McAfee HotFix Extension Attribute

AppleADay
New Contributor II

Hi All,

We currently have extension attributes to pull McAfee EPM and EPO version numbers. We are looking for a way to pull the HotFix version number. Has anyone come across this yet?

Thanks!

7 REPLIES

dpertschi
Valued Contributor

Yes, I picked this up off the McAfee channel on the MacAdmins Slack just last week:

#!/bin/sh

## mcafee-threat-prevention-hotfix-version-ea.sh
## version 1.0
## 
## Author: Tom Ziegmann, Intel Security Professional Services
## E-Mail: thomas.a.ziegmann@intel.com

# This script has been verified to work on McAfee Endpoint Security 10 for Mac

# Pull the text of the <Version0> element and strip spaces, tabs and line endings
AMHotfix=`cat /usr/local/McAfee/AntiMalware/var/HFSP-Version.xml | egrep "<Version0>.*</Version0>" | sed -e "s/<Version0>\(.*\)<\/Version0>/\1/" | tr -d " " | tr -d "\t" | tr -d "\n" | tr -d "\r"`

echo '<result>'$AMHotfix'</result>'

mm2270
Legendary Contributor III

We built the following Extension Attribute to capture this a long while back now. I believe this still works as of today, but I need to go back and look to be sure. We don't seem to have that many of our Macs with any current Hot Fixes for McAfee installed. If the file that stores this info isn't present, in my testing, it meant that no HFs were installed. If it's there, it captures the contents. Note that it only lists them by their HotFix designation, which is pretty much all you'd need, since there's never really a proper name for them.

Give this a try. You may need to adjust it or experiment with it a bit though.

#!/bin/sh

HFXML="/usr/local/McAfee/AntiMalware/var/HFSP-Version.xml"

if [ -e "${HFXML}" ]; then
    RESULT=$(awk -F'>|<' '/Version[0-9]/{print $3}' "${HFXML}")
    if [ ! -z "$RESULT" ]; then
        echo "<result>${RESULT}</result>"
    else
        echo "<result>None Installed</result>"
    fi
else
    echo "<result>None Installed</result>"
fi
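
Added example, not part of any post in this thread: the same lookup wrapped in a function so the EA logic can be exercised against test files before it is uploaded. It goes a little further than the two scripts above by joining several VersionN entries onto one result line and stripping CR/whitespace. The function name, the sample XML layout and the HF0000001/HF0000002 IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample XML layout and hotfix IDs below are constructed,
# not taken from a real McAfee install.

# hotfix_result FILE -> prints exactly one <result> line for a Jamf EA.
hotfix_result() {
    hfxml="$1"
    # Missing or unreadable file is reported the same way as "no hotfixes".
    if [ ! -r "$hfxml" ]; then
        echo "<result>None Installed</result>"
        return 0
    fi
    # Drop CR, tabs and spaces, then collect the text of every non-empty
    # <VersionN> element and join the values with ", ".
    list=$(tr -d '\r\t ' < "$hfxml" |
        awk -F'[<>]' '/<Version[0-9]+>/ && $3 != "" { printf "%s%s", sep, $3; sep = ", " }')
    if [ -n "$list" ]; then
        echo "<result>${list}</result>"
    else
        echo "<result>None Installed</result>"
    fi
}

# Build three constructed fixtures and print the result for each.
demo() {
    tmp=$(mktemp -d) || return 1
    # Two hotfixes, CRLF line endings, stray padding inside the element.
    printf '<?xml version="1.0"?>\r\n<HotFix>\r\n\t<Version0> HF0000001 </Version0>\r\n\t<Version1>HF0000002</Version1>\r\n</HotFix>\r\n' > "$tmp/two.xml"
    # File present but the element is empty.
    printf '<HotFix>\n<Version0></Version0>\n</HotFix>\n' > "$tmp/empty.xml"
    hotfix_result "$tmp/two.xml"
    hotfix_result "$tmp/empty.xml"
    hotfix_result "$tmp/missing.xml"   # file does not exist
    rm -rf "$tmp"
}

demo
```

In a real EA, call hotfix_result with /usr/local/McAfee/AntiMalware/var/HFSP-Version.xml in place of the demo call.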

AppleADay
New Contributor II

You guys are great! Worked perfectly!

Thanks again!

Phantom155
New Contributor

I created an EA and tried both of these scripts in it. Neither script worked for me. I am extremely new to the whole scripting thing, so I am not quite sure what I am doing wrong. The script works when I run it by itself from terminal.

mm2270
Legendary Contributor III

@Philip.kubala Standard question, but, have any of your Macs reported in with new inventory since you set up the EA(s)? Nothing gets populated in a new EA until they do a 'recon'.

Phantom155
New Contributor

I completely forgot about that... I just tried it again with both scripts and it is getting an Unknown error when I run the sudo jamf recon command from my test machine.

mm2270
Legendary Contributor III

You're getting an "unknown error" when running a sudo jamf recon? If so, that's an issue with the machine, not with the EA or script. Sounds like it needs to be re-enrolled into the Jamf console to me.