Tuesday, 26 April 2011

Deploying McAfee ePO agents v4.5 and VSE clients v8.7

Here are some useful tips for those who might need to deploy McAfee AV clients in an enterprise.

Note 1: On client side, the McAfee AV software is divided into 2 parts:

1. ePO agent is a management agent that talks to the ePO server and receives all configuration and updates from it.
2. VSE client is an AV scanner.

Note 2: McAfee policies are not cumulative, so whatever you configure in a parent policy, you will need to configure again in every child policy as they break inheritance. Keep this in mind when setting file and process exclusions.


Deploying AV clients:

The Active Directory computer discovery task scans Active Directory for new computers, mirrors the structure of the AD containers as shown in ADUC, and populates it with the newly detected systems. It then deploys the ePO agent to those systems (“Push agents to new systems when they are discovered”), configures the agent in accordance with the policies, and then installs the VSE client.

The problem with this is that the server attempts to install the ePO agent only at the initial discovery of a host in AD. If a newly discovered host is not online (available) at the time of discovery, the agent will not be installed and the server will never attempt to install it again. This behaviour causes many PCs and servers to run without AV protection.

There are several ways to ensure that all the PCs and servers are protected by McAfee AV client and here is one that works:

1. In the ePO console, under server tasks, create a new task
2. For the 1st action choose: Run Query
3. Click on the browse button and under “Select a query from the list”, switch to “Shared Groups”, scroll down to “System Management” and choose “Unmanaged Systems”.
This query will create a list of all unmanaged systems
4. Create a sub action and choose “Deploy McAfee Agent”, choose the version you want, enable “Force installation over existing version”
If a system already has an agent installed but is still showing as an unmanaged system, then something is wrong with that agent and you want to reinstall it.
5. Set the installation path and credentials that will be used for installation (it should be an admin account)
6. In “Number of Attempts” type 15, “Retry Interval” leave at 30 seconds, in “Abort After” enter 15 minutes
I tested agent deployment using the default values for “Number of Attempts” (0) and “Abort After” (5) and it turned out that the agent failed to install on some hosts. After increasing these values and rerunning the job on hosts where an installation previously failed, the agent installed successfully. This behaviour is probably conditioned by the number of selected clients, that is, the larger the number of clients the server is trying to serve the more time/attempts it takes.
7. Add another sub action, choose “Wake up Agents” and “Agent Wake-Up Call”, for “Number of Attempts” enter 5, for “Abort After” enter 10, enable “Get full product properties…” and “Force complete policy and task update”.
8. Schedule a test run and see how it performs under Server Task Log
It will tell you how long the task took to complete, how many systems it detected and it will provide a summary of completed/failed installations
9. Schedule the task to run once a day or as you wish


VSE client not receiving configuration:

After you have deployed the ePO agent and VSE client to a host, you might find that the client has not been configured. This could be very unpleasant, especially if you need to exclude critical files from scanning.

To confirm which policy is applied to a specific host, go to System Tree and search for the host, put a tick mark next to the host and click on Actions > Directory Management > View Effective Policy.

A good practice is to deploy the agent, wait for 24 hours or so, and then deploy the VSE client. This way, the agent should be able to contact the server and pull configuration.

If you install the VSE client and then find it hasn't been configured, run the cmdAgent.exe tool locally on the affected host. Open a CMD prompt with admin credentials, navigate to the default path “C:\Program Files\McAfee\Common Framework”, type cmdagent.exe /s and hit Enter.

Click on these buttons to force communication with the server:
- Collect and send props
- Check new policies
- Enforce policies
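
The same three actions can be run without the GUI, which helps when many hosts need the refresh. The script below is an added example, not part of the original post: /P, /C and /E are CmdAgent.exe's command-line switches for the three buttons above, while the function names, the “Program Files (x86)” fallback path and the pause length are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: run the three Agent Monitor actions from the command line.

function Find-CmdAgent {
    # Default path from the article, plus the 32-bit location on 64-bit
    # Windows (the second path is an assumption, not from the article).
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in $roots) {
        $exe = Join-Path $root 'McAfee\Common Framework\CmdAgent.exe'
        if (Test-Path -LiteralPath $exe) { return $exe }
    }
    throw 'CmdAgent.exe not found; the ePO agent may not be installed on this host.'
}

function Invoke-AgentRefresh {
    param([int]$PauseSeconds = 10)   # assumed pause so each step can finish

    $exe = Find-CmdAgent
    # Same order as the button list above.
    $steps = @(
        @{ Flag = '/P'; Name = 'Collect and send props' },
        @{ Flag = '/C'; Name = 'Check new policies' },
        @{ Flag = '/E'; Name = 'Enforce policies' }
    )
    foreach ($step in $steps) {
        $proc = Start-Process -FilePath $exe -ArgumentList $step.Flag -Wait -PassThru
        # The exit code is reported as-is; no meaning is assigned to it here.
        [pscustomobject]@{
            Host     = $env:COMPUTERNAME
            Action   = $step.Name
            Flag     = $step.Flag
            ExitCode = $proc.ExitCode
        }
        Start-Sleep -Seconds $PauseSeconds
    }
}

Invoke-AgentRefresh | Format-Table -AutoSize
```

Afterwards, confirm the result in the ePO console with View Effective Policy as described above.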


If this did not help, you might want to check for updates. In my case, we had to install a patch v4, including:

Name: VirusScan Enterprise 8.7
Version: 8.7.0.195

Name: VirusScan Enterprise Reports
Version: 1.1.0.154

The patch finally fixed the issue and all the clients were configured properly.
