Mark Wilson's Blog

McAfee AntiVirus Enterprise/ePolicy Orchestrator tips and tricks

Over the last couple of months, I've been helping one of my clients to gain some control over their anti-virus infrastructure using McAfee VirusScan Enterprise and ePolicy Orchestrator (ePO).

I'm more used to Symantec AntiVirus Corporate Edition with its Symantec System Center Console, but ePO was easy enough to install (the installation wizard will install MDAC 2.7 if required, as well as MSDE if there is no SQL Server available). It seems a bit complex to start with, but once you get your head around how the ePO directory works (and how it can integrate with Active Directory) and the terminology (distributed repositories, rogue system detection sensors, notification rules, etc.), it actually seems like quite a good product, although the HTTP-based administration console can be a bit flaky at times and ePO maintains its own set of security principals, separate from Active Directory. The reporting capabilities seem pretty good too.

For anyone trying to get to grips with ePO, there is a whole heap of high-quality product documentation, but as a starting point, I recommend a look at the ePO quick reference card. Unfortunately I can't link all of the documentation here as you need to have purchased the product to access that part of the McAfee/Network Associates website but it is available for download if you have a valid grant number (having said that, some quick googling has turned up a copy of the English version of the quick reference card on the Danish McAfee site).

One thing that I found particularly confusing was the change in where the McAfee AntiVirus Enterprise product writes its log files, once the ePO agent is enabled. Ordinarily, McAfee AntiVirus Enterprise writes log files to %allusersprofile%\Application Data\Network Associates\VirusScan\ with the main files of interest being onaccessscan.txt (used by the VirusScan On-Access Scan), ondemandscan.txt (used by the VirusScan On-Demand Scan) and updatelog.txt (used for updates via the VirusScan console). Depending on the configuration, and the version of McAfee Enterprise in use there may also be other log files in existence (e.g. accessprotectionlog.txt, bufferoverflowprotectionlog.txt and emailondeliverylog.txt).

This all changes once the ePO agent is activated, as ePO stores its logs under %allusersprofile%\Application Data\Network Associates\Common Framework\. This folder contains a number of useful XML files, as well as mcscript.txt (which details script engine actions, such as processing updates) and updatehistory.ini (which includes details of configuration items such as the site last used for updates). Even more useful is a file in the \Db subfolder named agent_%computername%.xml. Formatted using frameworklog.xsl, this is the McAfee Agent Activity log, which shows policy enforcement actions along with links to four more files in the same directory: the current and previous framework service logs (agent_%computername%.log and agent_%computername%_backup.log) and the current and previous Network Associates product manager logs (prdmgr_%computername%.log and prdmgr_%computername%_backup.log).
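When a client misbehaves, the first job is usually to find out which of the log files above actually exist on the box and to pull them off for analysis. The script below is an added example, not something from the original post or from McAfee: it builds the list of log paths described above (the VirusScan folder, the Common Framework folder and its \Db subfolder, with %computername% substituted), reports which ones are present, and copies them into a single troubleshooting folder. The folder and file names come from the post; the function names, the output layout, and the build_sample_tree helper that creates a constructed sample layout for a dry run are assumptions of this example.

```python
"""Collect McAfee VirusScan Enterprise / ePO agent log files for troubleshooting.

Added example, not from the original post. Folder and file names are those the
post lists; the collector functions and the sample tree are assumptions.
"""
import os
import shutil
import socket
import tempfile
from pathlib import Path

# Logs written by VirusScan Enterprise before the ePO agent is enabled,
# relative to %allusersprofile%\Application Data\Network Associates\VirusScan.
# The last three only exist on some versions/configurations.
VIRUSSCAN_LOGS = (
    "onaccessscan.txt",
    "ondemandscan.txt",
    "updatelog.txt",
    "accessprotectionlog.txt",
    "bufferoverflowprotectionlog.txt",
    "emailondeliverylog.txt",
)

# Files under ...\Network Associates\Common Framework once the ePO agent is active.
FRAMEWORK_LOGS = ("mcscript.txt", "updatehistory.ini")

# Files under Common Framework\Db; {host} stands for %computername%.
AGENT_DB_LOGS = (
    "agent_{host}.xml",
    "agent_{host}.log",
    "agent_{host}_backup.log",
    "prdmgr_{host}.log",
    "prdmgr_{host}_backup.log",
)


def expected_log_paths(all_users_profile, computer_name):
    """Return every log path the post describes, under the given profile root."""
    base = Path(all_users_profile) / "Application Data" / "Network Associates"
    paths = [base / "VirusScan" / name for name in VIRUSSCAN_LOGS]
    paths += [base / "Common Framework" / name for name in FRAMEWORK_LOGS]
    paths += [base / "Common Framework" / "Db" / name.format(host=computer_name)
              for name in AGENT_DB_LOGS]
    return paths


def find_logs(all_users_profile, computer_name):
    """Return {path: size_in_bytes} for each expected log file that exists."""
    return {p: p.stat().st_size
            for p in expected_log_paths(all_users_profile, computer_name)
            if p.is_file()}


def collect_logs(all_users_profile, computer_name, dest_dir):
    """Copy each existing log into dest_dir and return the copied file names.

    The parent folder name is prefixed so VirusScan and Db logs cannot clash.
    """
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    copied = []
    for src in find_logs(all_users_profile, computer_name):
        target = dest / f"{src.parent.name}_{src.name}"
        shutil.copy2(src, target)  # copy2 keeps the original timestamps
        copied.append(target.name)
    return sorted(copied)


def build_sample_tree(root, computer_name):
    """Create a constructed sample layout (not real logs) for a dry run."""
    base = Path(root) / "Application Data" / "Network Associates"
    (base / "VirusScan").mkdir(parents=True, exist_ok=True)
    (base / "Common Framework" / "Db").mkdir(parents=True, exist_ok=True)
    (base / "VirusScan" / "onaccessscan.txt").write_text("sample on-access log\n")
    (base / "Common Framework" / "Db" / f"agent_{computer_name}.xml").write_text("<log/>\n")
    return base


if __name__ == "__main__":
    if os.name == "nt":
        profile = os.environ.get("ALLUSERSPROFILE", r"C:\Documents and Settings\All Users")
        host = os.environ.get("COMPUTERNAME", socket.gethostname())
    else:  # dry run against the constructed sample tree on non-Windows hosts
        profile = tempfile.mkdtemp()
        host = "WS01"
        build_sample_tree(profile, host)
    for path, size in find_logs(profile, host).items():
        print(f"{size:>10} {path}")
    print("copied:", collect_logs(profile, host, Path(profile) / "epo-logs"))
```

Run it as-is on a Windows client to list the logs present and copy them to an epo-logs folder under %allusersprofile%; on anything else it exercises the constructed sample tree so the logic can be checked before it is used on a real machine.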

Together, these logs are really useful for troubleshooting, for example when a badly out-of-date client wouldn't update because the latest anti-virus signature (.DAT) file didn't work with the version of the scan engine that was installed. One of my colleagues found a SuperDAT to solve that problem, but it was these logs which confirmed where the issue was.

Whilst on the subject of ePO, a few months back I blogged about adding policy pages to ePO.

So that's it, a few tips and tricks for anybody implementing a McAfee-based anti-virus management solution.

Published 04 August 2005 20:58 by mark.wilson


    Mark Wilson used to be a Senior Technical Consultant at Conchango, where his blog entries were based on personal opinions and experiences, were not read or approved before being published, and were provided in good faith.
    The names of actual companies and or products mentioned may be the trademarks of their respective owners.