
McAfee MER Analyzer

Walkthrough Guide

COPYRIGHT
Copyright 2012 McAfee, Inc. All Rights Reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form
or by any means without the written permission of McAfee, Inc., or its suppliers or affiliate companies.
TRADEMARK ATTRIBUTIONS
AVERT, EPO, EPOLICY ORCHESTRATOR, FOUNDSTONE, GROUPSHIELD, INTRUSHIELD, LINUXSHIELD, MAX (MCAFEE SECURITYALLIANCE
EXCHANGE), MCAFEE, NETSHIELD, PORTALSHIELD, PREVENTSYS, SECURITYALLIANCE, SITEADVISOR, TOTAL PROTECTION, VIRUSSCAN,
WEBSHIELD are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the US and/or other countries. McAfee Red in
connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property
of their respective owners.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED,
WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH
TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS
THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET,
A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU
DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN
THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

McAfee MER Analyzer 2.1 Walkthrough Guide

Contents

Introducing MER Analyzer
    MER Analyzer 2.1 features
    System requirements
    Supported products and components
Installing MER Analyzer
    Installing MER Analyzer on COE systems
    Installing MER Analyzer on engineering systems
    Uninstalling MER Analyzer
Getting Started with MER Analyzer
    MER Analyzer user interface
    Loading a file
    Canceling product data parsing
    Archive MER file data views
        General view
        Configuring Global Error Search
        File Explorer view
        File Listing view
    EWS archive file data views
        General view
        Database view
        File Explorer view
    Opening supported files
    Opening unsupported files
    Filtering data
        Filtering column data
        Filtering by comparing data
    Find and Filter Text
    Searching online knowledge databases
    Updating MER Analyzer
Using MER Analyzer
    Working with Network Security Platform encrypted files (.enc)
        Filtering files based on log error category
        Exporting decrypted .enc files
        Adding new product categories to Network Security Platform online error code database
        Editing errors
        Deleting errors
        Adding new Error codes to the Network Security Platform online database
    Working with EWS files
        Configuring Real-Time Logs settings
        Configuring Error Detection settings
        EWS Dictionary Manager
    Using Rule Builder
        Creating a new rule file
        Creating a new component entry
        Importing existing component entry
        Editing a rule
        Uploading and sharing product rules
        Approving uploaded rules
    Using Rule Analyzer

Introducing MER Analyzer


MER Analyzer extracts and opens MER results archive files (MER tool files). MER Analyzer parses
the data of interest to McAfee technicians into an easy-to-read GUI format, to assist support
technicians in resolving product issues found on customer systems.
MER Analyzer supports Network Security Platform archives (.enc), Email and Web Security
archives (.zip), and other McAfee product archive files generated by the MER tool such as Host
Intrusion Prevention Shield, Common McAfee Agent, and ePolicy Orchestrator.
MER Analyzer has an intelligence framework that analyzes MER .tgz files. The framework consists
of two components:
• Rule Analyzer - Allows users to execute predefined product rules on MER .tgz files.
• Rule Builder - Enables users to create product-specific rule files that can be stored locally
  and shared with other MER Analyzer users.
This chapter provides information on the following topics:
• MER Analyzer 2.1 features
• System requirements
• Supported products and components

MER Analyzer 2.1 features


• MER Analyzer Rule Analyzer - Allows you to analyze MER .tgz files using a predefined
  set of product-specific rules.
• MER Analyzer Rule Builder - Allows you to create product-specific rule files which can
  be shared with other MER Analyzer users.
• Supports Bugzilla search - Allows you to search for keywords in Bugzilla on all the views.
• Support for Sensor M8000 trace files - Allows Log Wizard users to decrypt Sensor
  M8000 trace files.
• Supports Windows 7 COE - Allows you to install and use MER Analyzer on Microsoft
  Windows 7 COE systems.
• Support for Sensor Aid logs - Allows Log Wizard users to view Sensor Aid logs.
• Support for MOVE AV Scheduler 1.x - MER Analyzer now supports MOVE AV Scheduler
  1.x MER .tgz files.
• Support for McAfee Inventory agent 2.x - MER Analyzer now supports McAfee Inventory
  agent 2.x.

System requirements
MER Analyzer COE system prerequisites (Item - Requirements):
• Operating system
    • Microsoft Windows XP Professional Service Pack 1
    • Microsoft Windows 7 64-bit
• Microsoft Log Parser - 2.2 (Will be installed automatically as part of the COE installation
  package during MER Analyzer installation)
• Microsoft .NET Framework 2.0 Redistributable Package (x86) - (Will be installed automatically
  as part of the COE installation package during MER Analyzer installation)

MER Analyzer Engineering system prerequisites (Item - Requirements):
• Operating system
    • Microsoft Windows XP Professional Service Pack 2
    • Microsoft Windows 2003
    • Microsoft Windows 2008
    • Microsoft Windows Vista Service Pack 1
    • Microsoft Windows 7
• Microsoft Log Parser - 2.2
• Microsoft .NET Framework 2.0 Redistributable Package (x86)

Supported products and components


Refer to the KB article KB70071 (http://kb.mcafee.com/agent/index?page=content&id=KB70071)
for the list of supported products and components.

