McAfee Agent Custom Properties

The McAfee EPO agent reports back quite a few system details out of the box, however you may run into a situation where a piece of data is not being collected that may be critical to your system management. For example you wish to obtain the service tag or hardware serial number using WMI. If your in a large organization that is not coherently managed or you manage a bunch of distributed locations, EPO agents maybe able help you gather this information.

I provide managed EPO services to multiple businesses and I also have dealt with large EPO installs. For me one big data point that I would find useful in EPO is to know the public IP of NAT’d devices, whether users are hiding behind a router on a large network or at a remote site, this information would help locate to some degree a device for sorting or investigation. One feature McAfee has provided within the agent is the ability to add custom properties (up to 4, why would you need more?) which can be set on the client and then periodically sent to the EPO server.

To update these custom properties you have a few options:

FrmInst.exe – Agent installer

Intiates the agent installer to reconfigure the agent, causes the agent to stop and would be noticeable by the user, however this is the recommended method by McAfee for Windows.

Example: FrmInst.exe /CustomProps1=”Property 1″

msaconfig.exe – McAfee agent configuration

Accomplishes the same as the agent installer without disrupting the agent and is transparent to the user, my choice the setting custom properties.

Example: msaconfig -CustomProps1 “Property 1″

Registry modification

You can also create the registry keys necessary using your script and directly add the data required.

Varies based on OS/Agent version:

Create HKLM\SOFTWARE\Network Associates\ePolicy Orchestrator\Agent\CustomProps\

Add a string value with name CustomProps1 and set the value to whatever is needed

Regardless of method, once the value is set and the agent communicates back to the EPO server, you should see the value your script provided,

Custom Props

So, we now have the ability to use a script to update these custom property values but what next? Well if you have no easy way to deploy your script to update this value then this is all really pointless, luckily EPO has a couple easy ways to run your script remote on any system with an agent. Both ways require an executable, in my case I wrote some quick code and built it with visual studio as an executable. To get the public IP I called out to an external service such as whatismyIP or checkip.dyndns.com, converted the value they returned to a string and then used msaconfig to set one of the custom properties to this value.

Once you have the executable you can either register it with the EPO server and use a server task to deploy, or you can actually use agent policy to run an executable after updates occur on the client system. I prefer the later as I find this policy method easier to manage, I just reference a UNC path where the executable is located. The executable runs, updates the value and now I got the IP of the device a computer is hiding behind.

This is a very primitive method of finding this data however using the agent custom properties was the least painful method for the environments I deal with. Based on this example you can easily go and create other custom property values.