Leveraging PowerShell scripts in McAfee ePO Server Tasks
For past clients I have been tasked to automate responses to queries and reports. In most cases you would be able to leverage the “Automatic Responses” feature in ePO, but in those few scenarios where Automatic Responses just isn’t dynamic enough, you can invoke PowerShell to pick up the slack. Combining ePO’s reporting with the versatility of PowerShell gives you the additional ability to act upon collected knowledge in a way that very well could be your end-all solution.
I have used this method to review reports generated from ePO
and determine if there is a threat outbreak. The script would then email
different IT groups depending on the time of day that the threat was found and
raise or lower its severity level based on the trending data collected.
The procedure below sets up a server task to export VSE
policies and then uses a PowerShell script to parse the data and provide a more
legible report to a distribution list or individual users for review. This
standard task may be modified to meet other needs and is merely a jumping-off
point to demonstrate the ability to expand on ePO server tasks and meet any
additional smart processing needs you may have.
Register the script in ePO
This enables you to execute
PowerShell scripts within your server tasks or expand further on automated
responses.
1. Log on to the ePO server. (As a safety measure you must log on to the ePO server by means of RDC or the console to register an application.)
2. Log on to the ePO console. (Typically there is a shortcut on the desktop.)
3. Navigate to Menu > Configuration > Registered Executables
4. Click New Registered Executable
   a. Name: PowerShell
   b. Path: “C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe” OR “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”
      (Be sure to adjust the execution policy in the shell you plan to use. If you don’t have the ability to sign a script you may want to change it to Unrestricted.)
   c. Run As: ID and PW of an account that has access to run the script and authenticate to the Exchange server you will relay emails through.
   d. Test Executable:
      I. Arguments: -command "c:\reports\Get-Exclusions.ps1 -xmlpath "c:\reports\vse.xml" -quiet"
      II. Once you hit Run, save it, then check the Audit Log to confirm that the account used to run the script authenticated properly. (Menu > User Management > Audit Log)
5. If the HTML file populated the “c:\reports” folder then it worked. Moving on…
Create the Server task
This task will be used to run scheduled reports and then
use a registered executable to act on that data or further process
the information retrieved.
1. Name your report accordingly and hit Next.
2. Action 1.
   a. Select Export Policies
   b. Select VirusScan Enterprise 8.8.0
   c. Name the XML VSE (No need for the extension; just enter the first part of the filename.)
   d. Hit the + symbol on the right at the end of the Action 1 bar.
3. Action 2.
   a. Run External Command
      i. Registered executables: PowerShell
      ii. Arguments: -command "c:\reports\Get-Exclusions.ps1 -xmlpath "c:\reports\vse.xml" -quiet -email -EmailTo User@YourCompany.com -SMTP smtp.exchange.com -From EpoAdmin@epo.com -Subject "Monthly ePO VirusScan Exclusion List""
4. Hit Next
5. Schedule Type: Yearly
6. Start Date: Today's date
7. End date: No end date
   a. Hit the + symbol to add an additional date
9. Schedule 1st of July
10. Hit Save.
Now you can run this manually as needed to test the
functionality, which is what I would recommend to ensure it renders the
results you are looking for.
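Get-Exclusions.ps1 itself is not shown in this post. The following is an added example, not the author's script, of how a script taking the same arguments as the server task could turn the exported policy XML into an HTML report and mail it. The XML layout (exclusions as `Setting` elements named `ExcludedItem_N`), the meaning of `-Quiet`, and the `-OutPath` parameter are assumptions; the embedded XML is a constructed sample.

```powershell
# Added example: NOT the author's Get-Exclusions.ps1.
# ASSUMPTION: exclusions are <Setting name="ExcludedItem_N" value="..."/>
# elements beneath <EPOPolicySettings name="...">; check your own export.
param(
    [string]$XmlPath,                        # e.g. c:\reports\vse.xml
    [string]$OutPath = (Join-Path $env:TEMP 'vse-exclusions.html'),
    [switch]$Quiet,                          # assumed: suppress console output
    [switch]$Email,
    [string]$EmailTo, [string]$SMTP, [string]$From,
    [string]$Subject = 'ePO VirusScan Exclusion List'
)
$ErrorActionPreference = 'Stop'

# Constructed sample, used only when -XmlPath is omitted.
$sample = @'
<EPOPolicySchema>
  <EPOPolicySettings name="Servers - On-Access Default">
    <Section name="Exclusions">
      <Setting name="ExcludedItem_0" value="3|15|**\*.ldf"/>
      <Setting name="ExcludedItem_1" value="3|15|D:\Backups\"/>
    </Section>
  </EPOPolicySettings>
</EPOPolicySchema>
'@

$doc = New-Object System.Xml.XmlDocument
$doc.XmlResolver = $null                     # do not fetch external DTDs or entities
if ($XmlPath) { $doc.Load((Resolve-Path -LiteralPath $XmlPath).Path) } else { $doc.LoadXml($sample) }

# local-name() keeps the query working whether or not the export is namespaced.
$xpath = "//*[local-name()='Setting'][starts-with(@name,'ExcludedItem_')]"
$rows = foreach ($s in $doc.SelectNodes($xpath)) {
    $p = $s.ParentNode                       # climb to the owning policy element
    while ($null -ne $p -and $p.LocalName -ne 'EPOPolicySettings') { $p = $p.ParentNode }
    [pscustomobject]@{
        Policy    = if ($null -ne $p) { $p.GetAttribute('name') } else { '(unknown)' }
        Setting   = $s.GetAttribute('name')
        Exclusion = $s.GetAttribute('value')
    }
}

$title = [System.Net.WebUtility]::HtmlEncode($Subject)
$html  = $rows | ConvertTo-Html -PreContent "<h2>$title</h2>" | Out-String
Set-Content -LiteralPath $OutPath -Value $html -Encoding UTF8
if (-not $Quiet) { $rows | Format-Table -AutoSize }
if ($Email) {
    Send-MailMessage -To $EmailTo -From $From -SmtpServer $SMTP `
        -Subject $Subject -Body $html -BodyAsHtml
}
```

Run without arguments, it parses the constructed sample and writes the report to the temp folder, so the parsing can be checked before pointing it at a real export.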
Avishkar, would you be open to sharing the powershell scripts Get-Exclusions and the one you talked about in the article for outbreak reports?