Trellix management pack

Disclaimer

Use this management pack at your own risk. I accept no responsibility if it causes damage.

Intro

A small System Center Operations Manager (SCOM) management pack for monitoring Trellix (formerly McAfee) infrastructure: ePolicy Orchestrator servers, Agent Handlers and the Trellix Agent on managed Windows hosts.

Products

Software versions used for testing:

Product                        Version
Trellix ePolicy Orchestrator   5.10.0
Trellix Agent Handler          5.10.0
Trellix Agent                  5.7.8.262, 5.7.6.251, 5.6.3.157, 5.5.0.447

Management pack components

Type       Name
Class      Trellix.Class.ePolicyOrchestrator
Class      Trellix.Class.AgentHandler
Class      Trellix.Class.Agent
Discovery  Trellix.Discovery.AgentHandlerRegistry
Discovery  Trellix.Discovery.AgentRegistry
Discovery  Trellix.Discovery.ePolicyOrchestratorRegistry
Discovery  Trellix.Discovery.Service
Monitor    Trellix.Monitor.AgentInstall
Monitor    Trellix.Monitor.AgentVersion
Monitor    Trellix.Monitor.LastAgentServerCommunication
Monitor    Trellix.Monitor.LastUpdateCheck
Monitor    Trellix.Monitor.ServiceHealth
Recovery   Trellix.Recovery.StartWindowsService

Classes

Trellix.Class.ePolicyOrchestrator

No monitoring is targeted at this class; it exists only so that ePO servers can be grouped in views.

Trellix.Class.AgentHandler

No monitoring is targeted at this class; it exists only so that Agent Handlers can be grouped in views.

Trellix.Class.Agent

Views and monitoring are targeted at this class.

Discoveries

Trellix.Discovery.AgentHandlerRegistry

This is a registry discovery that targets Microsoft.SystemCenter.HealthService, so it runs on every host with a SCOM agent. If the following registry value contains the string Agent Handler, an Agent Handler instance is created:

HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\InstallFolder

The Wow6432Node path is the 32-bit registry view on 64-bit Windows, so this and the other registry discoveries below assume 64-bit hosts.

Trellix.Discovery.AgentRegistry

This is a registry discovery that targets Microsoft.SystemCenter.HealthService. An Agent instance is created whether or not the following key exists:

HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\Agent

The instance is created even when the key is absent so that the AgentInstall monitor can raise an alert on hosts where the agent is not installed. ePO servers and Agent Handlers also have this key, so they appear in the Agents view as well.

Trellix.Discovery.ePolicyOrchestratorRegistry

This is a registry discovery that targets Microsoft.SystemCenter.HealthService. If the following registry value contains the string epolic, an ePolicy Orchestrator instance is created:

HKLM:\SOFTWARE\Wow6432Node\Network Associates\ePolicy Orchestrator\InstallFolder

Trellix.Discovery.Service

This is a WMI discovery that targets Microsoft.SystemCenter.HealthService. A service instance is created for each row returned by the following WQL query (WQL LIKE and = comparisons are case-insensitive, so mcafee matches McAfee):

SELECT * FROM Win32_Service WHERE (displayname like '%mcafee%' or displayname like '%trellix%') and startmode='auto'

Monitors

Trellix.Monitor.AgentInstall

Checks whether the Trellix agent is installed by querying a registry value and generates an alert if the value does not exist. Because the Agent discovery creates an instance on every host regardless of whether the agent key is present, this monitor is where a missing agent surfaces.

Trellix.Monitor.AgentVersion

Checks the Trellix agent version and generates an alert if it is not 5.7.9.139 (current at time of publication). The expected version is fixed in the monitor, so it has to be updated whenever a new agent version is rolled out; otherwise every host alerts as soon as it upgrades.

Trellix.Monitor.LastAgentServerCommunication

Reports the last agent-to-server communication (ASCI) time; the value matches the Last agent-to-server communication entry shown on the Trellix systray icon.

Trellix.Monitor.LastUpdateCheck

Reports the last security update check time; the value matches the Last security update check entry shown on the Trellix systray icon.

Trellix.Monitor.ServiceHealth

Checks that each McAfee or Trellix service with an automatic start type is running and generates an alert when one is not.

Recoveries

Trellix.Recovery.StartWindowsService

This will attempt to start McAfee or Trellix services with automatic start that are not running.
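The discovery, monitor and recovery logic described above can be reproduced locally to see what the pack would discover and alert on for a given host before it is imported. The following PowerShell is an added example and is not code from the management pack: the registry paths and the WQL query are the ones listed in the Discoveries section and the expected agent version is the one the AgentVersion monitor uses; the function names, the use of the agent service binaries' file version as the agent version, and the Agent display-name filter are assumptions made for this example.

```powershell
# Added example, not part of the management pack: reproduces the pack's discovery,
# monitor and recovery logic locally so you can see what SCOM would discover and
# alert on for this host. Registry paths and the WQL query are the ones the pack
# uses; the file-version check and the 'Agent' display-name filter are assumptions.
# Run in an elevated PowerShell on a 64-bit host (the keys sit under WOW6432Node).

$epoKey          = 'HKLM:\SOFTWARE\WOW6432Node\Network Associates\ePolicy Orchestrator'
$expectedVersion = [version]'5.7.9.139'   # what the AgentVersion monitor expects; update as agents roll out

function Get-TrellixRole {
    # Mirrors the three registry discoveries. -like is case-insensitive.
    $installFolder = (Get-ItemProperty -Path $epoKey -Name InstallFolder -ErrorAction SilentlyContinue).InstallFolder
    [pscustomobject]@{
        InstallFolder   = $installFolder
        IsEpoServer     = ($installFolder -like '*epolic*')          # Trellix.Discovery.ePolicyOrchestratorRegistry
        IsAgentHandler  = ($installFolder -like '*Agent Handler*')   # Trellix.Discovery.AgentHandlerRegistry
        AgentKeyPresent = (Test-Path -Path "$epoKey\Agent")          # Trellix.Monitor.AgentInstall alerts when $false
    }
}

function Get-ServiceBinaryPath {
    # Win32_Service.PathName is a raw command line: either a quoted path followed by
    # arguments, or an unquoted one. An unquoted path containing spaces cannot be
    # split reliably, so the first token is used in that case.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) { return ($PathName -split '"')[1] }
    return ($PathName -split ' ')[0]
}

function Get-TrellixService {
    # Same WQL as Trellix.Discovery.Service (WQL LIKE and = are case-insensitive).
    $wql = "SELECT Name, DisplayName, State, StartMode, PathName FROM Win32_Service " +
           "WHERE (DisplayName LIKE '%mcafee%' OR DisplayName LIKE '%trellix%') AND StartMode = 'Auto'"
    foreach ($svc in Get-CimInstance -Query $wql) {
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            Healthy     = ($svc.State -eq 'Running')   # Trellix.Monitor.ServiceHealth condition
            Binary      = Get-ServiceBinaryPath -PathName $svc.PathName
        }
    }
}

function Test-TrellixAgentVersion {
    # Assumption (the pack does not say where it reads the version): the agent's
    # own services carry the agent version in their binaries' file version, and
    # their display names contain 'Agent'. Compare as [version], not as strings,
    # so that 5.10.0.1 is correctly seen as newer than 5.7.9.139.
    param([version]$Expected = $expectedVersion)
    foreach ($svc in Get-TrellixService | Where-Object { $_.DisplayName -like '*Agent*' }) {
        if (-not $svc.Binary -or -not (Test-Path -LiteralPath $svc.Binary)) { continue }
        $raw   = (Get-Item -LiteralPath $svc.Binary).VersionInfo.FileVersion
        $match = [regex]::Match([string]$raw, '\d+(\.\d+){1,3}')
        if (-not $match.Success) { continue }
        $found = [version]$match.Value
        [pscustomobject]@{
            Service           = $svc.Name
            Binary            = $svc.Binary
            Version           = $found
            Expected          = $Expected
            Matches           = ($found -eq $Expected)   # Trellix.Monitor.AgentVersion condition
            OlderThanExpected = ($found -lt $Expected)
        }
    }
}

function Start-StoppedTrellixService {
    # Mirrors Trellix.Recovery.StartWindowsService. Supports -WhatIf so the action
    # can be previewed before anything is started.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($svc in Get-TrellixService | Where-Object { -not $_.Healthy }) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Start-Service')) {
            Start-Service -Name $svc.Name
        }
    }
}

Get-TrellixRole | Format-List
Get-TrellixService | Format-Table Name, DisplayName, State, Healthy -AutoSize
Test-TrellixAgentVersion | Format-Table Service, Version, Expected, Matches, OlderThanExpected -AutoSize
Start-StoppedTrellixService -WhatIf   # drop -WhatIf to actually start stopped services
```

On an ePO server or Agent Handler the service query also returns the ePO application services, whose binaries do not carry the agent version; the Agent display-name filter in Test-TrellixAgentVersion is there to keep those out of the comparison, and it should be adjusted if the service display names in your environment differ.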

Views

Appendix

Download management packs

SQL Queries

The following query may be useful for reporting directly against the ePO database. It joins three tables: dbo.EPOLeafNode (one row per managed system), dbo.EPOComputerProperties (system properties) and dbo.EPOProductProperties (one row per installed product), so a system with several Trellix products appears once per product. UserProperty1 to UserProperty4 are ePO custom properties; the aliases reflect how this environment populates them.

SELECT
    cp.DomainName          AS [Domain Name],
    ln.NodeName            AS [PC Name],
    cp.UserName            AS [User ID],
    cp.Description         AS [Computer Description],
    ln.LastUpdate          AS [Last System ASCI UTC],
    cp.IsPortable          AS [Laptop?],
    cp.OSBitMode           AS [64 Bit?],
    ln.Tags                AS [Assigned Tags],
    cp.IPAddress           AS [TCP/IP Address],
    cp.NetAddress          AS [MAC Address],
    cp.OSOEMID             AS [OS OEM ID],
    cp.OSType              AS [O/S Type],
    cp.OSPlatform          AS [O/S Platform],
    cp.OSVersion           AS [O/S Version],
    cp.OSServicePackVer    AS [O/S Service Pack],
    cp.TimeZone            AS [Time Zone Setting],
    cp.CPUType             AS [CPU Type],
    cp.NumOfCPU            AS [# of CPUs],
    cp.CPUSpeed            AS [CPU Speed],
    cp.SysvolTotalSpace    AS [System Volume Total DASD],
    cp.SysvolFreeSpace     AS [System Volume Free DASD],
    cp.TotalDiskSpace      AS [Total DASD],
    cp.FreeDiskSpace       AS [Free DASD],
    cp.TotalPhysicalMemory AS [Total RAM],
    cp.FreeMemory          AS [Free RAM],
    pp.ProductCode         AS [McAfee Product Code],
    pp.ProductVersion      AS [McAfee Product Version],
    pp.Hotfix              AS [McAfee Product Hot Fix],
    pp.EngineVer           AS [Scan Engine Version],
    pp.DATVer              AS [DAT Version],
    pp.DATDate             AS [DAT Date],
    cp.UserProperty1       AS [Last Boot],
    cp.UserProperty2       AS [Local Administrators],
    cp.UserProperty3       AS [Manufacture / Serial Number info],
    cp.UserProperty4       AS [Information Last Updated]
FROM dbo.EPOLeafNode AS ln
    INNER JOIN dbo.EPOComputerProperties AS cp ON cp.ParentID = ln.AutoID
    INNER JOIN dbo.EPOProductProperties  AS pp ON pp.ParentID = ln.AutoID
ORDER BY [PC Name], [McAfee Product Code];
