McAfee

I have created 3 scripts to monitor, update and stop/start services of McAfee. I hope they help.

The first script checks whether all desktops are up to date:

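# Suppress error output so an unreachable computer does not stop the run; its registry columns stay blank
$erroractionpreference = "SilentlyContinue"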

$a = New-Object -comobject Excel.Application
$a.visible = $True 

$b = $a.Workbooks.Add()
$c = $b.Worksheets.Item(1)

$c.Cells.Item(1,1) = "Server Name"
$c.Cells.Item(1,2) = "AV Product"
$c.Cells.Item(1,3) = "Version"
$c.Cells.Item(1,4) = "Scan Engine"
$c.Cells.Item(1,5) = "Virus Definition"
$c.Cells.Item(1,6) = "Virus Definition Date"
$c.Cells.Item(1,7) = "Repository Server"
$c.Cells.Item(1,8) = "Report Time Stamp"

$d = $c.UsedRange
$d.Interior.ColorIndex = 19
$d.Font.ColorIndex = 11
$d.Font.Bold = $True

$intRow = 2

$colComputers = get-content \\server\homedrive\name\scripts\computers.txt

foreach ($strComputer in $colComputers)
{
$c.Cells.Item($intRow,1) = $strComputer

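Function GetRegInfo
{
# Open HKLM on the remote computer: AVEngine holds the engine and DAT values, DesktopProtection the product name and version
$key1="SOFTWARE\McAfee\AVEngine"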
$regkey1 = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $strComputer) 
$regKey1 = $regKey1.OpenSubKey($key1)
$key2="SOFTWARE\McAfee\DesktopProtection"
$regkey2 = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $strComputer) 
$regKey2 = $regKey2.OpenSubKey($key2)
$key3="SOFTWARE\McAfee\AVEngine"
$regkey3 = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $strComputer) 
$regKey3 = $regKey3.OpenSubKey($key3)

$Product = $regKey2.GetValue("Product")
$c.Cells.Item($intRow,2) = $Product

$productver = $regKey2.GetValue("szProductVer")
$c.Cells.Item($intRow,3) = $Productver

$ScanEngine = $regKey3.GetValue("szEngineVer")
$c.Cells.Item($intRow,4) = $ScanEngine

$VirDefVer = $regKey3.GetValue("AVDatVersion")
$c.Cells.Item($intRow,5) = $VirDefVer

$virDefDate = $regKey3.GetValue("AVDatDate")
$c.Cells.Item($intRow,6) = $virDefDate
}

GetRegInfo

Function GetSiteInfo
{
$x = Test-path "\\$strcomputer\c$\Documents and Settings\All Users\Application Data\McAfee\Common Framework\UpdateHistory.ini"
if($x -eq "True")
{
$y = get-content "\\$strcomputer\c$\Documents and Settings\All Users\Application Data\McAfee\Common Framework\UpdateHistory.ini"
# Take the fourth line of the file and keep everything after its first 19 characters
$z = $y[3]
$SiteServer = $z.substring(19,($z.length-19))
}
$c.Cells.Item($intRow,7) = $SiteServer.ToUpper()
}

GetSiteInfo

$c.Cells.Item($intRow,8) = Get-date

$intRow = $intRow + 1

}
$d.EntireColumn.AutoFit()
cls
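
A variant of the check above, as an added example that is not part of the original page: it reads the same AVEngine registry values but gives every machine an explicit status, so stale or unreadable machines are listed instead of showing up as blank rows. The function name, the 7-day threshold, the file names and the assumption that AVDatDate parses as a date are assumptions of this example.

```powershell
# Added example (not from the original page). Get-McAfeeDatStatus is a hypothetical name.
function Get-McAfeeDatStatus {
    param([string[]]$ComputerName, [int]$MaxAgeDays = 7)   # 7 days is an assumed threshold
    $ErrorActionPreference = 'Stop'   # surface failures to catch instead of hiding them
    foreach ($computer in $ComputerName) {
        $row = New-Object PSObject -Property @{
            Computer = $computer; DatVersion = $null; DatDate = $null; Status = 'Unknown' }
        $base = $null
        try {
            # Same remote registry call and key as the script above
            $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $engine = $base.OpenSubKey('SOFTWARE\McAfee\AVEngine')
            if ($null -eq $engine) {
                $row.Status = 'KeyMissing'        # reachable, but no AVEngine key
            } else {
                $row.DatVersion = $engine.GetValue('AVDatVersion')
                $raw = [string]$engine.GetValue('AVDatDate')
                $engine.Close()
                $parsed = [datetime]::MinValue
                # Assumption: AVDatDate is a date string that TryParse accepts
                if ([datetime]::TryParse($raw, [ref]$parsed)) {
                    $row.DatDate = $parsed
                    $age = ((Get-Date) - $parsed).Days
                    $row.Status = if ($age -gt $MaxAgeDays) { 'Stale' } else { 'Current' }
                } else {
                    $row.Status = 'DateUnreadable'
                }
            }
        } catch {
            $row.Status = 'ReadFailed'            # offline, access denied, or Remote Registry stopped
        } finally {
            if ($base) { $base.Close() }
        }
        $row
    }
}

# Usage: list only the machines that need attention (file names are placeholders)
Get-McAfeeDatStatus -ComputerName (Get-Content .\computers.txt) |
    Where-Object { $_.Status -ne 'Current' } |
    Select-Object Computer, Status, DatVersion, DatDate |
    Export-Csv .\mcafee-attention.csv -NoTypeInformation
```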

The second script updates McAfee via Sysinternals PsExec:

cd f:\ps # or wherever your psexec is located
.\psexec.exe -s \\computer_who_needs_update "C:\Program Files\McAfee\VirusScan Enterprise\mcupdate" /update /quiet

The third script stops and starts the McAfee services remotely with PsExec:

.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" STOP MCSHIELD
.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" STOP MCAfeeEngineService
.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" STOP MCAfeeFramework
.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" STOP MCTaskManager

get-service -computername "computername" | where {$_.name -eq "Mcshield"}
get-service -computername "computername" | where {$_.name -eq "MCAfeeEngineService"}
get-service -computername "computername" | where {$_.name -eq "MCAfeeFramework"}
get-service -computername "computername" | where {$_.name -eq "MCTaskManager"}

.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" START MCSHIELD
.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" START MCAfeeEngineService
.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" START MCAfeeFramework
.\psexec.exe -s \\computername "c:\windows\system32\SC.exe" START MCTaskManager

get-service -computername "computername" | where {$_.name -eq "Mcshield"}
get-service -computername "computername" | where {$_.name -eq "MCAfeeEngineService"}
get-service -computername "computername" | where {$_.name -eq "MCAfeeFramework"}
get-service -computername "computername" | where {$_.name -eq "MCTaskManager"}

What I also found very useful after searching the web for troubleshooting McAfee was:

  • Where are the log files on the client

They are located in \\computername\c$\Documents and Settings\All Users\Application Data\McAfee\Common Framework\DB
The important file here is Agent_Computername.log, which shows where errors are coming from.

  • Sometimes the sitecache.bin gets corrupted or outdated, so you will need to stop the McAfee Framework service and delete the sitecache.bin file.
  • Also check if the computers use a proxy server and if the agents that are not communicating are logged in by the user or not. I have seen issues with the proxy server because nobody was logged in, so it wouldn't go past the proxy. As a result, ePO would report that they were not up to date.
