Friday, May 16, 2014

McAfee Query Method

McAfee EPO 4.5 and 4.6 cannot easily create a report that shows a random list of computers.  I often get asked to report on a list of servers or workstations that have no relationship to one another for audit purposes.

You can create a direct SQL query against the backend database, but I found this strange method works using VIM on Windows.  Note: I taught myself how to use VIM. It was not easy and has a huge learning curve.  The hardest step was understanding how to change mode to exit the application.  There are a lot of tutorials on the Internet, but don't be surprised to feel very uncomfortable for a long time.

Add this to the end of your _vimrc file (:e $HOME/_vimrc).  I keep the same vimrc file uploaded to a network share and backed up.

" Escape/unescape & ( ) McAfee query definition entities in range (default current line).
function! McAfeeEntities(line1, line2, action)
  let search = @/
  let range = 'silent ' . a:line1 . ',' . a:line2
  if a:action == 0  " must convert &amp; last
    execute range . 'sno/+/ /eg'
    execute range . 'sno/%22/"/eg'
    execute range . 'sno/%28/(/eg'
    execute range . 'sno/%29/)/eg'
  else              " must convert & first
    execute range . 'sno/ /+/eg'
    execute range . 'sno/"/%22/eg'
    execute range . 'sno/(/%28/eg'
    execute range . 'sno/)/%29/eg'
  let @/ = search
command! -range -nargs=1 MEntities call McAfeeEntities(<line1>, <line2>, <args>)
noremap <silent> \m :MEntities 0<CR>
noremap <silent> \M :MEntities 1<CR>

Steps to modify a McAfee report:

  1. Create a dummy report that does whatever you need and have it filter by system name matching 1-3 computers.
  2. Export the report in XML format.
  3. Edit it in Vim:
    1. Go to around line 8.
    2. In normal mode, press: \m
      1. That decodes the line, replacing %28 with ( (and the other escapes with their literal characters).
    3. Insert a line break before the part starting with: ( eq EPOLeafNode.NodeName
    4. Insert a line break near the end of the line, before: ) )</property>
    5. Delete the line with all the computer names.
    6. Insert and paste your list of computers.
    7. Search and replace from line 8 to the end of the last computer; in this example 589 is the line of the last computer:
      1. :8,589s/^/( eq EPOLeafNode.NodeName "/g
      2. :8,589s/\n/" ) /g
    8. Go to the beginning of line 8 and merge it with line 7 by deleting the line break.
    9. Merge the end of the line with: ) )</property>
    10. I found out that McAfee can handle the file without the %28 encoding.  If necessary you can use \M to re-encode the line the way it was before.  Caution: the <property name="conditionURI"> tag gets encoded too, producing wrong output like ++<property+name=%22conditionURI%22>, and has to be fixed by hand.
  4. Import into McAfee.
  5. If you don't import that list of computer names into the system as empty records, your report will only show the items it found; follow the next step to fix that.
  6. Copy the list of computers into EPO using "New Systems" with the "
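The manual Vim procedure above as a script, added here and not part of the original post: it rebuilds the NodeName clauses inside the exported report's conditionURI property from a list of computer names, applying the same four substitutions as the \m and \M mappings but only to the property value, so the <property name="conditionURI"> tag itself is never re-encoded. The sample XML fragment is constructed; a real export contains many more properties and the exporter may encode more characters than these four.

```powershell
# Added example (not the blog's own code). The sample conditionURI value is constructed.

function ConvertFrom-EpoCondition([string]$Encoded) {
    # Mirrors \m: decode +, %22, %28 and %29 back to space, quote and parentheses.
    $Encoded.Replace('+', ' ').Replace('%22', '"').Replace('%28', '(').Replace('%29', ')')
}

function ConvertTo-EpoCondition([string]$Plain) {
    # Mirrors \M: re-encode the same four characters.
    $Plain.Replace(' ', '+').Replace('"', '%22').Replace('(', '%28').Replace(')', '%29')
}

function New-NodeNameClauses([string[]]$Names) {
    # One ( eq EPOLeafNode.NodeName "HOST" ) clause per computer, separated by spaces,
    # which is what the two :s commands in step 7 produce by hand.
    ($Names | ForEach-Object { '( eq EPOLeafNode.NodeName "{0}" )' -f $_.Trim() }) -join ' '
}

function Set-EpoNodeNameFilter {
    param([string]$Xml, [string[]]$Names)
    # Work on the property value only, never on the tag around it.
    $property = [regex]::Match($Xml, '(?s)<property name="conditionURI">(.*?)</property>')
    if (-not $property.Success) { throw 'No conditionURI property found in the export' }
    $value = $property.Groups[1]
    $plain = ConvertFrom-EpoCondition $value.Value
    # Replace the run of dummy host clauses from the 1-3 computer report with the real list.
    $clauseRun = '(\( eq EPOLeafNode\.NodeName "[^"]*" \)\s*)+'
    $replacement = ((New-NodeNameClauses $Names) + ' ').Replace('$', '$$')  # literal $ in names
    $plain = [regex]::Replace($plain, $clauseRun, $replacement)
    $Xml.Substring(0, $value.Index) + (ConvertTo-EpoCondition $plain) + $Xml.Substring($value.Index + $value.Length)
}

# Constructed sample: a two-computer dummy report as the export would carry it.
$sample = '<property name="conditionURI">%28+where+%28+or+%28+eq+EPOLeafNode.NodeName+%22DUMMY1%22+%29+%28+eq+EPOLeafNode.NodeName+%22DUMMY2%22+%29+%29+%29</property>'
Set-EpoNodeNameFilter -Xml $sample -Names 'SRV01', 'SRV02', 'WKS-117'

# Real use: one computer name per line in servers.txt, exported report in report.xml.
# Set-EpoNodeNameFilter -Xml (Get-Content .\report.xml -Raw) -Names (Get-Content .\servers.txt) |
#     Set-Content .\report-many.xml
```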

Maybe McAfee EPO will fix their report system in the next iteration.

Thursday, May 15, 2014

SCCM Client Health

This looked very helpful.

I am currently working on trying to come up with a process and methodology for SCCM Client Health. It seems to start with a good Asset Management strategy, which is not what SCCM 2007, at least, offers. CM12 should improve some Asset Management, but Asset Management seems to be a big-data solution for the problem of tracking information from multiple sources. First you need to include financial data from the purchase of equipment, then you need to track heartbeats for the objects from multiple sources. We are trying to use LDAP/Active Directory lastLogonTimestamp, McAfee Last Communication, and SCCM Heartbeats.

I'm just now starting to play with WMIDiag from Microsoft. I'm wondering if it would make sense to wrap WMIDiag.vbs in a DCM (Desired Configuration Management) baseline to report success, error, or warning based on its return code:

    0 = SUCCESS
    1 = ERROR
    2 = WARNING
    3 = Command Line Parameter errors
    4 = User Declined (Clicked the Cancel button when getting a consent prompt)


Tracking resource usage of WMI

By default the core WMI service lives in the shared Network Service instance of svchost.exe. This can make debugging or identifying resource issues a little challenging. As a general rule of thumb I run (and recommend to customers) that they keep WMI separated into its own instance of svchost.

On XP/Server 2003 this can be accomplished automatically via the following case sensitive command:

    RUNDLL32.EXE %Systemroot%\SYSTEM32\WBEM\WMISVC.DLL,MoveToAlone

For Vista and up this is done with

    winmgmt /standalonehost

WMI Troubleshooting Tips - System Center Configuration Manager Team Blog - Site Home - TechNet Blogs:
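A check to go with the advice quoted above, added here and not part of the TechNet post: after running MoveToAlone or winmgmt /standalonehost, list any other services that still share the winmgmt host process, so you can confirm WMI really ended up in its own svchost.exe.

```powershell
# Added example (not from the quoted post). Uses only the Win32_Service class.

function Get-WmiHostSharing {
    $wmi = Get-WmiObject Win32_Service -Filter "Name='winmgmt'"
    if ($wmi.State -ne 'Running') {
        throw "winmgmt is $($wmi.State); there is no host process to inspect"
    }
    # Every running service with the same ProcessId lives in the same svchost instance.
    $sharing = @(Get-WmiObject Win32_Service -Filter "ProcessId=$($wmi.ProcessId) AND Name<>'winmgmt'")
    New-Object PSObject -Property @{
        ProcessId  = $wmi.ProcessId
        Standalone = ($sharing.Count -eq 0)           # $true once WMI is alone
        SharedWith = ($sharing | ForEach-Object { $_.Name }) -join ', '
    }
}

Get-WmiHostSharing | Select-Object ProcessId, Standalone, SharedWith
```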

Wednesday, May 7, 2014

Using Netsh Commands Instead of Telnet to Test Firewall Connections

Every once in a while I need to validate that a firewall is either working or not working.  Prior to Win7 and Windows 2008 I would just use telnet to the name and port of the service I wanted to test.  Now I either need to create a change request to install it on a server or give up.

I may have found a cool tool built into Windows 2008 that can accomplish the same result: netsh

I knew this was a very powerful tool that allows network trace dumps without installing any 3rd-party tools on a server.  I started looking for a way that netsh could be used to open a connection and report whether or not the connection was successful.

Next time try running this command:

netsh trace diagnose scenario=internetclient namedAttribute url=
You can also add report=yes to have the tool automatically generate some configuration details into an ETL and CAB file for use with Microsoft Message Analyzer, but the information didn't seem especially helpful beyond the network capture it includes (capture=yes).

Successful response:

c:\>netsh trace diagnose scenario=internetclient namedAttribute url=
Diagnosing 'internetclient' ... done
Root causes found: 0

Failure response on a pingable device with HTTP access blocked:

c:\>netsh trace diagnose scenario=internetclient namedAttribute url=
Diagnosing 'internetclient' ... done
Root causes found: 1

Root cause #1
 website ( is online but isn't responding to connection attempts.

The remote computer isn't responding to connections on port 80, possibly due to
firewall or security policy settings, or because it might be temporarily unavail
able. Windows couldn't find any problems with the firewall on your computer.
Repairs available: 1

    Repair #1
    Contact the service provider or owner of the remote system for further assis
tance, or try again later

I did find one locked down server that failed with this error:

C:\>netsh trace diagnose scenario=internetclient namedAttribute url=
Diagnosing 'internetclient' ... done
 Network Diagnostics failed (error=0x80070511).

Netsh Commands for Network Trace in Windows Server 2008 R2 and Windows 7:

P.S. Possibly much easier:
try this PowerShell command; it works for me.
(new-object Net.Sockets.TcpClient).Connect("", 80)
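The TcpClient one-liner above, as an added example that is not part of the original post, wrapped so that a blocked port gives up after a timeout instead of waiting for the TCP retry limit, several ports can be checked in one call, and the result says whether the connection was refused or simply got no answer. The host name is a placeholder.

```powershell
# Added example (not the blog's own code). Host name below is a placeholder.

function Test-TcpPort {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][int[]]$Port,
        [int]$TimeoutMs = 3000
    )
    foreach ($p in $Port) {
        $client = New-Object Net.Sockets.TcpClient
        $open = $false
        $reason = $null
        try {
            # BeginConnect returns at once; WaitOne bounds how long we wait for the handshake.
            $async = $client.BeginConnect($ComputerName, $p, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($async)   # throws if the port refused (RST) or DNS failed
                $open = $true
            } else {
                # Silence is the typical signature of a drop rule or a host that is down.
                $reason = "no response within $TimeoutMs ms (filtered or host down)"
            }
        } catch {
            # A refusal means the host is up but nothing listens, or a firewall rejects.
            $inner = $_.Exception.InnerException
            $reason = if ($inner) { $inner.Message } else { $_.Exception.Message }
        } finally {
            $client.Close()
        }
        New-Object PSObject -Property @{
            ComputerName = $ComputerName; Port = $p; Open = $open; Reason = $reason
        } | Select-Object ComputerName, Port, Open, Reason
    }
}

# Check HTTP, HTTPS and SMB against one server in a single pass.
Test-TcpPort -ComputerName 'server01.example.local' -Port 80, 443, 445 | Format-Table -AutoSize
```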