\" of registry) then ("No" as string) else "N/A"

Version of McAfee ePO Agent

If exists file "c:\program files\mcafee\common framework\frminst.exe" then version of file "c:\program files\mcafee\common framework\frminst.exe" as string else if exists file "c:\program files\network associates\common framework\frminst.exe" then version of file "c:\program files\network associates\common framework\frminst.exe" as string else if exists file "c:\program files (x86)\mcafee\common framework\frminst.exe" then version of file "c:\program files (x86)\mcafee\common framework\frminst.exe" as string else if exists file "c:\program files (x86)\network associates\common framework\frminst.exe" then version of file "c:\program files (x86)\network associates\common framework\frminst.exe" as string else "N/I"

Version of MAS “McAfee Antispyware for VS87i”

if exists value "Version" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\ePolicy Orchestrator\Application Plugins\VSEMAS870000\" of registry then value "Version" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\ePolicy Orchestrator\Application Plugins\VSEMAS870000\" of registry as string else "N/I"

Version of SAE “Site Advisory Enterprise”

if exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus" of registry AND exists value "CurrentVersion" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry AND exists value "HotFixVersions" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry then ((value "CurrentVersion" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry) as string & " HF" & value "HotFixVersions" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry as string) else if not exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus" of registry then "N/I" else "Error"

Version of VirusScan

if (exists file "c:\program files\mcafee\virusscan enterprise\scan32.exe") then (version of file "c:\program files\mcafee\virusscan enterprise\scan32.exe" as string)
else if (exists file "c:\program files\network associates\virusscan enterprise\scan32.exe") then (version of file "c:\program files\network associates\virusscan enterprise\scan32.exe" as string)
else if (exists file "c:\program files (x86)\mcafee\virusscan enterprise\scan32.exe") then (version of file "c:\program files (x86)\mcafee\virusscan enterprise\scan32.exe" as string)
else if (exists file "c:\program files (x86)\network associates\virusscan enterprise\scan32.exe") then (version of file "c:\program files (x86)\network associates\virusscan enterprise\scan32.exe" as string)
else if (exists file "d:\program files\mcafee\virusscan enterprise\scan32.exe") then (version of file "d:\program files\mcafee\virusscan enterprise\scan32.exe" as string)
else if (exists file "d:\program files\network associates\virusscan enterprise\scan32.exe") then (version of file "d:\program files\network associates\virusscan enterprise\scan32.exe" as string)
else if (exists file "d:\program files (x86)\mcafee\virusscan enterprise\scan32.exe") then (version of file "d:\program files (x86)\mcafee\virusscan enterprise\scan32.exe" as string)
else if (exists file "d:\program files (x86)\network associates\virusscan enterprise\scan32.exe") then (version of file "d:\program files (x86)\network associates\virusscan enterprise\scan32.exe" as string)
else if (exists file "e:\program files\mcafee\virusscan enterprise\scan32.exe") then (version of file "e:\program files\mcafee\virusscan enterprise\scan32.exe" as string)
else if (exists file "e:\program files\network associates\virusscan enterprise\scan32.exe") then (version of file "e:\program files\network associates\virusscan enterprise\scan32.exe" as string)
else if (exists file "e:\program files (x86)\mcafee\virusscan enterprise\scan32.exe") then (version of file "e:\program files (x86)\mcafee\virusscan enterprise\scan32.exe" as string)
else if (exists file "e:\program files (x86)\network associates\virusscan enterprise\scan32.exe") then (version of file "e:\program files (x86)\network associates\virusscan enterprise\scan32.exe" as string)
else "N/I"

(imported comment written by SystemAdmin)

Mark Macherey

Here's an EPO analysis I put together. This may help.
This Analysis pulls data from the "C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\ServerSiteList.xml" file

Server Name
EPO Server Name
Server Short Name
Server IP Address
EPO Type
EPO Enabled
HTTP Site name
Update Type
FTP Site List
Version of Running FrameworkService
Version of Running McShield Service

The problem I see with this is the last 2 version info: if it's not running, it doesn’t get any data.

I also have several tasks to push out EPO, uninstall old EPO and reinstall new…

let me know if you would like them

Here is a new updated working link to the “McAfee EPO Analysis.bes”, I updated several fields and added some new ones…

I have 2 GUID fields to do some trouble shooting… you can remove any fields you like

(imported comment written by amagewick91)

Thanks for the repost :)

(imported comment written by silverlining91)

Thank you Mark and Amagewick for the solutions! I was away attending to some family matters.

McAfee EPO Analysis indicates those clients enabled or disabled epo agent.

I would love to have those tasks to push out, uninstall and reinstall epo agent.

Thanks in advance!

(imported comment written by SystemAdmin)

Hi Tony!

(imported comment written by SystemAdmin)

I thought I’d share our McAfee Versions (Windows) analysis. They’re simple one-liners that retrieve info from the registry. We don’t have legacy versions to contend with so they may be too simple for some to use, but here they are in case anyone is interested.

  • VirusScan DAT Date
  • VirusScan DAT Version
  • VirusScan Engine Version
  • HIP Version
  • HIP Content Version
  • HIP Patch Version
  • McAfee Agent
  • VirusScan Patch Version
  • VirusScan AntiSpyware Version
  • Has extra.dat
  • McAfee Running

(imported comment written by SystemAdmin)

rames, thanks for the analysis. It’s been helpful! Just thought I’d let you know… have a good week.

Dear Team

I am unable to open the forum .bes attachment file.
We are receiving the below error:

XML parsing error comment or processing instruction expected line

Please check the link:

https://www.ibm.com/developerworks/community/forums/html/threadTopic?id=77777777-0000-0000-0000-000014753933

Kindly Help

That’s a 4 year old post - not sure we can help you there.

A long shot as this is an old post: can you post the analysis please?

Here is the original post with some files attached: https://www.ibm.com/developerworks/community/forums/html/threadTopic?id=77777777-0000-0000-0000-000014753933

Also see this related post: McAfee AV/Encryption Detetction