Cadet 3rd Class

Logs on ePO which capture installed version on endpoints

Hi, we have a customer requirement to create an alert for all systems on which McAfee ePO is not updated or the DAT file installed is not the latest.

Currently, we are only getting virusscan module logs from ePO. Is it somehow possible to capture additional logs from McAfee ePO which might get the antivirus version installed on the endpoints and help in creating the required alert?

1 Reply
Cadet 1st Class

Within the ePO db connector you can add several different "Event Types" for the connector to pull from your ePO db. We are currently pulling the following in our environment: virusscan, hips, rsd, dlp, solidcore, endpointsecurity

If you are just interested in the DAT version then you will want to add "virusscan" to your Event Types on your connector. Then you can search for these logs in your Logger or ESM using the following search:

deviceVendor = "McAfee" AND deviceVersion = "virusscan*"

The field that contains the DAT number is deviceCustomString6
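The following is an added example, not code from the thread above or from the ePO connector: it applies the same selection the search does (vendor McAfee, deviceVersion starting with "virusscan"), reads the DAT number from deviceCustomString6, keeps the newest report per endpoint, and then lists endpoints whose DAT lags behind the newest DAT seen across the fleet. It assumes events are available as CEF lines where the header carries deviceVendor / deviceProduct / deviceVersion and the extension keys `cs6`, `dvchost` and `rt` map to deviceCustomString6, deviceHostName and receipt time; the sample events are constructed for illustration and are not real ePO output.

```python
"""Offline check for out-of-date DAT versions from ePO virusscan events.

Added example (not from the original thread). Assumptions:
  - events are CEF lines; header = CEF:Version|Vendor|Product|Version|SigID|Name|Severity|Extension
  - extension keys: cs6 -> deviceCustomString6 (DAT number), dvchost -> endpoint
    host name, rt -> receipt time (here a plain integer for simplicity)
"""
import re

# Constructed sample events for illustration only (not real ePO output).
SAMPLE_EVENTS = [
    "CEF:0|McAfee|ePolicy Orchestrator|virusscan-8.8|1027|DAT update|2|dvchost=ws-001 rt=1 cs6Label=DATVersion cs6=9862",
    "CEF:0|McAfee|ePolicy Orchestrator|virusscan-8.8|1027|DAT update|2|dvchost=ws-002 rt=2 cs6Label=DATVersion cs6=9860",
    "CEF:0|McAfee|ePolicy Orchestrator|hips-8.0|18000|HIPS event|3|dvchost=ws-001 rt=3 cs6=ignored",
    "CEF:0|McAfee|ePolicy Orchestrator|virusscan-8.8|1027|DAT update|2|dvchost=ws-003 rt=4 cs6Label=DATVersion cs6=9855",
    "CEF:0|McAfee|ePolicy Orchestrator|virusscan-8.8|1027|DAT update|2|dvchost=ws-002 rt=5 cs6Label=DATVersion cs6=9862",
]


def parse_cef(line):
    """Split a CEF line into its header fields and a dict of extension key=value pairs.

    Values containing escaped spaces are not handled; the constructed samples have none.
    """
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    extension = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {
        "deviceVendor": parts[1],
        "deviceProduct": parts[2],
        "deviceVersion": parts[3],
        "name": parts[5],
        "ext": extension,
    }


def matches_search(event):
    """Equivalent of the search: deviceVendor = "McAfee" AND deviceVersion = "virusscan*"."""
    return event["deviceVendor"] == "McAfee" and event["deviceVersion"].startswith("virusscan")


def latest_dat_per_host(lines):
    """Return {host: DAT number}, keeping only each endpoint's newest report (by rt)."""
    newest = {}  # host -> (rt, dat)
    for line in lines:
        event = parse_cef(line)
        if event is None or not matches_search(event):
            continue
        host = event["ext"].get("dvchost")
        dat = event["ext"].get("cs6")  # deviceCustomString6 holds the DAT number
        rt = int(event["ext"].get("rt", 0))
        if not host or not dat or not dat.isdigit():
            continue  # skip events that carry no usable DAT number
        if host not in newest or rt > newest[host][0]:
            newest[host] = (rt, int(dat))
    return {host: dat for host, (_, dat) in newest.items()}


def lagging_hosts(lines, max_lag=0):
    """Return {host: DAT} for endpoints more than max_lag DAT versions behind the fleet's newest."""
    dats = latest_dat_per_host(lines)
    if not dats:
        return {}
    fleet_newest = max(dats.values())
    return {host: dat for host, dat in dats.items() if fleet_newest - dat > max_lag}


if __name__ == "__main__":
    for host, dat in sorted(lagging_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: DAT {dat} is behind the fleet's newest")
```

The fleet-wide maximum is used as the reference so the check works without knowing the vendor's current DAT number; `max_lag` gives a tolerance so that endpoints that simply have not checked in since the last DAT release are not alerted on immediately.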
