How to create an ePolicy Orchestrator report for the event: 1203 (On-Demand Scan Completed)
Technical Articles ID:   KB69428
Last Modified:  6/11/2019


Environment

McAfee Endpoint Security (ENS) Threat Prevention 10.x
McAfee ePolicy Orchestrator (ePO) 5.x (on-premises)
McAfee VirusScan Enterprise (VSE) 8.x

Summary

IMPORTANT: There are two other conditions that can also lead to an on-demand scan generating the event 1203:
  • When the on-demand scan is terminated unexpectedly
  • When the on-demand scan is canceled
NOTE: When an on-demand scan is canceled, an accompanying 34855 (ENS) or 1035 (VSE) event is generated.

There is no pre-existing report for on-demand scan compliance, and there are multiple ways to obtain event information from ePO. The following steps show one way to craft a custom report. In this report, compliant systems are those that have completed an on-demand scan (shown as Last Scan Completed), and noncompliant systems are those that either have not been scanned or whose scan was cancelled (shown as Not Scanned/Scan Cancelled).

If you require a change to product functionality, submit a new product idea at:

https://community.mcafee.com/t5/Enterprise-Product-Ideas/idb-p/business-ideas

The Ideas forum is accessible only to McAfee business and enterprise customers. Click Sign In and enter your McAfee ServicePortal (https://support.mcafee.com) User ID and password. If you do not yet have a McAfee ServicePortal or McAfee Community account, click Register to register for a new account on either website.

For more information about product ideas, see KB60021.

NOTE: The Ideas forum replaces the previous Product Enhancement Request system.

Solution

Use the following procedure to create a Last Scan Completed report in ePO:

  1. Enable reporting for on-demand scan events:
    1. Log on to the ePO console.
    2. (For ENS) Edit the Endpoint Security Common policy and under Client Logging, Threat Prevention events to log, set the On-Demand Scan value to All.
    3. Click Menu, Configuration, Server Settings.
    4. Select Event Filtering and click Edit.
    5. Select event 1203: On-Demand Scan complete (Info).
    6. Select event 34855: On-Demand Scan Cancelled or Stopped (Medium) (ENS) or 1035: Scan was cancelled. (Info) (VSE).
    7. Click Save.
       
  2. Create a Scan Completed and Scan Cancelled tag:
    1. Click Menu, Systems, Tag Catalog.
    2. Click New Tag.
    3. Name the tag Scan Completed and click Next.
    4. On the Criteria page, click Next without specifying any criteria.
    5. Click Next on the Evaluation page.
    6. Click Save.
    7. Click New Tag.
    8. Name the tag Scan Cancelled and click Next.
    9. On the Criteria page, click Next without specifying any criteria.
    10. Click Next on the Evaluation page.
    11. Click Save.
       
  3. Create a report that pulls all systems:
    1. Click Menu, Reporting, Queries & Reports.
    2. Click New Query.
    3. Select Managed Systems and click Next.
    4. On the Chart page, click Table, and then click Next.
    5. On the Columns page, click Next.
    6. On the Filter page, click Run.
    7. Click Save, name the report All Systems, and then click Save again.
       
  4. Create a report that pulls all 1203 events within the past seven days:
    1. Click Menu, Reporting, Queries & Reports.
    2. Click New Query.
    3. Select Events, Threat Events, and then click Next. 
    4. On the Chart page, click Table, and then click Next.
    5. Under the Computer Properties category, add the column System Name, move the column to the far-left side, and then click Next.
    6. Click Event ID and set it to Equals and 1203.
    7. Click Event Generated Time (UTC) and set it to Is within the last and 7 days.
       
      NOTE: You can change the 7-day value if on-demand scans are run more or less frequently than once every 7 days.
       
    8. Click Run.
    9. Click Save and save the report with the name Event 1203.
    10. Click Save again.
       
  5. Create a report that pulls all 34855 (ENS) or 1035 (VSE) events within the past seven days:
    1. Click Menu, Reporting, Queries & Reports.
    2. Click New Query.
    3. Select Events, Threat Events, and then click Next.
    4. On the Chart page, click Table, and then click Next.
    5. Under the Computer Properties category, add the column System Name, move the column to the far-left side, and click Next.
    6. Under the Threat Events category, click Event ID and set it to Equals and 34855 (ENS) or 1035 (VSE).
    7. Click Event Generated Time (UTC) and set it to Is within the last and 7 days.
       
      NOTE: You can change the 7-day value if on-demand scans are run more or less frequently than once every 7 days.
       
    8. Click Run.
    9. Click Save and save the report with the name Event 34855 (ENS) or Event 1035 (VSE).
    10. Click Save again.
       
  6. Create a server task that applies the Scan Completed tag:
    1. Click Menu, Automation, Server Tasks.
    2. Click New Task.
    3. Name the task Apply Scan Completed Tag and click Next.
    4. On the Actions page for the first Action, select the following:
      • Run Query
      • All Systems
      • Clear Tag
      • Scan Completed 
    5. Click the plus (+) option next to Clear Tag.
    6. Set the Sub-Action to Clear Tag.
    7. Set the tag to Scan Cancelled.
    8. Click the plus (+) option next to Run Query.
    9. On the newly added second Action, select the following:
      • Run Query
      • Event 1203
      • Apply Tag
      • Scan Completed
         
    10. Click the plus (+) option next to Run Query.
    11. On the newly added third Action, select the following:
      • Run Query
      • Event 34855 (ENS) or Event 1035 (VSE)
      • Apply Tag
      • Scan Cancelled
         
    12. Click Next.
    13. Set the task to run Weekly, at any time during the week, and then click Next.
    14. Click Save.
       
  7. Create a report that shows the systems that have completed the last on-demand scan:
    1. Click Menu, Reporting, Queries & Reports.
    2. Click New Query.
    3. Select System Management, Managed Systems, and then click Next.
    4. On the Chart page, click Boolean Pie Chart, and then click Configure Criteria.
    5. Under the Managed Systems category, add the property Tags, set Comparison to Has tag and Value to Scan Completed.
    6. Click the plus (+) to add a new and/or line.
    7. Set Comparison to Does not have tag and Value to Scan Cancelled.
    8. Click OK.
    9. Set the Label for matching slice to Last Scan Completed.
    10. Set the Label for non-matching slice to Not Scanned/Scan Cancelled.
    11. Click Next.
    12. Add the following columns and any other required columns, and click Next:
      • Last Communication
      • Tags
         
    13. Click Save and save the report as Last Scan Completed.
    14. Click Save again.
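The server task in step 6 and the pie chart criteria in step 7 together implement a small classification rule: clear both tags, tag every system with a 1203 event in the window as Scan Completed, tag every system with a 34855/1035 event in the window as Scan Cancelled, and count only systems that carry the first tag and not the second as compliant. The following Python script is an added example, not part of this article or of any McAfee product, that reproduces that rule over a constructed set of threat events so the edge cases from the Summary can be checked: a cancelled scan raises 1203 as well as 34855/1035 and must still count as noncompliant, a 1203 event older than the window must not count, and a system with no events at all is noncompliant. The system names, timestamps and the seven-day window are constructed sample values; the event IDs are the ones the article uses.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Event IDs from the article.
ODS_COMPLETED = 1203        # On-Demand Scan Completed (also raised when a scan is cancelled or terminated)
ODS_CANCELLED_ENS = 34855   # ENS: On-Demand Scan Cancelled or Stopped
ODS_CANCELLED_VSE = 1035    # VSE: Scan was cancelled
CANCEL_EVENTS = {ODS_CANCELLED_ENS, ODS_CANCELLED_VSE}


@dataclass(frozen=True)
class ThreatEvent:
    """One row of the ePO Threat Events query: System Name, Event ID, Event Generated Time (UTC)."""
    system_name: str
    event_id: int
    generated_utc: datetime


def apply_scan_tags(all_systems, events, now, window_days=7):
    """Mirror the 'Apply Scan Completed Tag' server task.

    Action 1 clears both tags on every system returned by the All Systems query,
    action 2 applies Scan Completed to systems with a 1203 event in the window,
    action 3 applies Scan Cancelled to systems with a 34855/1035 event in the window.
    Returns a mapping of system name to the set of tags it ends up with.
    """
    cutoff = now - timedelta(days=window_days)
    tags = {system: set() for system in all_systems}  # action 1: both tags cleared
    for ev in events:
        # Events outside "Is within the last N days" or from systems not in
        # the All Systems result are ignored, as the queries would ignore them.
        if ev.generated_utc < cutoff or ev.system_name not in tags:
            continue
        if ev.event_id == ODS_COMPLETED:
            tags[ev.system_name].add("Scan Completed")  # action 2
        elif ev.event_id in CANCEL_EVENTS:
            tags[ev.system_name].add("Scan Cancelled")  # action 3
    return tags


def last_scan_completed_report(tags):
    """Mirror the Boolean Pie Chart criteria: Has tag 'Scan Completed' and
    Does not have tag 'Scan Cancelled'. Returns the two labelled slices."""
    matching, non_matching = [], []
    for system, system_tags in sorted(tags.items()):
        if "Scan Completed" in system_tags and "Scan Cancelled" not in system_tags:
            matching.append(system)
        else:
            non_matching.append(system)
    return {"Last Scan Completed": matching, "Not Scanned/Scan Cancelled": non_matching}


# Constructed sample data (hypothetical host names and times, not from any real ePO server).
NOW = datetime(2019, 6, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE_SYSTEMS = ["WS01", "WS02", "WS03", "WS04", "SRV01"]
SAMPLE_EVENTS = [
    ThreatEvent("WS01", 1203, NOW - timedelta(days=2)),       # clean completion -> compliant
    ThreatEvent("WS02", 34855, NOW - timedelta(days=3)),      # ENS cancel ...
    ThreatEvent("WS02", 1203, NOW - timedelta(days=3)),       # ... which also raises 1203
    ThreatEvent("WS03", 1203, NOW - timedelta(days=10)),      # completion outside the 7-day window
    ThreatEvent("SRV01", 1035, NOW - timedelta(days=1)),      # VSE cancel ...
    ThreatEvent("SRV01", 1203, NOW - timedelta(days=1)),      # ... which also raises 1203
    ThreatEvent("LAPTOP99", 1203, NOW - timedelta(days=1)),   # not in the All Systems query
    # WS04 has no events at all -> Not Scanned
]


def demo():
    """Run the sample data through both steps and return the report slices."""
    return last_scan_completed_report(apply_scan_tags(SAMPLE_SYSTEMS, SAMPLE_EVENTS, NOW))


if __name__ == "__main__":
    for label, systems in demo().items():
        print(f"{label}: {', '.join(systems) or '(none)'}")
```

Running the script reports WS01 as Last Scan Completed and SRV01, WS02, WS03 and WS04 as Not Scanned/Scan Cancelled. One property of the tag design worth knowing when reading the real report: the server task does not order events, so a system that had a scan cancelled and then a later successful scan inside the same window carries both tags and is counted as noncompliant until the cancellation ages out of the window.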
