cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Not applicable
Report Inappropriate Content
Message 1 of 6
‎10-05-2010 02:01 PM

report on failed managed scan?

Jump to solution

Hello,

I was wondering if there is a way I can run a query on failed managed scans. I am able to run a query where epo 4.5 shows me a list of computers that were infected and/or show me a list of viruses etc but I do not see a way to see which computers failed completing managed scans.

Is there a way to run that kind of query? Is there a way I have to setup clients logs to be sent to the epo? I'm not sure...please help. Thank you in advance!

-Jae

0 Kudos
Reply
1 Solution

Accepted Solutions
Hem
Employee
Employee
Report Inappropriate Content
Message 2 of 6
‎10-07-2010 02:40 AM

Re: report on failed managed scan?

Jump to solution

Event ID 1203 is for ODS completed.

You can query with Event ID not equal to 1203.

Thanks

Hem

View solution in original post

0 Kudos
Reply
5 Replies
Hem
Employee
Employee
Report Inappropriate Content
Message 2 of 6
‎10-07-2010 02:40 AM

Re: report on failed managed scan?

Jump to solution

Event ID 1203 is for ODS completed.

You can query with Event ID not equal to 1203.

Thanks

Hem

0 Kudos
Reply
Sk1dMARK
Level 11
Report Inappropriate Content
Message 3 of 6
‎10-07-2010 12:27 PM

Re: report on failed managed scan?

Jump to solution

Event ID 1202 is OD scan started.  Look for machines with a 1202 event without a corresponding 1203 event.  My theory is that if something happened to the machine or McAfee subsystem to cause the scan to fail part of the way through, that you may not see a specific error event like Event ID 1086 or something to that effect.

Hope this helps.

Regards,

Mark

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 4 of 6
‎10-07-2010 01:18 PM

Re: report on failed managed scan?

Jump to solution

Awesome, thanks for the help.

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 5 of 6
‎10-07-2010 02:01 PM

Re: report on failed managed scan?

Jump to solution

Hmm..I ran a new query(client events) for any event ID equaling 1203 to just see if the client computers are returning with a completed demand scan and I get back 0 compliant.

I know my computer in specific has completed because I can see the OnDemandScanLog.txt from my computer. All I see are event IDs 2401-2413.

Am I doing something wrong?

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 6 of 6
‎10-08-2010 07:27 AM

Re: report on failed managed scan?

Jump to solution

1202 and 1203 events are not enabled by default. You have to turn them on in the event filter, wait for all of your machines to get the new policy, then start your scan.

When you run the report, you'll also need to filter it by 'Analyzer Detection Method' in order to limit to just the managed scan you're looking for. Otherwise you'll receive data with on-demand scans other than the managed one you're trying to verify.

edit: Also, the 1203 event is sent even if the scan is canceled. All it means is that the scan completed; it doesn't care why the scan stopped. I think event 1035 indicates that it was canceled, but I found that event to be a little hit and miss on accuracy.I basically just started doing SQL queries directly in the DB that did a diff between the full list of machines that should have done a scan, and the list of machines that had a 1202 event for that scan name during the designated scan period. It's fairly painful and not 100% reliable, but it's the best I've been able to do.

Message was edited by: Slingo on 10/8/10 9:33:22 AM GMT-05:00
0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC