Bart's Weblog

Just a blog…

Archive for the ‘McAfee’ Category

McAfee ePolicy Orchestrator 4.x backup and disaster recovery

Posted by bartvdw on 11/06/2011

Recently encountered some problems with a McAfee ePolicy Orchestrator installation. As a result, I’ve learned:
– Use the default installation path, unless you have a very good reason not to
– If using a SQL Express database, also install it in the default path unless you have a very good reason not to, and then make sure you don’t install it in the same directory as ePolicy Orchestrator itself
– Take a backup of specific ePolicy Orchestrator folder before upgrades or anything
– Read the backup and disaster recovery documentation published by McAfee

In short:
– Backup DB (if SQL Express, I’ll update this post later with commands you need)
– Backup ePolicy Orchestrator directories "Server", "DB\Software", "DB\Keystore", "Apache2\Conf"


ePO 4.5 and 4.6 server backup and disaster recovery procedure


Posted in McAfee

McAfee ePO 4.5: Blank screen when creating a VirusScan On-Demand Scan in ePO 4.5 (when using Internet Explorer 8 or Firefox 3.0/3.5)

Posted by bartvdw on 09/02/2010

Very useful to know… Here’s the link to the original McAfee KB:

Posted in McAfee

Antivirus software exclusions

Posted by bartvdw on 13/08/2008

When you configure antivirus software for servers, you need to take exclusions into account. For MS products, they are fairly well documented. If you don’t add these exclusions, you could run into trouble or errors. For applications not listed here (MS or third party), always verify whether you need to exclude something, to make sure your antivirus software does not affect your application!

Below is a summary of such exclusions and references to the MS articles describing them. I will update this post in case I have additional information.

Note: In the list below, default file locations are used. If you have changed the location of the files (e.g. Ntds.dit), you need to use the altered path obviously!!

General exclusions Windows Server 2003, Windows 2000, Windows XP, or Windows Vista:

  • %windir%\ntfrs
  • %windir%\SoftwareDistribution\Datastore\Datastore.edb
  • %windir%\SoftwareDistribution\Datastore\Logs\Edb*.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Res1.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Res2.log
  • %windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
  • %windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb
  • For Windows 2000 & 2003 DC’s
    • %windir%\ntds\Ntds.dit
    • %windir%\ntds\Ntds.pat
    • %windir%\ntds\EDB*.log
    • %windir%\ntds\Res1.log
    • %windir%\ntds\Res2.log
    • %windir%\ntds\Temp.edb
    • %windir%\ntds\Edb.chk
    • %systemroot%\sysvol (only this folder, not all subfolders!!!)
    • %systemroot%\sysvol\domain\DO_NOT_REMOVE_NtFrs_PreInstall_Directory
    • %systemroot%\sysvol\staging
    • %systemroot%\sysvol\staging areas
    • %systemroot%\sysvol\sysvol
  • Clusters:
    • %windir%\Cluster
    • Q:\ (quorum)
  • DHCP: %windir%\system32\dhcp
  • DNS: %windir%\system32\dns
  • WINS: %windir%\system32\wins

Exchange Server:

  • Cdb.exe
  • Cidaemon.exe
  • Store.exe
  • Emsmta.exe
  • Mad.exe
  • Mssearch.exe
  • Inetinfo.exe
  • W3wp.exe
  • Exchsrvr\Conndata
  • Exchsrvr\Mailroot
  • Exchsrvr\Mdbdata
  • Exchsrvr\Mtadata
  • Exchsrvr\server_name.log
  • Exchsrvr\Srsdata
  • %systemroot%\IIS Temporary Compressed Files
  • %SystemRoot%\System32\Inetsrv
  • All .edb; .stm (on Exchange 2000 Server); .log Exchange files
  • M: drive (on Exchange 2000 Server)
  • SBS:
    • C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Failed Mail
    • C:\Program Files\Microsoft Windows Small Business Server\Networking\POP3\Incoming Mail

SQL Server: SQL Server data files that have the .mdf extension, the .ldf extension, and the .ndf extension

WSUS: MSSQL$WSUS and WSUS content directory
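
A check of a configured exclusion list against the list above, as an added example that is not part of the original post. The baseline is a small subset of the default paths listed above; the `ENV` values and the configured list are constructed sample data, and the three report categories are this example's own.

```python
import ntpath

# Baseline: a subset of the exclusions listed above (default locations).
BASELINE = [
    r"%windir%\ntfrs",
    r"%windir%\SoftwareDistribution\Datastore\Datastore.edb",
    r"%windir%\ntds\Ntds.dit",
    r"%windir%\system32\dhcp",
]

# Assumed values for the environment variables on the audited server.
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows"}

# Constructed sample of what an administrator actually configured.
SAMPLE_CONFIGURED = [
    r"C:\WINDOWS\NTFRS",         # same path, different case
    r"%systemroot%\ntds",        # whole folder instead of the listed files
    "C:/Windows/System32/dhcp",  # same path, forward slashes
    r"C:\Temp",                  # not in the list at all
]


def expand(path, env=ENV):
    """Expand a leading %var% and normalise case and separators."""
    low = path.lower()
    for var, value in env.items():
        if low.startswith(var):
            path = value + path[len(var):]
            break
    return ntpath.normcase(ntpath.normpath(path))


def audit(configured, baseline=BASELINE):
    """Report baseline gaps, entries broader than the baseline, and extras."""
    base = {expand(p): p for p in baseline}
    conf = {expand(p): p for p in configured}
    # An entry is too broad if it is a parent folder of a baseline path.
    too_broad = [raw for norm, raw in conf.items()
                 if any(b.startswith(norm.rstrip("\\") + "\\") for b in base)]
    broad = [expand(p).rstrip("\\") + "\\" for p in too_broad]
    missing = [raw for norm, raw in base.items()
               if norm not in conf and not any(norm.startswith(b) for b in broad)]
    unlisted = [raw for norm, raw in conf.items()
                if norm not in base and raw not in too_broad]
    return {"missing": missing, "too_broad": too_broad, "unlisted": unlisted}


if __name__ == "__main__":
    for kind, paths in audit(SAMPLE_CONFIGURED).items():
        print(kind, paths)
```

Entries reported as `too_broad` or `unlisted` leave more of the file system unscanned than the list calls for, so they deserve a documented reason.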


Virus scanning recommendations for computers that are running Windows Server 2003, Windows 2000, Windows XP, or Windows Vista

Overview of Exchange Server 2003 and antivirus software

Guidelines for choosing antivirus software to run on the computers that are running SQL Server

Recommended Forefront Client Security file and folder exclusions for Microsoft products

Multiple symptoms occur if an antivirus scan occurs while the file or the file is copied

Posted in Exchange, McAfee, SBS, Security, SQL, Windows

Important fix for ePO 3.6.x

Posted by bartvdw on 30/03/2008

Recently we had an issue on our ePO 3.6.x servers. In the CMA logs we found “ePO Server reached the maximum download limit”.

After some investigation we found a KB on the McAfee website documenting this, related to the Apache included in the ePO installation.

My advice: apply it if running ePO 3.6.x by default.

ERROR: ePO Server reached the maximum download limit (issue: Apache configuration)

Posted in McAfee

McAfee ePO: Duplicate MAC addresses

Posted by bartvdw on 28/01/2008

One thing is sure: duplicate MAC addresses are a problem for ePO. Why? Simple: it uses the MAC address as a unique identifier!

In short: if the Agent GUID is not found, the server uses the MAC address of the machine to verify against the database. If the MAC address is found, the existing database entry is updated with the new machine information. If the MAC address is not found, a new database entry is created and populated with the new machine information.

Result: duplicate MAC addresses are something you don’t want in combination with ePO.

Therefore be careful with cloning processes (same for Agent GUID). However, this is not the only source of duplicate MACs… For example, NLB servers share their MAC address. OK, not everybody runs NLB servers (I for instance prefer HLB configuration), I know!

What to do if you run a lot of NLB servers? Reconfigure ePO to not use the MAC address as unique identifier after you have investigated that this is a real need and you can’t switch the NLBs to HLBs. Also make sure that this is what you have and not duplicate Agent GUIDs!! In other words: BE CAREFUL!

Below are some references…
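
A small model of the matching order described above, as an added example that is not ePO's own code and not part of the original post. It shows two NLB nodes collapsing into a single entry and a pre-deployment check for shared MACs; the record layout, the GUID strings, the sample inventory and the choice to overwrite the GUID on a MAC match are assumptions.

```python
from collections import defaultdict


def normalize_mac(mac):
    """Strip separators and upper-case so 00-1a-.. and 00:1A:.. compare equal."""
    return "".join(c for c in mac if c.isalnum()).upper()


def check_in(db, agent_guid, mac, hostname):
    """Match an agent check-in: GUID first, then MAC, else create a new entry."""
    mac = normalize_mac(mac)
    for rec_id, rec in db.items():
        if rec["guid"] == agent_guid:
            rec.update(mac=mac, hostname=hostname)
            return rec_id, "guid"
    for rec_id, rec in db.items():
        if rec["mac"] == mac:
            # Assumption: the matched entry also takes over the new GUID.
            rec.update(guid=agent_guid, hostname=hostname)
            return rec_id, "mac"
    rec_id = len(db) + 1
    db[rec_id] = {"guid": agent_guid, "mac": mac, "hostname": hostname}
    return rec_id, "new"


def find_duplicate_macs(inventory):
    """Return {mac: [hostnames]} for every MAC reported by more than one host."""
    hosts = defaultdict(set)
    for hostname, mac in inventory:
        hosts[normalize_mac(mac)].add(hostname)
    return {m: sorted(h) for m, h in hosts.items() if len(h) > 1}


# Constructed sample inventory: two NLB nodes share one cluster MAC.
SAMPLE_INVENTORY = [
    ("NLB-NODE1", "02-BF-0A-00-00-0A"),
    ("NLB-NODE2", "02:bf:0a:00:00:0a"),
    ("FILE01", "00-11-22-33-44-55"),
]

if __name__ == "__main__":
    db = {}
    for n, (host, mac) in enumerate(SAMPLE_INVENTORY):
        print(host, check_in(db, f"GUID-{n}", mac, host))
    print(len(db), "entries for", len(SAMPLE_INVENTORY), "machines")
    print(find_duplicate_macs(SAMPLE_INVENTORY))
```

Running `find_duplicate_macs` over an asset export before agents are deployed shows which machines would overwrite each other's entry.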

Understanding how the Agent GUID is used by the ePolicy Orchestrator server [8078252]

Unable to see both nodes of a cluster in the ePO directory because of duplicate MAC address issue [KB45372]

ePO agents do not appear in the directory after imaged computers are deployed

Posted in McAfee