Detection of McAfee VirusScan 8.8

  • Question

  • Hi,

    it seems that the latest version of the McAfee VirusScan (8.8) is not correctly detected by the UAG endpoint detection. Will it be supported in one of the next updates?

    Best regards

    Thomas

    Tuesday, March 22, 2011 10:43 PM

Answers

  • Hi,

    o.k., problem is fixed after activating the Win XP Security Center through Domain Policies.

    Best regards

    Thomas

    Wednesday, April 6, 2011 8:23 AM

All replies

  • Hi Thomas. In the meantime you could use WMI detection. That should work even though there is no specific detection for that product.

    P.S: Could you take a look at http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/69ad0f78-c4a6-43a0-ac3b-829f48aec089

    Thanks and regards


    // Raúl - I love this game
    Wednesday, March 23, 2011 12:59 PM
  • Hi Raul,

    hm, I have also thought about this as this should work for all kinds of AV software. Obviously it is not in conjunction with McAfee 8.8. We also need to detect specifically McAfee in one case (I also have another customer who also has McAfee and he could live with Any_WMI_Antivirus but this seems not to work either, maybe there is no clean Security Center integration, I have not had a deeper look into it yet).

    Best regards,

    Thomas

    Wednesday, March 23, 2011 4:27 PM
  • Hi again. I can hardly remember now how I did it (it was with IAG some versions ago) but as well as the Any_WMI there were some variables called like AV_WMI_Name2, AV_WMI_Name2... that could be used in case you are looking for a specific AV vendor. These variables can be used in a policy/expression created "as script". Obviously, the security center must recognize the antivirus for this to work. P.S: I asked to take a look at another post that has nothing to do with AV but with LDAP queries for certificate management with special characters in the DistinguishedName. I am fighting against that now. Regards
    // Raúl - I love this game
    • Edited by RMoros Wednesday, March 23, 2011 4:56 PM typo
    Wednesday, March 23, 2011 4:55 PM
  • Funny, after removing the client from the domain the security center detected McAfee 8.8 correctly and UAG also could detect it.

    Best regards

    Thomas 

    Monday, March 28, 2011 2:44 PM
  • Hi,

    o.k., problem is fixed after activating the Win XP Security Center through Domain Policies.

    Best regards

    Thomas

    Wednesday, April 6, 2011 8:23 AM
  • Hi,

    This is ok for the UAG but it's not working within IAG.

    Any suggestions for IAG (worked fine with VSE8.7)?

    Update: The IAG Policy Parameter 'AV_McAfee_LastUpdate' which is included in our policy is set to '0' within VSE 8.8.0 and has the actual value '40683 ' when VSE 8.70 is installed. This causes the policy to fail.

    Regards,

    Chris

     


    Friday, May 20, 2011 8:42 AM
  • Contrary to Chris-HH's statement above, I find that enabling the Windows XP Security Center does allow endpoint detection to work with McAfee Virus Scan Enterprise v8.8.  (This works for both IAG and UAG - both patched to latest versions as of today's date)

    We rather want to leave the security center switched off though so I may have to write a custom detection script for VScan 8.8 instead *sigh*

    Friday, September 2, 2011 3:59 PM
  • Hi Amig@. That is true. The endpoint detection is not a universal "software seeker" component. For every single component it is able to detect, there is a routine that checks the existence of certain files, registry keys, installation paths, processes running in memory... So, the detection of McAfee 8.3 is specific for McAfee 8.3 and is not valid for McAfee 8.8. This is generally true unless the developer of the application follows a common standard for "installing" the applications (if there is a registry key that holds the version that could be valid for any version of the product, but that is not the case for McAfee). WMI detection is more "universal" in that sense as the software developer configures the product to register itself under a certain branch of the WMI namespace so there is no need to check the individual product, just launch a WMI query. Obviously, it is up to the software vendor to register the product in WMI so it appears in the Security Center.

    Hope it helps


    // Raúl - I love this game
    Monday, September 5, 2011 8:53 AM
  • Thanks Raul I am aware of that.  It appears that querying the WMI only works if the Windows Security Centre is switched on.  This doesn't sound right to me, why should WMI integration rely on the security centre?

    It appears that in order to get it working without the security centre I must write my own script to query the registry etc to get this specific version recognised by endpoint detection.

    Monday, September 5, 2011 9:20 AM
  • Hi again. I think (and from that point on this is my personal point of view) that at some point in time the registration of the security products changed and it is not allowed anymore to write directly to the WMI namespace and it has to be done through an API. I guess this has to do with security requirements so that not everyone can register a "fake" security product. As far as I know this API is not public and it is only provided to software vendors that comply with certain criteria. For the registration to succeed the security center must be up and running and that would explain why UAG cannot retrieve the information from the security center if it is not running. Anyway, this has nothing to do with UAG itself, it is a restriction imposed by the operating system.

    Regards


    // Raúl - I love this game
    Monday, September 5, 2011 9:37 AM
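
To see on an endpoint what the posts above describe, the following added PowerShell check (not part of the original thread and not UAG/IAG code) reports the state of the Security Center service together with the antivirus products currently registered in WMI. The namespaces `root\SecurityCenter` (Windows XP) and `root\SecurityCenter2` (Vista and later), the `AntiVirusProduct` class and the `wscsvc` service name are not mentioned in the thread; they are the standard Windows locations, and the function name is hypothetical.

```powershell
# Added example, not from the thread. Reports the Security Center service
# state and the antivirus products currently registered in WMI.
function Get-RegisteredAntivirus {
    # wscsvc is the Windows Security Center service.
    $svc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
    $svcState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    $found = @()
    # root\SecurityCenter exists on Windows XP, root\SecurityCenter2 on Vista and later.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        try {
            $products = @(Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop)
        } catch {
            continue   # namespace absent on this OS version, or not readable
        }
        foreach ($p in $products) {
            $found += New-Object PSObject -Property @{
                Namespace    = $ns
                DisplayName  = $p.displayName
                Version      = $p.versionNumber     # populated in the XP namespace only
                UpToDate     = $p.productUptoDate   # populated in the XP namespace only
                ProductState = $p.productState      # populated in SecurityCenter2 only
                ServiceState = $svcState
            }
        }
    }

    if ($found.Count -eq 0) {
        # No instance registered: a WMI-based antivirus check has nothing to read.
        $found += New-Object PSObject -Property @{
            Namespace    = $null
            DisplayName  = '(no AntiVirusProduct instance registered)'
            ServiceState = $svcState
        }
    }
    $found
}

Get-RegisteredAntivirus |
    Format-Table Namespace, DisplayName, Version, UpToDate, ProductState, ServiceState -AutoSize
```

Running it once with the Security Center disabled by policy and once with it enabled shows whether the product registration appears only in the second case.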
  • Thank you Raul, that does make sense.  I may just get the Security Centre re-enabled in our environment, it'll save me time!
    Monday, September 5, 2011 9:51 AM
  • Glad to help
    // Raúl - I love this game
    Monday, September 5, 2011 10:08 AM
  • Hi Erin and Raul,

     

    enabling the Security Center is what we did as well. In addition we changed the policy settings from checking 'AV_McAfee_LastUpdate' to 'AV_McAfee_UpToDate'.

    So everything is working fine and should continue working unless ... ;-)

    Tuesday, September 6, 2011 11:22 AM
  • Thanks for that Chris, I'll probably end up using that too.

    For anyone else coming new to this thread, the following links at McAfee are relevant too;
    KB72585 - https://kc.mcafee.com/corporate/index?page=content&id=KB72585 - Microsoft Intelligent Application Gateway 2007 reports No Antivirus Installed even when VirusScan is present
    KB55215 - https://kc.mcafee.com/corporate/index?page=content&id=KB55215 - Windows Security Center reports No Antivirus Installed (after installing VSE 8.x)

    Tuesday, September 6, 2011 11:34 AM
  • Thanks for the update. It confirms our thoughts.


    // Raúl - I love this game
    Tuesday, September 6, 2011 4:11 PM