McAfee ePO Connector Only Polls Windows Events From DB
Ever noticed that your McAfee connector never sees any events from the couple of Mac users in your environment and thought, well, maybe Macs don't get hit with malware... think again.
The parser is not written to poll/pull Mac malware (VirusScan) events from the McAfee ePO database. And to be clear, it is not a Windows vs *nix event format parsing issue: the SQL statement IS NOT WRITTEN TO RETRIEVE THOSE EVENTS FROM THE DATABASE AT ALL.
Attached is the modified parser. I have not done a diff of all the event types that Windows hosts are reporting vs those now reporting from Macs but at the very least some of the malware content from the Activate package is now firing for Mac clients.
Nice catch, and quite an eye opener.
We will also apply the parser override and run some tests.
On what version of the SmartConnector is it applicable?
Did you report this to HPE ("support") so that eventually (hopefully) we won't have to re-apply the patch?
If so, do you have a ticket number you could share here?
- SmartConnector version 7.1.4
- Parser was the one attached to the Activate Wiki page for McAfee https://www.protect724.hpe.com/docs/DOC-12736#comment-15005
- I wanted a clean, original, unobfuscated parser for 7.1.4 from support, but they would not give it to me. I was a bit miffed because I thought it was procedure for them to give it to you if you asked for it, and I have received parsers from support in the past. Apparently there are new rules now.
- I was told by the HP developer of this parser override for Activate that the one posted in the wiki was the original with only 2 minor file parsing modifications, so it was basically clean. I have kept all the changes by myself and the original developer in the parser via comments.
- I have not told support about this in protest of item #3 above... I guess I should go ahead and loop them in.
- More work on this parser needs to be done; I cannot say for sure that my addition to the SQL statement is bringing in all the necessary events for Mac clients. I need to run a dedup of the event types reported by Windows clients, diff that with a dedup of the Mac events, then track down in the ePO DB exactly how those events are referenced. It's possible we are getting everything we need, I just don't know. Right now I just know we are getting some of what the Activate package is looking for, because we are now seeing rule fires on Mac clients.
- Thanks for the compliment!
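The dedup-and-diff check described in the last post, as an added example that is not part of the thread and not code from the HPE parser. It works on a small constructed set of rows loosely modeled on ePO threat-event fields (an analyzer product code, the client OS, a ThreatEventID); the column names, the analyzer codes such as VIRUSCAN8800 and VIRUSCAN_MAC, and the event IDs are assumptions for illustration, not values from the page or the real ePO schema. The first function mimics the suspected failure mode (a query that only admits an allow-list of analyzer codes silently returns zero Mac rows); the rest deduplicate event types per platform and report which IDs appear only on Windows, only on Mac, or on both, which is the list you would then chase down in the ePO DB.

```python
from collections import defaultdict

# Constructed sample rows (assumed field names and values, not ePO data).
# Duplicates are deliberate so the dedup step has something to collapse.
SAMPLE_ROWS = [
    {"Analyzer": "VIRUSCAN8800", "OSType": "Windows 7", "ThreatEventID": 1027, "Threat": "EICAR test file"},
    {"Analyzer": "VIRUSCAN8800", "OSType": "Windows 7", "ThreatEventID": 1027, "Threat": "EICAR test file"},
    {"Analyzer": "VIRUSCAN8800", "OSType": "Windows 7", "ThreatEventID": 1278, "Threat": "Generic.dx"},
    {"Analyzer": "VIRUSCAN8800", "OSType": "Windows 7", "ThreatEventID": 1092, "Threat": "ScriptScan block"},
    {"Analyzer": "VIRUSCAN_MAC", "OSType": "Mac OS X", "ThreatEventID": 1027, "Threat": "EICAR test file"},
    {"Analyzer": "VIRUSCAN_MAC", "OSType": "Mac OS X", "ThreatEventID": 1278, "Threat": "OSX/Flashback"},
    {"Analyzer": "VIRUSCAN_MAC", "OSType": "Mac OS X", "ThreatEventID": 1059, "Threat": "OSX/Leap"},
]


def select_events(rows, allowed_analyzers):
    """Mimic a poll query that filters on an analyzer allow-list.

    This is the pattern the thread suspects: if the Mac product code is not
    in the list, its rows are never returned, regardless of how the
    downstream parser maps fields.
    """
    allowed = set(allowed_analyzers)
    return [r for r in rows if r["Analyzer"] in allowed]


def platform_of(row):
    """Bucket a row as 'mac' or 'windows' from the (assumed) OSType field."""
    return "mac" if row["OSType"].lower().startswith("mac") else "windows"


def event_types_by_platform(rows):
    """Deduplicated ThreatEventIDs seen per platform."""
    by_platform = defaultdict(set)
    for r in rows:
        by_platform[platform_of(r)].add(r["ThreatEventID"])
    return dict(by_platform)


def diff_event_types(rows):
    """Which event IDs are Windows-only, Mac-only, or common to both."""
    types = event_types_by_platform(rows)
    win = types.get("windows", set())
    mac = types.get("mac", set())
    return {
        "windows_only": sorted(win - mac),
        "mac_only": sorted(mac - win),
        "common": sorted(win & mac),
    }


def mac_rows_returned(rows, allowed_analyzers):
    """How many Mac rows a query with the given allow-list would hand the parser."""
    return sum(1 for r in select_events(rows, allowed_analyzers) if platform_of(r) == "mac")


if __name__ == "__main__":
    # With only the Windows analyzer admitted, the Mac clients are invisible.
    print("Mac rows with Windows-only allow-list:", mac_rows_returned(SAMPLE_ROWS, ["VIRUSCAN8800"]))
    # After widening the allow-list, run the dedup/diff to see what still differs.
    widened = select_events(SAMPLE_ROWS, ["VIRUSCAN8800", "VIRUSCAN_MAC"])
    print("Mac rows with widened allow-list:", mac_rows_returned(SAMPLE_ROWS, ["VIRUSCAN8800", "VIRUSCAN_MAC"]))
    print(diff_event_types(widened))
```

Run against a real export, the "windows_only" list is the set of event IDs to check: each one is either genuinely Windows-only (nothing to do) or a Mac event that the widened query still does not reach, which is the case the poster says is still open.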