Symantec Management Platform (Notification Server)

 View Only

  • 1.  Dealing with the Host Resource Blacklist

    Posted Jul 26, 2011 08:02 AM

    SMP 7.1 SP1, running on Windows 2008 R2

    Somehow, a large percentage of our computers have been added to the Host Resource Blacklist.

    Last night, following the instructions I've found elsewhere on the site, I ran the following query against two machines

     delete from agentblacklist where guid in (select [guid] from vcomputer where [name] = 'computer name')

    replacing 'computer name' with the actual device name, and deleted one of the two from the All Computers view. As expected, the one I removed from All Computers eventually requested it's configuration and appears to have "fixed" itself while the other remained in a "broken" state, showing only the machine name and server. This morning, I deleted the other and within a few minutes it too fixed itself.

    Since I presume it will be easy enough to extend the SQL query above to just clear out all the blacklisted agents from the table, what I'm hoping someone can help me with is finding a way to search All Computers for those blacklisted machines for deletion. Is there a DataClass I can use to identify those? I've got thousands and trying to deal with them singly is pretty impractical.



  • 2.  RE: Dealing with the Host Resource Blacklist

    Posted Jul 26, 2011 08:42 AM

    And thanks to one of the folks in the IRC chatroom, I realized I was overthinking the SQL end of things.

     delete from agentblacklist

    And to confirm they're gone

     select * from agentblacklist

    That still leaves me with the All Computers list to deal with though.



  • 3.  RE: Dealing with the Host Resource Blacklist
    Best Answer

    Posted Jul 26, 2011 09:16 AM

    insert your query into the LIFESAVING (just in case Andrew is reading wink) bulk delete tool posted here: https://www-secure.symantec.com/connect/downloads/bulk-delete-resources



  • 4.  RE: Dealing with the Host Resource Blacklist

    Posted Jul 26, 2011 09:30 AM

    First of all, thanks...I can see where this tool will come in handy (I'll keep it closely guarded since it's obviously quite dangerous).

    I presume I've lost the opportunity to use it as I've already removed the machines from the agentblacklist table, but for future reference would this have removed them from the All Computers view as well?



  • 5.  RE: Dealing with the Host Resource Blacklist

    Posted Jul 26, 2011 01:04 PM

    Anyone have a query that can identify machines that have no value for Operating System as that seems to be symptomatic of the blacklisted machines?



  • 6.  RE: Dealing with the Host Resource Blacklist

    Posted Jul 26, 2011 01:05 PM

    And I presume I could have used that script before I cleared the AgentBlacklist table, Jim. I'll definitely keep it for future use (under lock and key of course, as it appears to be pretty dangerous).



  • 7.  RE: Dealing with the Host Resource Blacklist

    Posted Jul 26, 2011 01:44 PM

    I can see your comments, but they are flagged for some strange reason, so I'll answer your questions so you're not waiting around.

    1) Query for OS blank - you could use something like

    select * from vcomputer where [os name] ISNULL

    That should work for 6.x and 7.x

    2) The script should remove all traces of the guid, thereby the asset from the system, including all views, targets and filters.



  • 8.  RE: Dealing with the Host Resource Blacklist

    Posted Jul 26, 2011 01:46 PM

    Thanks, Jim. I'll definitely use that if I run into this problem again.

    For the moment though, I'll test the SELECT statement you gave me and, assuming I get the results I'm hoping for, I'll pump those into the script.