Client Management Suite

  • 1.  Detection Rules - understanding

    Posted May 28, 2014 10:38 AM

    Ok so I don't usually use detection rules but think this would be very beneficial.

    I have been reading and searching and reading up but I guess the top question I need to ask is.

    1. Do you have to do a custom inventory to read in for detection rule?

     

    Example:

    I have McAfee EPO 4.6 to 4.8 upgrade
    I have McAfee Enterprise 8.8 w/Patch 2 to 8.8 w/Patch 4 upgrade
    I have McAfee HIPS 8.0 w/Patch 2 to HIPS 8.0 w/Patch 4 upgrade

    all in one policy. This works great but if I want to run this over again, overtop the current machines, how do I set up detection rules so it will just skip it and not install?

    DetectionRule1.jpg

     

    question 2.

    2. Is a custom inventory required for this MSI Product Code to be detected or does this get verified during install?

     

    so for now I guess I will see how this goes. Going to install overtop of my current test machine install...

    DetectionRule2.jpg

     



  • 2.  RE: Detection Rules - understanding
    Best Answer

    Posted May 28, 2014 10:44 AM

    hmm interesting.. so #2 is answered... I took that screenshot without hitting save.. now I hit save and tested on my test machine and yes it detected and skipped.. wow so cool!

    I then went to go to the next one on the list and work on it and noticed the change... NICE!

    DetectionRule3.jpg



  • 3.  RE: Detection Rules - understanding

    Posted May 28, 2014 10:54 AM

    ok so I figured this out myself.. hah... 

    well this is really nice and I like it.. this will be something I will be using a lot more going forward!

     

    DetectionRule4.jpg



  • 4.  RE: Detection Rules - understanding

    Posted May 28, 2014 12:04 PM

    I use detection rules for pretty much everything.

    In your example above you don't need the 'or' under the 'and'.

    Like me, you've used the Standard Rule for MSI Product Code, not the Smart Rule. I've found that the Smart Rule MSI Product Code can get wiped out if the MSI doesn't exist in your environment for a time - not usually a problem, but I can't see any real advantage in using the Smart Rule for MSI Product Code.

    With file or registry versions particularly, sometimes you need to put in a range of values. Patch Management 7.1 used to use the same rule types before SP1 with the Shavlik engine was released and could have some good examples.

    So if you have an executable that may get patched and change version, you don't want the installation Policy saying Not Detected because the exe is now 5.0.1 instead of 5.0.0. So you might have >=5.0.0 AND <5.1.

    The Agent will show "Not Compliant" until the Detection check runs a second time after install; you need a Compliance Check schedule on the Policy for that.
     



  • 5.  RE: Detection Rules - understanding

    Posted May 28, 2014 01:14 PM

    ........The Agent will show "Not Compliant" until the Detection check runs a second time after install, you need a Compliance Check schedule on the Policy for that.

     

     

    how do you do the Compliance Check schedule? I gotta look at that... While this does work I broke my test machine trying different things so got to get that running again before I can test...



  • 6.  RE: Detection Rules - understanding

    Posted May 28, 2014 02:43 PM

    It's the main schedule for the Policy. You can set a separate Remediation schedule but I've never needed to do that.

    I just have Policies set to run 00:00 No repeat (runs ASAP) then daily, "only when no user is logged in" if appropriate, but most times it's not needed.
     



  • 7.  RE: Detection Rules - understanding

    Posted May 29, 2014 03:44 PM

    had to add another piece.. and now it works too.. with no inventorying.. so detection runs and checks registry... voilà... woot..

    DetectionRule5.jpg



  • 8.  RE: Detection Rules - understanding

    Posted May 29, 2014 06:15 PM

    You wouldn't normally need both MSI product code AND reg key.
     



  • 9.  RE: Detection Rules - understanding

    Posted May 30, 2014 09:00 AM

    I found that out... it actually hurt me but not sure why. The product code was there and it said detected even though the DisplayVersion was different.
    so now I only have DisplayVersion and it's working like a champ!

     



  • 10.  RE: Detection Rules - understanding

    Posted May 30, 2014 10:01 AM

    If you change detection rules and try to re-run a Policy I think the old details can be cached. If I change a detection rule or command line I then disable the Policy, update the agent on the client so the Policy disappears, re-enable it and update the agent on the client again.

    MSI is usually better than DisplayVersion; the DisplayVersion may change with a patch and you wouldn't want the MSI to run again.
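
The version-range rule from post 4 and the product code versus DisplayVersion trade-off from posts 8 to 10, as an added PowerShell example (not from any poster and not the Symantec agent's own logic) for checking by hand what such a rule would see on a client. The function names are hypothetical, the product code is a placeholder, and the 5.0.0 to 5.1 range is the illustrative one from the thread.

```powershell
# Added example. The product code further down is a placeholder, not a real McAfee GUID.
function ConvertTo-PaddedVersion {
    param([Parameter(Mandatory)][string]$Text)
    # Pad to four numeric parts so "5.1" and "5.1.0.0" compare as equal;
    # an unpadded [version]'5.1' sorts below [version]'5.1.0'.
    $parts = @($Text.Trim() -split '\.')
    $bad   = @($parts | Where-Object { $_ -notmatch '^\d+$' })
    if ($parts.Count -gt 4 -or $bad.Count -gt 0) { throw "Not a dotted numeric version: '$Text'" }
    while ($parts.Count -lt 4) { $parts += '0' }
    [version]($parts -join '.')
}

function Test-VersionInRange {
    param([string]$Version, [string]$Min, [string]$MaxExclusive)
    $v = ConvertTo-PaddedVersion $Version
    ($v -ge (ConvertTo-PaddedVersion $Min)) -and ($v -lt (ConvertTo-PaddedVersion $MaxExclusive))
}

function Get-MsiUninstallEntry {
    param([string]$ProductCode)
    # An MSI registers under Uninstall\{ProductCode}; 32-bit packages on
    # 64-bit Windows land under WOW6432Node, so look in both views.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        $key = Join-Path $root $ProductCode
        if (Test-Path -LiteralPath $key) { return Get-ItemProperty -LiteralPath $key }
    }
}

# Constructed sample versions run through the ">=5.0.0 AND <5.1" rule.
foreach ($sample in '5.0.0', '5.0.1', '5.0.10', '5.1', '10.0.0') {
    '{0,-8} in range: {1}' -f $sample, (Test-VersionInRange $sample '5.0.0' '5.1')
}
# Comparing the raw strings instead would sort '10.0.0' before '5.1'.

$productCode = '{00000000-0000-0000-0000-000000000000}'   # placeholder
$entry = Get-MsiUninstallEntry $productCode
if (-not $entry) {
    'Product code not registered: Not Detected'
} elseif (-not $entry.DisplayVersion) {
    'Product code registered but no DisplayVersion value to compare'
} elseif (Test-VersionInRange $entry.DisplayVersion '5.0.0' '5.1') {
    'Detected: product code present and DisplayVersion in range'
} else {
    "Product code present, but DisplayVersion $($entry.DisplayVersion) is outside the range"
}
```

The last branch is the case described in post 9: the product code alone reports the package as present even when DisplayVersion is not the one expected.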