Logs on ePO which capture installed version on endpoints
Hi, We have a customer requirement to create an alert for all systems on which McAfee ePO is not updated or the DAT file installed is not the latest.
Currently, we are only getting virusscan module logs from ePO. Is it somehow possible to capture additional logs from McAfee ePO which might get the antivirus version installed on the endpoints and help in creating the required alert?
Within the ePO db connector you can add several different "Event Types" for the connector to pull from your ePO db. We are currently pulling the following in our environment: virusscan, hips, rsd, dlp, solidcore, endpointsecurity
If you are just interested in the DAT version then you will want to add "virusscan" to your Event Types on your connector. Then you can search for these logs in your Logger or ESM using the following search:
deviceVendor = "McAfee" AND deviceVersion = "virusscan*"
The field that contains the DAT number is deviceCustomString6.
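As an added example (not code from this thread or from the ePO connector), the following script applies the same vendor/version filter as the search above to a few constructed CEF-style events and reports hosts whose most recent virusscan event carries a DAT number below the current release. It assumes the connector's CEF header carries deviceVendor/deviceProduct/deviceVersion, that deviceCustomString6 appears as cs6= and the host as dvchost=; the sample lines and DAT numbers are made up.

```python
"""Flag endpoints whose McAfee DAT (deviceCustomString6) lags the current release."""
import re

# Constructed sample events in CEF, imitating what an ePO DB connector could emit.
# Assumption: header fields map to deviceVendor/deviceProduct/deviceVersion,
# the DAT number arrives as cs6= and the endpoint name as dvchost=.
SAMPLE_EVENTS = [
    "CEF:0|McAfee|ePolicy Orchestrator|virusscan 8.8|1024|Update succeeded|1|dvchost=ws-001 cs6=10920",
    "CEF:0|McAfee|ePolicy Orchestrator|virusscan 8.8|1024|Update succeeded|1|dvchost=ws-002 cs6=10915",
    "CEF:0|McAfee|ePolicy Orchestrator|hips 8.0|1030|Signature updated|1|dvchost=ws-003 cs6=10900",
    "CEF:0|McAfee|ePolicy Orchestrator|virusscan 8.8|1024|Update succeeded|1|dvchost=ws-002 cs6=10923",
]


def parse_cef(line):
    """Split a CEF line into its header fields plus a dict of extension key=value pairs."""
    parts = line.split("|", 7)
    if len(parts) < 8 or not parts[0].startswith("CEF:"):
        return None
    ext = dict(re.findall(r"(\w+)=(\S+)", parts[7]))
    return {"deviceVendor": parts[1], "deviceProduct": parts[2],
            "deviceVersion": parts[3], "ext": ext}


def outdated_dat_hosts(lines, latest_dat):
    """Return {host: dat} for hosts whose latest virusscan event reports a DAT below latest_dat."""
    latest_seen = {}
    for line in lines:
        ev = parse_cef(line)
        if ev is None:
            continue
        # Same filter as the Logger/ESM search: deviceVendor McAfee, deviceVersion virusscan*
        if ev["deviceVendor"] != "McAfee" or not ev["deviceVersion"].startswith("virusscan"):
            continue
        host, dat = ev["ext"].get("dvchost"), ev["ext"].get("cs6")
        if not host or not dat or not dat.isdigit():
            continue
        # Later events overwrite earlier ones, so a host that has since updated is not flagged
        latest_seen[host] = int(dat)
    return {h: d for h, d in latest_seen.items() if d < latest_dat}


if __name__ == "__main__":
    print(outdated_dat_hosts(SAMPLE_EVENTS, 10923))  # → {'ws-001': 10920}
```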