
SMS and McAfee

Status
Not open for further replies.

Mich

IS-IT--Management
Dec 26, 2000
452
US
Does anyone know of a way to use SMS2003 to see which computers do not have the latest McAfee update? I've looked everywhere and can't find an entry in a SQL table that records this information. I've looked for this information on the application level and the file level, but I'm sure I've overlooked something.

Thanks in advance,
Mick
 
To clarify - I want to see what dat they have.
 
Thought this was quite useful for us to do too. So I had a look, and as you said, there appears to be nothing in SMS to denote the anti virus. I found a way around the problem, though. Each time the anti virus updates, the file SDATPACK.LST changes and so does the date modified (the contents include the virus definition number). If you configure Software Inventory Client Agent to collect this file and then create the following query:

select SMS_R_System.NetbiosName, SMS_G_System_CollectedFile.FilePath, SMS_G_System_CollectedFile.ModifiedDate
from SMS_R_System
inner join SMS_G_System_CollectedFile on SMS_G_System_CollectedFile.ResourceID = SMS_R_System.ResourceId
where SMS_G_System_CollectedFile.FilePath = "C:\\Program Files\\Network Associates\\VirusScan\\SDATPACK.LST"
order by SMS_R_System.NetbiosName

Then you will be able to compare the date the file was modified. OK not exactly comparing the version of the DAT but each new version will have a new modified date, thus if some machines have an older date then they must have an older DAT version.

This is the only way I could see around the problem, and have already located a couple of PCs on our network which require updating.



Master of Disaster.....Recovery
 
I see what you're doing there. It's a shame that we have to back door this. There should be a much easier way to do this than have to refer to the mod date. Another file that can be collected is c:\Program Files\Common Files\Network Associates\Engine\clean.dat. For whatever reason (version 7.1?) I don't have the sdatpack.lst file.

Thanks a bunch,
Mick
 
Quite curious as to what tool you use to update your .dat file on the outdated machines once they've been discovered. Was it SMS? Or is there an available option in the McAfee Admin console to push out the updated .dat file to all machines running the McAfee utility?

Thanks,
Matt
 
We have configured the machines to update the AV each time a user logs onto the machine. The guy I work with tried getting the AV Admin Console to work but he had loads of problems with it. From the query I ran through SMS, the solution he found worked quite well, as long as the PC is regularly used. Therefore, to update the outdated machines I just log on to them.

Master of Disaster.....Recovery
 
There is a value in HKEY_LOCAL_MACHINE\SOFTWARE\Network Associates\TVD\VirusScan Enterprise\CurrentVersion called szVirDefVer. How do I collect that information and report on it using SMS?

 
Hey,
I think collecting on a registry key, preferably with a registry provider, would require you to edit the SMS_def.mof file. Whether you're using the advanced or standard client will dictate how easily that can be done. Unfortunately the advanced client requires the sms_def.mof file to be compiled locally on the machine. So you really just need to set up a script to compile it on the machines.

I would be interested to find out how exactly this is scripted. Thanks in advance.

-Matt
 
Add the following to your sms_def.mof file to get the McAfee information into your WMI:

//-----------------------------
//McAfee definition files
//-----------------------------


#pragma namespace("\\\\.\\root\\cimv2")

#pragma deleteclass("McAfee", NOFAIL)

[DYNPROPS]
class McAfee
{
[key] string KeyName="";
string szProductVer;
string szVirDefVer;
string szEngineVer;
string szVirDefDate;
};

////////
// Declare the instance
////////

[DYNPROPS]
instance of McAfee
{
KeyName="McAfee";
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\VirusScan Enterprise\\CurrentVersion|szProductVer"),
Dynamic, Provider("RegPropProv")] szProductVer;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\Shared Components\\VirusScan Engine\\4.0.xx|szVirDefVer"),
Dynamic, Provider("RegPropProv")] szVirDefVer;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\Shared Components\\VirusScan Engine\\4.0.xx|szEngineVer"),
Dynamic, Provider("RegPropProv")] szEngineVer;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\Shared Components\\VirusScan Engine\\4.0.xx|szVirDefDate"),
Dynamic, Provider("RegPropProv")] szVirDefDate;
};


////////
// Change to the CIMV2\SMS Namespace and declare the Reporting Class
////////

#pragma namespace("\\\\.\\root\\cimv2\\SMS")

[SMS_Report(TRUE),
SMS_Group_Name("McAfee Virus Scan"),
SMS_Class_ID("MICROSOFT|McAfee|1.0")]
class McAfee : SMS_Class_Template
{
[SMS_Report(TRUE),key]
string KeyName;
[SMS_Report(TRUE)]
string szProductVer;
[SMS_Report(TRUE)]
string szVirDefVer;
[SMS_Report(TRUE)]
string szEngineVer;
[SMS_Report(TRUE)]
string szVirDefDate;
};


The keys may be different based on the version of McAfee you're running. You'll need to compile the MOF before verifying that data is on your WMI.

Now it's just a matter of getting the information from the WMI to the SQL table(s)...
 
Has anyone succeeded in modifying the SMS_DEF.mof for the McAfee DAT versions yet? The edit in this post is not correct for 2003. I believe it was first designed for 2.0. I keep receiving errors in the inventory logs that this "Query" fails.

I believe there is a step missing where we have to register the WMI object to inventory it properly.

Help here is greatly appreciated.
 
C'mon Gurus!!! Let's try to help out the crowd! This is one of those things most admins need in SMS2003. We have to follow our clients and their DAT versions clearly.

Has anyone succeeded here?
 
THIS IS IT!!
I was able to successfully find enough documentation and suggestions to get this to finally work. I modified the SMS_DEF.MOF with the following. It will enumerate all versions of McAfee on your clients.

All advanced clients MUST compile this locally for it to work. It can be done by running the command mofcomp path\sms_def.mof on the advanced clients. This can be accomplished through a package.

This addition comes from the Monster.MOF. Insert it at the end of your SMS_DEF.mof file on your server. Remember to compile the sms_def.mof on your clients.

[blue]
//`'`*._.*`'`*-
// Note: This class uses the registry property provider, which requires the class to be
// "removed" via the deleteclass command prior to changing the class structure.
// Note: This class contains multiple instances. This allows data for legacy, 4.5, and
// NetShield McAfee versions to report in a single class.
//`'`*._.*`'`*-

//`'`*._.*`'`*-
// McAfee Data Class
//`'`*._.*`'`*-

#pragma namespace("\\\\.\\root\\cimv2")
#pragma deleteclass("McAfee", NOFAIL)

[DYNPROPS]
class McAfee
{
[key] string KeyName="";
string szCurrentVersionNumber;
string szDatVersion;
string szEngineVer;
string szDatDate;
};

//`'`*._.*`'`*-
// Instance of McAfee for Version 4.5
//`'`*._.*`'`*-

[DYNPROPS]
instance of McAfee
{
KeyName="McAfee 4.5";
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\VirusScan|szCurrentVersionNumber"),
Dynamic, Provider("RegPropProv")] szCurrentVersionNumber;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\Shared Components\\VirusScan Engine\\4.0.xx|szDatVersion"),
Dynamic, Provider("RegPropProv")] szDatVersion;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\Shared Components\\VirusScan Engine\\4.0.xx|szEngineVer"),
Dynamic, Provider("RegPropProv")] szEngineVer;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\Shared Components\\VirusScan Engine\\4.0.xx|szDatDate"),
Dynamic, Provider("RegPropProv")] szDatDate;
};

//`'`*._.*`'`*-
// Instance of McAfee for Version 4.03 and older...
//`'`*._.*`'`*-

[DYNPROPS]
instance of McAfee
{
KeyName="McAfee Legacy";
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\VirusScan|szProductVer"),
Dynamic, Provider("RegPropProv")] szCurrentVersionNumber;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\VirusScan|szVirDefVer"),
Dynamic, Provider("RegPropProv")] szDatVersion;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\VirusScan|szEngineVer"),
Dynamic, Provider("RegPropProv")] szEngineVer;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\McAfee\\VirusScan|szVirDefDate"),
Dynamic, Provider("RegPropProv")] szDatDate;
};

//`'`*._.*`'`*-
// Instance of McAfee for 4.5 Server (NetShield)
//`'`*._.*`'`*-

[DYNPROPS]
instance of McAfee
{
KeyName="McAfee Server (NetShield)";
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\NetShield NT\\CurrentVersion|szProductVer"),
Dynamic, Provider("RegPropProv")] szCurrentVersionNumber;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\NetShield NT\\CurrentVersion|szVirDefVer"),
Dynamic, Provider("RegPropProv")] szDatVersion;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\NetShield NT\\CurrentVersion|szEngineVer"),
Dynamic, Provider("RegPropProv")] szEngineVer;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\NetShield NT\\CurrentVersion|szVirDefDate"),
Dynamic, Provider("RegPropProv")] szDatDate;
};

//`'`*._.*`'`*-
// Instance of McAfee for Enterprise 7.0
//`'`*._.*`'`*-

[DYNPROPS]
instance of McAfee
{
KeyName="McAfee Enterprise 7.0";
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\VirusScan Enterprise\\CurrentVersion|szProductVer"),
Dynamic, Provider("RegPropProv")] szCurrentVersionNumber;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\VirusScan Enterprise\\CurrentVersion|szVirDefVer"),
Dynamic, Provider("RegPropProv")] szDatVersion;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\VirusScan Enterprise\\CurrentVersion|szEngineVer"),
Dynamic, Provider("RegPropProv")] szEngineVer;
[PropertyContext("local|HKEY_LOCAL_MACHINE\\SOFTWARE\\Network Associates\\TVD\\VirusScan Enterprise\\CurrentVersion|szVirDefDate"),
Dynamic, Provider("RegPropProv")] szDatDate;
};

//`'`*._.*`'`*-
// Reporting Class for McAfee
//`'`*._.*`'`*-

#pragma namespace("\\\\.\\root\\cimv2\\SMS")
#pragma deleteclass("McAfee", NOFAIL)

[SMS_Report(TRUE), SMS_Group_Name("McAfee Virus Scan"), SMS_Class_ID("MICROSOFT|McAfee|1.0")]
class McAfee : SMS_Class_Template
{
[SMS_Report(TRUE),key] string KeyName;
[SMS_Report(TRUE) ] string szCurrentVersionNumber;
[SMS_Report(TRUE) ] string szDatVersion;
[SMS_Report(TRUE) ] string szEngineVer;
[SMS_Report(TRUE) ] string szDatDate;
};

// <:[-<>>>>>>>>>>>>>>>>END>>-Network Associates/McAfee Anti-Virus-<<END<<<<<<<<<<<<<<>-]:>

[/blue]

Happy Days!

Karactur
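
Added example (not part of the thread or of Monster.MOF): the class above yields one row per McAfee instance per machine, so a report has to skip the empty instances before comparing DAT versions. This sketch triages exported rows into current, stale and unreported clients; the row layout, hostnames and version strings are constructed assumptions, and "unreported" is where advanced clients that never compiled the MOF would show up.

```python
# Constructed sample rows shaped like the reporting class above:
# (NetbiosName, KeyName, szDatVersion). Hostnames and versions are made up.
ROWS = [
    ("PC-001", "McAfee Enterprise 7.0", "4.0.4400"),
    ("PC-001", "McAfee Legacy", ""),                  # product not installed
    ("PC-002", "McAfee Enterprise 7.0", "4.0.4392"),
    ("PC-002", "McAfee 4.5", None),
    ("SRV-01", "McAfee Server (NetShield)", "4.0.4400"),
    ("PC-003", "McAfee 4.5", "4.0.4350"),
    ("PC-004", "McAfee Legacy", ""),                  # every instance empty
    ("PC-005", "McAfee Enterprise 7.0", "unknown"),   # unparseable value
]
# Constructed list of every client that should report; PC-006 returned no rows.
ALL_CLIENTS = ["PC-001", "PC-002", "PC-003", "PC-004", "PC-005", "PC-006", "SRV-01"]


def parse_version(text):
    """Turn '4.0.4400' into (4, 0, 4400); None for empty or malformed values."""
    if not text or not text.strip():
        return None
    try:
        return tuple(int(part) for part in text.strip().split("."))
    except ValueError:
        return None


def triage(rows, all_clients, baseline=None):
    """Classify clients against a baseline DAT (default: newest one seen)."""
    best = {}
    for host, _key_name, dat in rows:
        ver = parse_version(dat)
        # Keep the highest populated instance per machine, ignore empty ones.
        if ver is not None and (host not in best or ver > best[host]):
            best[host] = ver
    target = parse_version(baseline) or (max(best.values()) if best else None)
    report = {"target": target, "current": [], "stale": [], "unreported": []}
    for host in sorted(all_clients):
        if host not in best:
            report["unreported"].append(host)   # no usable inventory data
        elif best[host] < target:
            report["stale"].append(host)
        else:
            report["current"].append(host)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(ROWS, ALL_CLIENTS).items():
        print(bucket, hosts)
```

Treat the unreported bucket as an open finding rather than a pass: a machine with no DAT value may have no scanner, a failed inventory cycle, or an uncompiled MOF.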
 
I know I'm digging kinda deep here, but have any of you used the McAfee EPO server? Works great here for all our antivirus needs. It'll run just about any kind of report that you'd need to know about your network as far as antivirus goes.

J
 