Menu
Learning has never been so easy!
Aug 24, 2016 Click Browse to select: C:Program FilesSymantecBackup Exec Add two asterisks (.) to the path as wildcards after each path has been added. If it is enabled, the following exclusions must be added: Click Start, Programs, McAfee, VirusScan Console. Into VirusScan Enterprise. Backup programs such as Backup Exec touch a large number of. Click the Scan Items tab. Select Scan files opened for Backup. This option corresponds to a file flag that can be used when a process accesses or creates files.
How to run any command on a client connected to Intel/McAfee ePO.
In this Tutorial particular how to remotly nuke a bit-locker enabled laptop out of the sky using epo/mcafee.
In this Tutorial particular how to remotly nuke a bit-locker enabled laptop out of the sky using epo/mcafee.
Backstory: https://community.spiceworks.com/topic/1878390-lost-a-laptop
One of our Laptops gone missing, with a lot of data on it and in a 'road warrior' configuration. So it can operate for quite a while without a regularly connection to the ADS.
The only connection was a 'pull' connection from the Laptop to our anti-virus solution based on McAfee. So we tried to make any use of it.
The only connection was a 'pull' connection from the Laptop to our anti-virus solution based on McAfee. So we tried to make any use of it.
In this Tutorial we will write a script which forces a bitlocker recovery, kills the bitlocker key from the TPM and forces a reboot.
Then we will deploy this script via ePO to a client.
Then we will deploy this script via ePO to a client.
Of course you can deploy anything you want.
6 Steps total
Step 1: Create the Script
Save your script as a .cmd file.
If you want to test the script or debug it you'll have to use 'psexec -s script.cmd' because the Agent runs as 'Local System'
If you want to test the script or debug it you'll have to use 'psexec -s script.cmd' because the Agent runs as 'Local System'
The Script will run commands from 'c:windowssystem32', the %windir%Sysnative is for compatibility reasons with 32/64 systems.
First we will delete the bitlocker key from the TPM for drive c:, then we will '-forcerecovery' (just to be shure..) drive c: and then we'll reboot the system while killing all open programms.
Please make shure you'll put your code between the
@echo off
pushd '%~dp0'
@echo off
pushd '%~dp0'
and the
popd
exit /B 0
exit /B 0
This is to make sure the script runs in the right folders and returns a correct exit code.
The Script:
[code]
@echo off
pushd '%~dp0'
%windir%Sysnativemanage-bde.exe -protectors c: -delete -type TPM > %temp%kbl_tpm.txt
%windir%Sysnativemanage-bde.exe -fr c: > %temp%kbl_fr.txt
%windir%Sysnativeshutdown.exe /r /f /t 20
popd
exit /B 0
[/code]
@echo off
pushd '%~dp0'
%windir%Sysnativemanage-bde.exe -protectors c: -delete -type TPM > %temp%kbl_tpm.txt
%windir%Sysnativemanage-bde.exe -fr c: > %temp%kbl_fr.txt
%windir%Sysnativeshutdown.exe /r /f /t 20
popd
exit /B 0
[/code]
Step 2: Download the ePO Deployment Kit
Get the ePO Deployment Kit from
https://community.mcafee.com/docs/DOC-3401
https://community.mcafee.com/docs/DOC-3401
Step 3: Run the ePO Deployment Kit
Start the ePO Deployment Kit.
At first you have to configure the program and fill in a path under 'tools' -> 'options'.
Otherwise you'll encounter a lot of errors.
At first you have to configure the program and fill in a path under 'tools' -> 'options'.
Otherwise you'll encounter a lot of errors.
As you can see in the attached screenshot we'll have to fill out some Details:
'Product Name' - Has to be 8 Figures, must be unique. Choose whisly
'Product ID' - starting from 1000, must be unique company wide.
'Product Version' - For minor changes edit the last digit.
'Product Description' - Is shown in the ePO Interface
'Command to run' - The command you want to run (your script...)
...
'Product ID' - starting from 1000, must be unique company wide.
'Product Version' - For minor changes edit the last digit.
'Product Description' - Is shown in the ePO Interface
'Command to run' - The command you want to run (your script...)
...
Then click on 'Build Package' and EDK creates a .zip file in the output folder for you.
Step 4: Check in the Package
You can check in the package with the Depoyment Kit (File -> Check In Package) or with the webinterface (next step).
As you can see on the Screenshot, we'll check it in to the current path and we'll overwrite any previous versions (Product ID + Name).
As you can see on the Screenshot, we'll check it in to the current path and we'll overwrite any previous versions (Product ID + Name).
Step 5: Check in the Package (Webinterface)
go to your ePO Console, go the the Master-Repository, click on 'Check in Package'.
Then you'll have to locate your newly created package, upload it and check it in to your current path.
(Sorry only a german-version of the epo available..)
Then you'll have to locate your newly created package, upload it and check it in to your current path.
(Sorry only a german-version of the epo available..)
Step 6: Create a deployment
Go to your Deployment Center and create a new Deployment, select all the systems (groups) you want the script to run... and wait.
After the client pulls the new task (this depends on your policy..) it's blown.
After the client pulls the new task (this depends on your policy..) it's blown.
In fact it's super easy to run a command as local system if you'll have access to the ePO.
And of course this tutorial isn't the cleanest version (speaking of 'exit code', the possibility of deinstallation, etc..) but I'll think you'll get the idea behind this.
And of course this tutorial isn't the cleanest version (speaking of 'exit code', the possibility of deinstallation, etc..) but I'll think you'll get the idea behind this.
Speaking about our Lost-Laptop problem we've learned that encryption really is the key (pun intended).
References
- ePO Deployment KIT
1 Comment
- Thai PepperPeter (Action1) Feb 14, 2019 at 04:50pmAlso use free tool Action1 to remotely execute program on multiple endpoints. Similar to psexec remote command, but controlled from the Cloud.
https://www.action1.com/p/Free-Run-Application-with-Command-Line-65.html