Knowledge Center

How to Query for the status of your real-time (On-Access) scanner
Technical Articles ID:   KB77262
Last Modified:  7/23/2015


McAfee ePolicy Orchestrator 4.x
McAfee VirusScan Enterprise 8.7i, 8.8


VirusScan Enterprise (VSE) provides information to the ePolicy Orchestrator (ePO) database that represents the status of the real-time scanner. This information is considered near live, which means it depends on how long it has been since the data was collected from the client. This could be "very recent" if a property collection was just forced to occur on the system.

The following questions will be addressed in this article:
  • How do I determine whether VirusScan is actually scanning for viruses?
  • In lieu of using the Eicar test file virus, how do I know the scanner is working?


A report to display this information is planned to be added into the VSE reporting extension in a future release.

As a temporary measure, implement the workaround shown below. 


Run the following query to list the systems that have the on-access scanner (OAS) enabled:

NOTE: The following information is applicable to VSE 8.8 Patch 1, 2, and 3.
  1. Ensure that Hotfix 820636 has been deployed to the environment. See KB77043 for details on Hotfix 820636.
    NOTE: This hotfix improves the reliability of the information being returned by client systems to ePO.
  2. Use the following SQL query:
    NOTE: When you enter the database name for the USE command, do not include the < > signs. Example: USE [ePO4_ePOtestserver].

    USE [<database name>]

       [EPOLeafNode].[NodeName] AS ServerName, 
       CASE WHEN rsOASEnabled.value IS NOT NULL THEN rsOASEnabled.value ELSE 'Unknown' END AS OASEnabled
       INNER JOIN [EPOProductProperties] ON [EPOLeafNode].[AutoID] = [EPOProductProperties].[ParentID]
       LEFT JOIN [dbo].EPOProductSettings AS rsOASEnabled ON (EPOProductProperties.AutoID = rsOASEnabled.ParentID AND
                                                                                                                      rsOASEnabled.SectionName = N'On-Access General' AND
                                                                                                                      rsOASEnabled.SettingName = N'bEnabled')
       EPOProductProperties.ProductCode LIKE 'VIRUSCAN%'

    NOTE: This query will display results from both VSE 8.7 and VSE 8.8 systems. Replace the LIKE 'VIRUSCAN%' entry in the WHERE command with either one of the following to list systems for a specific version.

    LIKE ‘VIRUSCAN8800’ for VSE 8.8.
    LIKE ‘VIRUSCAN8700’ for VSE 8.7.
Output from the query above will look similar to the following:
NOTE: The 1 entry under the Enabled column means the OAS is enabled for that system.

  ServerName OASEnabled
1 SystemName1 1
2 SystemName2 1
3 SystemName3 1

Rate this document

Did this article resolve your issue?

Please provide any comments below

Glossary of Technical Terms

Highlight Glossary Terms

Please take a moment to browse our Glossary of Technical Terms.