UPDATE! The community will go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
Ensign
573 views

McAfee ePO Connector Only Polls Windows Events From DB

Ever noticed that your McAfee connector never sees any events from the couple of Mac users in your environment and thought, well, maybe Macs don't get hit with malware... think again.

The parser is not written to poll/pull Mac malware (VirusScan) events from the McAfee ePO database. And to be clear, it is not a Windows vs *nix event format parsing issue: the SQL statement IS NOT WRITTEN TO RETRIEVE THOSE EVENTS FROM THE DATABASE AT ALL.

Attached is the modified parser. I have not done a diff of all the event types that Windows hosts are reporting vs those now reporting from Macs, but at the very least some of the malware content from the Activate package is now firing for Mac clients.

2 Replies
Vice Admiral

Wow Mary,

Nice catch, and quite an eye opener.

We will also apply the parser override and run some tests.

On what version of the Smart is it applicable?

Did you report this to HPE ("support") so that eventually (hopefully) we won't have to re-apply the patch?

If so, do you have a ticket number you could share here?

Thanks again!

Dany

Ensign

  1. SmartConnector version 7.1.4
  2. Parser was the one attached to the Activate Wiki page for McAfee https://www.protect724.hpe.com/docs/DOC-12736#comment-15005
  3. I wanted a clean, original, unobfuscated parser for 7.1.4 from support but they would not give it to me. I was a bit miffed because I thought it was procedure for them to give it to you if you asked for it, and I have received parsers from support in the past. Apparently there are new rules now.
  4. I was told by the HP developer of this parser override for Activate that the one posted in the wiki was the original with only 2 minor file parsing modifications, so it was basically clean. I have kept all the changes by myself and the original developer in the parser via comments.
  5. I have not told support about this in protest of item #3 above... I guess I should go ahead and loop them in.
  6. More work on this parser needs to be done; I cannot say for sure that my addition to the SQL statement is bringing in all the necessary events for Mac clients. I need to run a dedup of the event types reported by Windows clients, diff that with a dedup of the Mac events, then track down in the ePO DB exactly how those events are referenced. It's possible we are getting everything we need, I just don't know. Right now I just know we are getting some of what the Activate package is looking for, because we are now seeing rule fires on Mac clients.
  7. Thanks for the compliment!
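The dedup-and-diff procedure described in item 6 of the reply above, and the claim in the original post that the connector's SQL never selects Mac rows, can both be checked directly against the ePO database. The queries below are an added example written for this thread; they are not the connector's SQL (the modified parser is only attached, not reproduced here) and not Mary's queries. They assume the commonly documented ePO 5.x SQL Server schema: EPOEvents for threat events, EPOLeafNode for the managed system, and EPOComputerProperties for OS details joined through ParentID. Every table and column name, and the assumption that OSType for Macs starts with "Mac", is taken from that documentation and must be verified against your own ePO instance.

```sql
-- Added example for this thread, not the SmartConnector's own SQL.
-- Assumed ePO 5.x schema (verify against your instance):
--   EPOEvents(AgentGUID, ThreatEventID, ThreatType, AnalyzerName, ReceivedUTC, ...)
--   EPOLeafNode(AutoID, AgentGUID, NodeName, ...)
--   EPOComputerProperties(ParentID -> EPOLeafNode.AutoID, OSType, ...)
-- Assumed: EPOComputerProperties.OSType begins with 'Mac' for Mac clients.
-- T-SQL, since ePO runs on Microsoft SQL Server.

-- Step 1: dedup of event types per platform over the last 30 days.
-- One row per platform / event ID / analyzer (the product that reported it),
-- with the event count, so the Windows and Mac lists can be compared side by side.
WITH EventsByPlatform AS (
    SELECT
        CASE WHEN cp.OSType LIKE 'Mac%' THEN 'Mac' ELSE 'Windows' END AS Platform,
        e.ThreatEventID,
        e.ThreatType,
        e.AnalyzerName
    FROM EPOEvents AS e
    JOIN EPOLeafNode AS ln ON ln.AgentGUID = e.AgentGUID
    JOIN EPOComputerProperties AS cp ON cp.ParentID = ln.AutoID
    WHERE e.ReceivedUTC >= DATEADD(day, -30, GETUTCDATE())
)
SELECT Platform, ThreatEventID, ThreatType, AnalyzerName, COUNT(*) AS EventCount
FROM EventsByPlatform
GROUP BY Platform, ThreatEventID, ThreatType, AnalyzerName
ORDER BY Platform, ThreatEventID;

-- Step 2: the diff. Event ID / analyzer pairs that Mac clients report but no
-- Windows client does. Anything in this result that the connector's WHERE
-- clause does not admit is an event type the connector silently drops.
-- (Swap the two platforms to see what Windows reports that Macs never do.)
WITH EventTypes AS (
    SELECT DISTINCT
        CASE WHEN cp.OSType LIKE 'Mac%' THEN 'Mac' ELSE 'Windows' END AS Platform,
        e.ThreatEventID,
        e.AnalyzerName
    FROM EPOEvents AS e
    JOIN EPOLeafNode AS ln ON ln.AgentGUID = e.AgentGUID
    JOIN EPOComputerProperties AS cp ON cp.ParentID = ln.AutoID
    WHERE e.ReceivedUTC >= DATEADD(day, -30, GETUTCDATE())
)
SELECT ThreatEventID, AnalyzerName FROM EventTypes WHERE Platform = 'Mac'
EXCEPT
SELECT ThreatEventID, AnalyzerName FROM EventTypes WHERE Platform = 'Windows'
ORDER BY ThreatEventID, AnalyzerName;

-- Step 3: the check from the original post. Paste the predicate from the
-- connector's own SELECT (taken from the parser file) in place of the 1 = 1
-- placeholder and restrict to Mac systems. If step 1 shows Mac events but this
-- returns 0, the connector's filter, not field parsing, is what excludes them.
SELECT COUNT(*) AS MacRowsMatchingConnectorFilter
FROM EPOEvents AS e
JOIN EPOLeafNode AS ln ON ln.AgentGUID = e.AgentGUID
JOIN EPOComputerProperties AS cp ON cp.ParentID = ln.AutoID
WHERE cp.OSType LIKE 'Mac%'
  AND ( /* connector's WHERE predicate goes here */ 1 = 1 );
```

Run step 1 and step 2 first to build the Windows and Mac event-type lists item 6 asks for, then use step 3 to confirm whether the connector's unmodified predicate admits any of the Mac rows at all. Because the connector reads the same tables, a mismatch between step 1 and step 3 is direct evidence for the "not selected from the database" diagnosis rather than a parsing problem, and it also tells you which ThreatEventID / AnalyzerName values a widened SQL statement needs to include.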