Friday, May 16, 2014

McAfee Query Method

McAfee EPO 4.5 and 4.6 cannot easily create a report that shows an arbitrary list of computers. I often get asked to report on a list of servers or workstations that have no relationship to one another, for audit purposes.

You can create a direct SQL query against the backend database, but I found this strange method that works using VIM on Windows. Note: I have taught myself how to use VIM. It was not easy and has a huge learning curve. The hardest step was understanding how to change mode to exit the application. There are a lot of tutorials on the Internet, but don't be surprised to feel very uncomfortable for a long time.

Add this to the end of your _vimrc file (:e $HOME/_vimrc). I keep the same vimrc file uploaded to a network share and backed up.

<quote>
" Decode (action 0) or encode (action 1) the URL-style escapes McAfee uses in an
" exported query definition: space <-> +, " <-> %22, ( <-> %28, ) <-> %29.
" Works on the given range (default: current line).
function! McAfeeEntities(line1, line2, action)
  let search = @/                        " save the last search pattern
  let range = 'silent ' . a:line1 . ',' . a:line2
  if a:action == 0  " decode: %xx sequences back to literal characters
    execute range . 'sno/+/ /eg'
    execute range . 'sno/%22/"/eg'
    execute range . 'sno/%28/(/eg'
    execute range . 'sno/%29/)/eg'
  else              " encode: literal characters back to %xx sequences
    execute range . 'sno/ /+/eg'
    execute range . 'sno/"/%22/eg'
    execute range . 'sno/(/%28/eg'
    execute range . 'sno/)/%29/eg'
  endif
  nohl                                   " clear highlighting left by :s
  let @/ = search                        " restore the search pattern
endfunction
command! -range -nargs=1 MEntities call McAfeeEntities(<line1>, <line2>, <args>)
noremap <silent> \m :MEntities 0<CR>
noremap <silent> \M :MEntities 1<CR>
</quote>

Steps to modify a McAfee report.

  1. Create a dummy report that does whatever you need and have it filter by system name, matching 1-3 computers.
  2. Export the report in XML format
  3. Edit in vim
    1. Around line 8
    2. Press keystroke from the original mode: \m
      1. That rewrites the line, replacing each %28 with ( (and the other escapes likewise)
    3. Insert a return on the part starting with: ( eq EPOLeafNode.NodeName
    4. Insert a return near the end of the line: ) )</property>
    5. Delete the line with all the computernames
    6. Insert and paste list of computers
    7. Search and replace down to the line holding the last computer; in this example line 589 is the last computer
      1. :8,589s/^/( eq EPOLeafNode.NodeName "/g
      2. :8,589s/\n/" ) /g
    8. Enter insert mode at the beginning of line 8 and join it to line 7 with a delete
    9. Merge the end of the line with ) )</property>
    10. I found out that McAfee can handle the file without the correct %28 syntax. If necessary, you can use \M to reset the line to the way it was before. Be careful with the <property name="conditionURI"> tag: if it is on the same line it gets encoded too, producing wrong output like ++<property+name=%22conditionURI%22>, which will have to be fixed.
  4. Import into McAfee
  5. If you don't import that list of computer names into the system as empty records, your report will only show the items it found; follow the next step to fix that.
  6. Copy the list of computers into EPO using "New Systems" with the "
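The same edit done as a script, as an added example that is not part of the original post: it decodes the conditionURI value the way \m does, swaps the run of NodeName clauses (steps 3-9) for an arbitrary list of names, re-encodes like \M, and touches only the property value so the tag itself is never mangled (the step 10 caveat). The "where"/"or" wrapper in the sample export is an assumption; only the NodeName clause and the property tag come from the post.

```python
import re

# URL-style escapes inside the exported conditionURI value, mirroring the
# \m (decode) and \M (encode) Vim mappings above.
_ENCODE = {" ": "+", '"': "%22", "(": "%28", ")": "%29"}
_DECODE = {v: k for k, v in _ENCODE.items()}
_CLAUSE = re.compile(r'\( eq EPOLeafNode\.NodeName "[^"]*" \)')
_PROPERTY = re.compile(r'(<property name="conditionURI">)(.*?)(</property>)', re.S)


def decode_condition(text: str) -> str:
    """Like \\m: turn the encoded condition back into a readable one."""
    return re.sub(r"\+|%22|%28|%29", lambda m: _DECODE[m.group(0)], text)


def encode_condition(text: str) -> str:
    """Like \\M: encode a readable condition for the XML value."""
    return re.sub(r'[ "()]', lambda m: _ENCODE[m.group(0)], text)


def replace_nodename_filter(encoded: str, names: list[str]) -> str:
    """Swap the run of NodeName clauses (steps 3-9) for one clause per name."""
    decoded = decode_condition(encoded)
    hits = list(_CLAUSE.finditer(decoded))
    if not hits:
        raise ValueError("no EPOLeafNode.NodeName clause in condition")
    bad = [n for n in names if re.search(r'["\x00-\x1f]', n)]
    if bad:  # a quote or control character would break the clause quoting
        raise ValueError(f"unsafe system names: {bad}")
    new = " ".join(f'( eq EPOLeafNode.NodeName "{n}" )' for n in names)
    return encode_condition(decoded[:hits[0].start()] + new + decoded[hits[-1].end():])


def rewrite_export(xml_text: str, names: list[str]) -> str:
    """Rewrite only the property value, never the tags around it (step 10)."""
    def fix(m: re.Match) -> str:
        return m.group(1) + replace_nodename_filter(m.group(2), names) + m.group(3)
    new_text, count = _PROPERTY.subn(fix, xml_text)
    if count != 1:
        raise ValueError(f"expected one conditionURI property, found {count}")
    return new_text


# Constructed sample export: the "where"/"or" wrapper is an assumption; only the
# NodeName clause and the property tag are taken from the post.
SAMPLE_EXPORT = (
    '<property name="conditionURI">%28+where+%28+or+'
    '%28+eq+EPOLeafNode.NodeName+%22SRV01%22+%29+'
    '%28+eq+EPOLeafNode.NodeName+%22SRV02%22+%29+%29+%29</property>'
)
```

Run rewrite_export(open(path).read(), names) over the exported file and write the result back before importing it into EPO.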

Maybe McAfee EPO will fix their report system in the next iteration.