Fixlet to check for an ePO agent

(imported comment written by SystemAdmin)

Hi Mark, yes that would be GREAT. I would love to have the tasks you have for pushing, installing etc. Thanks!

(imported comment written by SystemAdmin)

I just took the files in the Install directory for McAfee 8.7 and zipped them up to VSE870LMLRP3.zip. I also added the EPO agent in the same zip file.

Relevance:

(name of operating system as lowercase starts with "win" and (
if ((
if (exists key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry) then (value "szCurrentVersionNumber" of key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry as string)
else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry) then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry as string)
else if (exists key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry) then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry as string)
else "0.0.0") as version) < " then true else false))

Action1:

download http://software.bigfix.com/download/redist/unzip-5.52.exe
continue if {(size of it = 167936 and sha1 of it = "e1652b058195db3f5f754b7ab430652ae04a50b8") of file "unzip-5.52.exe" of folder "__download"}
prefetch VSE870LMLRP3.zip sha1:bf3df291769fe705b53b050495aa2b11d49c119b size:34173859 http://<SERVER>/shared/Component_Install/McAfee_Update/VSE870LMLRP3.zip
dos mkdir {name of drive of windows folder}\McAfee_Update
wait __download\unzip-5.52.exe -o -j __download\VSE870LMLRP3.zip -d {name of drive of windows folder}\McAfee_Update
wait {name of drive of windows folder}\McAfee_Update\SetupVSE.exe ADDLOCAL=ALL REMOVE=LotusNotesScan REMOVE=EmailScan /qn
wait {name of drive of windows folder}\McAfee_Update\FramePkg.exe /INSTALL=AGENT /SILENT
dos rmdir /S /Q {name of drive of windows folder}\McAfee_Update

Success Criteria:

(name of operating system as lowercase starts with "win" and (
if ((
if (exists key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry) then (value "szCurrentVersionNumber" of key "HKEY_LOCAL_MACHINE\Software\Network Associates\TVD\VirusScan" of registry as string)
else if (exists key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry) then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion" of registry as string)
else if (exists key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry) then (value "szProductVer" of key "HKEY_LOCAL_MACHINE\Software\McAfee\DesktopProtection" of registry as string)
else "0.0.0") as version) < " then true else false))

Keep in mind that your sha1 and size will be different…

(imported comment written by silverlining91)

Hi Mark,

I have used some of your action codes and was able to deploy both McAfee 8.8 and EPO agent to all my clients.

The problem here is the “M” icon does not appear on the taskbar of all my clients. This means the EPO agent is not able to report back to my EPO server.

Action code :

download http://NIESFBF3:52311/Uploads/222742f79f7edf03da98003ee57cc5c85e8902f0/McafeeAntiVirusV88.tmp


continue if {(size of it = 87406894 AND sha1 of it = "222742f79f7edf03da98003ee57cc5c85e8902f0") of file "McafeeAntiVirusV88.tmp" of folder "__Download"}


extract McafeeAntiVirusV88.tmp


wait __Download\SetupVSE.exe ADDLOCAL=ALL REMOVE=LotusNotesScan REMOVE=EmailScan /qn


wait __Download\FramePkg4.5\FramePkg_UPD.exe /INSTALL=AGENT /SILENT

I have to push down the agent again from the EPO server in order for clients to report back.

Is there something else I can do?

Thanks for your attention to this matter.

Hon Wai

(imported comment written by amagewick91)

Have the agent do a “collect and send props”

This is what I use

-----------------ACTION-----------

if {exists file "C:\Program Files\McAfee\Common Framework\CmdAgent.exe"}


wait "C:\Program Files\McAfee\Common Framework\CmdAgent.exe" /P


endif


if {exists file "C:\Program Files\Network Associates\Common Framework\CmdAgent.exe"}


wait "C:\Program Files\Network Associates\Common Framework\CmdAgent.exe" /P


endif


if {exists file "C:\Program Files (x86)\McAfee\Common Framework\CmdAgent.exe"}


wait "C:\Program Files (x86)\McAfee\Common Framework\CmdAgent.exe" /P


endif


if {exists file "C:\Program Files (x86)\Network Associates\Common Framework\CmdAgent.exe"}


wait "C:\Program Files (x86)\Network Associates\Common Framework\CmdAgent.exe" /P


endif

We have ePO here, so if you need anything more advanced I may be able to help. Let me know!

(imported comment written by silverlining91)

Hi Amagewick,

Thanks for the advice. Added your actions to the existing codes. All my clients are still not reporting back to ePO server. I ran cmdagent.exe locally and the agent can connect to ePO server.

Can BigFix wake the installed McAfee ePO agent?

Thanks.

(imported comment written by amagewick91)

That is what the cmdagent.exe /P does.

I would personally create a fresh FramePkg.exe file out of ePO WITHOUT using credentials, and then push it through BigFix. See if your computers check back in!

Here are a few properties that you might like. They may not be the most optimal way of doing it… or maybe they are.


Services Mcafee Framework Disabled

exists service "McAfeeFramework" whose (start type of it = "disabled")

Services Mcafee Framework Service Running?

Exists running service "McAfeeFramework"

Installed McAfee VS87 Hotfix 517265?

if (exists value "Hotfix_517265" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\DesktopProtection\" of registry) then ("Yes" as string) else if not(exists value "Hotfix_517265" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\DesktopProtection\" of registry) then ("No" as string) else "N/A"

Version of McAfee ePO Agent

If exists file "c:\program files\mcafee\common framework\frminst.exe" then version of file "c:\program files\mcafee\common framework\frminst.exe" as string else if exists file "c:\program files\network associates\common framework\frminst.exe" then version of file "c:\program files\network associates\common framework\frminst.exe" as string else if exists file "c:\program files (x86)\mcafee\common framework\frminst.exe" then version of file "c:\program files (x86)\mcafee\common framework\frminst.exe" as string else if exists file "c:\program files (x86)\network associates\common framework\frminst.exe" then version of file "c:\program files (x86)\network associates\common framework\frminst.exe" as string else "N/I"

Version of MAS “McAfee Antispyware for VS87i”

if exists value "Version" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\ePolicy Orchestrator\Application Plugins\VSEMAS870000\" of registry then value "Version" of keys "HKEY_LOCAL_MACHINE\Software\Mcafee\ePolicy Orchestrator\Application Plugins\VSEMAS870000\" of registry as string else "N/I"

Version of SAE “Site Advisory Enterprise”

if exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus" of registry AND exists value "CurrentVersion" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry AND exists value "HotFixVersions" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry then ((value "CurrentVersion" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry) as string & " HF" & value "HotFixVersions" of keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus\" of registry as string) else if not exists keys "HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\SiteAdvisor Enterprise Plus" of registry then "N/I" else "Error"

Version of VirusScan

if (exists file "c:\program files\mcafee\virusscan enterprise\scan32.exe") then (version of file "c:\program files\mcafee\virusscan enterprise\scan32.exe" as string) else if (exists file "c:\program files\network associates\virusscan enterprise\scan32.exe") then (version of file "c:\program files\network associates\virusscan enterprise\scan32.exe" as string) else if (exists file "c:\program files (x86)\mcafee\virusscan enterprise\scan32.exe") then (version of file "c:\program files (x86)\mcafee\virusscan enterprise\scan32.exe" as string) else if (exists file "c:\program files (x86)\network associates\virusscan enterprise\scan32.exe") then (version of file "c:\program files (x86)\network associates\virusscan enterprise\scan32.exe" as string) else if (exists file "d:\program files\mcafee\virusscan enterprise\scan32.exe") then (version of file "d:\program files\mcafee\virusscan enterprise\scan32.exe" as string) else if (exists file "d:\program files\network associates\virusscan enterprise\scan32.exe") then (version of file "d:\program files\network associates\virusscan enterprise\scan32.exe" as string) else if (exists file "d:\program files (x86)\mcafee\virusscan enterprise\scan32.exe") then (version of file "d:\program files (x86)\mcafee\virusscan enterprise\scan32.exe" as string) else if (exists file "d:\program files (x86)\network associates\virusscan enterprise\scan32.exe") then (version of file "d:\program files (x86)\network associates\virusscan enterprise\scan32.exe" as string) else if (exists file "e:\program files\mcafee\virusscan enterprise\scan32.exe") then (version of file "e:\program files\mcafee\virusscan enterprise\scan32.exe" as string) else if (exists file "e:\program files\network associates\virusscan enterprise\scan32.exe") then (version of file "e:\program files\network associates\virusscan enterprise\scan32.exe" as string) else if (exists file "e:\program files (x86)\mcafee\virusscan enterprise\scan32.exe") then (version of file "e:\program files (x86)\mcafee\virusscan enterprise\scan32.exe" as string) else if (exists file "e:\program files (x86)\network associates\virusscan enterprise\scan32.exe") then (version of file "e:\program files (x86)\network associates\virusscan enterprise\scan32.exe" as string) else "N/I"

(imported comment written by SystemAdmin)

Mark Macherey

Here's an EPO analysis I put together. This may help.
This Analysis pulls data from the "C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\ServerSiteList.xml" file

Server Name
EPO Server Name
Server Short Name
Server IP Address
EPO Type
EPO Enabled
HTTP Site name
Update Type
FTP Site List
Version of Running FrameworkService
Version of Running McShield Service

The problem I see with this is the last 2 version info: if it's not running, it doesn’t get any data.

I also have several tasks to push out EPO, uninstall old EPO and reinstall new…

Let me know if you would like them.

Here is a new updated working link to the “McAfee EPO Analysis.bes”, I updated several fields and added some new ones…

I have 2 GUID fields to do some trouble shooting… you can remove any fields you like

(imported comment written by amagewick91)

Thanks for the repost :)

(imported comment written by silverlining91)

Thank you Mark and Amagewick for the solutions! I was away attending to some family matters.

The McAfee EPO Analysis indicates which clients have the EPO agent enabled or disabled.

I would love to have those tasks to push out, uninstall and reinstall epo agent.

Thanks in advance!

(imported comment written by SystemAdmin)

Hi Tony!

(imported comment written by SystemAdmin)

I thought I’d share our McAfee Versions (Windows) analysis. They’re simple one-liners that retrieve info from the registry. We don’t have legacy versions to contend with, so they may be too simple for some to use, but here they are in case anyone is interested.

  • VirusScan DAT Date
  • VirusScan DAT Version
  • VirusScan Engine Version
  • HIP Version
  • HIP Content Version
  • HIP Patch Version
  • McAfee Agent
  • VirusScan Patch Version
  • VirusScan AntiSpyware Version
  • Has extra.dat
  • McAfee Running

(imported comment written by SystemAdmin)

rames, thanks for the analysis. It’s been helpful! Just thought I’d let you know… have a good week.

Dear Team

I am Unable to Open Forum .bes Attachment file
We are receiving below Error

XML parsing error comment or processing instruction expected line

Pls check link

https://www.ibm.com/developerworks/community/forums/html/threadTopic?id=77777777-0000-0000-0000-000014753933

Kindly Help

That’s a 4 year old post - not sure we can help you there.

a longshot as this is an old post, can you post the analysis pls ?

Here is the original post with some files attached: https://www.ibm.com/developerworks/community/forums/html/threadTopic?id=77777777-0000-0000-0000-000014753933

Also see this related post: McAfee AV/Encryption Detetction

We run multiple versions of the McAfee Agent. Our current property to gather “Agent Version” checks multiple registry locations, but McAfee seems to change the location with each new version of the Agent. I’m wondering if there is a more universal way to get this information. I’ve got the idea below, but it needs tweaking to return the correct information:

if (exists key whose (value "DisplayName" of it as string as lowercase contains "mcafee agent") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry) then (value "DisplayVersion" of (name of key whose (value "DisplayName" of it as string as lowercase contains "mcafee agent") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry) else ("N/A")

We use some similar session relevance for a “universal Symantec uninstaller”, and that works like this:

if {exists key whose (value "DisplayName" of it as string as lowercase contains "symantec endpoint protection") of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry}
waithidden "{pathname of system folder}\msiexec.exe" /qn REBOOT=ReallySuppress /x {name of key whose (value "DisplayName" of it as string as lowercase contains "symantec endpoint protection") of key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry}
endif

However, the McAfee Agent Property isn’t returning anything other than “N/A” for all my machines.

I looked at the other analysis linked in this thread and in the original post, but those are targeting specific file locations which McAfee tends to change frequently. I’d like a longer term solution that will continue to work no matter where McAfee stores files and no matter what key name they use in the registry.

Any help debugging would be appreciated!

Are you looking for just the ePO Agent, or are you looking for a specific product like Anti-Virus or HIPS?

Our other properties can identify DAT version, VSE engine version, etc. reliably.

Right now I’m only looking for help with a “universal” way to identify the McAfee ePO Agent version without having to update my property with every new Agent that they release. We currently capture the data with a long string of “if exists…else if…else if…” looking at many file locations and registry locations. It would be my preference to simplify the property such that it will capture the Agent version without regard to file location or registry location of any version.

Thanks!

I use the following relevance:

if (windows of operating system) then ((value "DisplayVersion" of it as string) of keys whose (value "DisplayName" of it as string is "McAfee Agent") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" of (x32 registries; x64 registries)) else ((substring after "<Version>" of substring before "</Version>" of it as string) of lines containing "<Version>" of file "config.xml" of folder whose (name of it starts with "EPOAGENT") of folders "/private/etc/cma.d")

For Mac and PC.

It looks like the issue in your relevance here:

if (exists key whose (value "DisplayName" of it as string as lowercase contains "mcafee agent") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry) then (value "DisplayVersion" of (name of key whose (value "DisplayName" of it as string as lowercase contains "mcafee agent") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" of registry) else ("N/A")

Is that you’re doing value "DisplayVersion" of (name of key: you’re getting value "DisplayVersion" of the name of the key instead of the key, and you’re only checking one registry (not both x86 and x64).

Give just the windows side of my analysis a shot:

(value "DisplayVersion" of it as string) of keys whose (value "DisplayName" of it as string is "McAfee Agent") of keys "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\" of (x32 registries; x64 registries)
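Added example (not posted by anyone in this thread): a PowerShell cross-check to run locally on an endpoint, so you can compare what the Uninstall keys actually hold against what the property reports. It reads "DisplayVersion" from the matching key itself and looks in both the 32-bit and 64-bit registry views, the two points made in the last reply. The function name Get-UninstallDisplayVersion is hypothetical.

```powershell
# Added example: enumerate the Uninstall keys in both registry views and
# return DisplayVersion for entries whose DisplayName matches exactly.
function Get-UninstallDisplayVersion {
    param(
        [Parameter(Mandatory)] [string] $DisplayName
    )

    $subPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

    # On a 32-bit OS a Registry64 request returns the 32-bit view again,
    # so only add the 64-bit view where it really exists (avoids duplicates).
    $views = @([Microsoft.Win32.RegistryView]::Registry32)
    if ([Environment]::Is64BitOperatingSystem) {
        $views += [Microsoft.Win32.RegistryView]::Registry64
    }

    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $view)
        try {
            $uninstall = $base.OpenSubKey($subPath)
            if ($null -eq $uninstall) { continue }

            foreach ($name in $uninstall.GetSubKeyNames()) {
                $key = $uninstall.OpenSubKey($name)
                if ($null -eq $key) { continue }

                # -eq is case-insensitive in PowerShell; use -ceq for an exact-case match.
                if ($key.GetValue('DisplayName') -eq $DisplayName) {
                    [pscustomobject]@{
                        View           = $view
                        KeyName        = $name   # the subkey name (often a GUID), not the version
                        DisplayVersion = $key.GetValue('DisplayVersion')
                    }
                }
                $key.Close()
            }
            $uninstall.Close()
        }
        finally {
            $base.Close()
        }
    }
}

$found = Get-UninstallDisplayVersion -DisplayName 'McAfee Agent'
if ($found) { $found | Format-Table -AutoSize } else { 'N/A' }
```

If this prints a version but the BigFix property still shows "N/A", the relevance is the problem; if it prints "N/A" too, the agent is not registered under that DisplayName on the machine.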