Installing MER Analyzer


MER Analyzer can be installed on both COE and engineering systems.
This chapter provides information on the following topics:
• Installing MER Analyzer on COE systems
• Installing MER Analyzer on engineering systems
• Uninstalling MER Analyzer

Installing MER Analyzer on COE systems


Use this task to install MER Analyzer on your COE systems.
Task
1 Run the following line from your Command prompt:
  //nai-corp/coeapps/ecoe/MERAnalyzer/E-MerAnalyzer21.exe
  This starts the MERAnalyzer 2.1.0 installation package on COE systems.
NOTE: EWS COE Users should install Postgres from the following location:
//nai-corp/coeapps/ECOE/MERAnalyzer/pre-requisites/E-Postgres.exe
Installing from this location overwrites any existing Postgres installation and resolves Postgres
Service failure issues.

Installing MER Analyzer on engineering systems


Use this task to install MER Analyzer on your engineering system.
Task
1 Download the MERAnalyzerSetup.msi file to a temporary location from
  //ca-server/Products/McAfeeB2B/Supportability/MERAnalyzer/Version2_1/
  NOTE: To install MER Analyzer on COE systems, run the following command from your
  command prompt:
  \\nai-corp\coeapps\ecoe\MERAnalyzer\E-MerAnalyzer21.exe
2 Double-click the MERAnalyzer.msi file. The Welcome to the MERAnalyzer Setup Wizard
  page appears.
3 Click Next. The Select Installation Folder page appears.
4 Click Next to install MERAnalyzer in the default location or click Browse to change the
  installation path.
5 In the Confirm Installation page, click Next to start the installation.
6 When the installation completes, the Installation Complete page appears. Click Close.

Uninstalling MER Analyzer


Use this task to uninstall MER Analyzer.
Task
1 Click Start | Settings | Control Panel | Add or Remove Programs.
  NOTE: To uninstall MER Analyzer from COE systems, raise an IT HelpDesk ticket.
2 Select MERAnalyzer from the programs list, then click Remove. The Add or Remove Programs
  dialog box appears.
3 Click Yes to confirm the uninstallation.

Getting Started with MER Analyzer


This chapter provides information on the following topics:
• MER Analyzer user interface
• Loading a file
• Canceling product data parsing
• Archive MER file data views
• EWS archive file data views
• Opening supported files
• Opening unsupported files
• Filtering data
• Find and Filter Text
• Searching online knowledge databases
• Updating MER Analyzer

MER Analyzer user interface


To launch the MER Analyzer user interface, click Start | Programs | McAfee | MERAnalyzer
| MERAnalyzer.

From the left pane of the user interface, you can navigate to different data views of the archive
files. The right pane of the user interface displays the parsed data from the archive files.

Loading a file
To open an archive file using MER Analyzer, in the user interface click File | Open. Browse for
the required file, then click Open.

Canceling product data parsing


To load MER files quickly, right-click the product data, then click Cancel Loading. This stops
loading unnecessary data files.

Archive MER file data views


MER Analyzer supports three types of data views for archive MER files:
• General view - Provides an overview of the MER file.
• File Explorer view - Displays the list of files in the MER (.tgz) file in explorer view.
  Double-click the file to view details in the file.
• File Listing view - Lists the files in the MER (.tgz) file.


General view
General view of the archive MER file provides an overview of system details and details of the
McAfee products installed on the system on which the MER tool was run.
NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark
log files.
MER Analyzer displays the last MVT Execution ID in the MER Result section. Click this link
to open the eReports website, where details of the last MVT Execution ID are displayed.

General details (Item - Description):
• System Information - Displays the system details including:
    • OS Information - Displays the operating system name, version, and language.
    • IE information - Displays the Microsoft Internet Explorer version, build, and language.
    • Hardware Information - Displays the hardware specification such as processor, memory,
      and IP address of the system.
  Under System Information, double-click the MSinfo.nfo file to display detailed information
  of the system.
• Processes - Displays all the running processes logged in the MSinfo.nfo.
• Services - Displays all the McAfee, Microsoft, and other services running on the system.
• Registry - Displays the registry details of the system.
• Event Logs - Displays application, security, and system log details such as type, source,
  user, and description generated on the system.
  NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to
  bookmark log files.
• Global Error Search - Displays the errors extracted from the archive file in the result.
  Click the error to display errors within the context of the log.
  You can customize the Global Error Search by configuring the search settings.
• DrWatson Logs - Displays a list of Dr.Watson log files. Double-click the log file to view
  details. Dr. Watson logs collected on non-English systems can be viewed in the following
  localized languages:
    • German
    • French
    • Italian
    • Spanish
    • Japanese
    • Korean
    • Chinese Simplified and Traditional
    • Dutch
    • Swedish
    • Portuguese - Brazilian
• Drivers - Displays all system and digitally signed software drivers.
  System and Signed drivers are categorized as:
    • McAfee System/Signed drivers
    • System/Signed drivers (All non-McAfee drivers)
• File List - Lists all the files in the MER file.
• MER Activity Log - Lists all the activities logged during creation of the MER file.
• MER Statistics - Lists the statistics associated with the creation of the MER.
• MER Results - Displays the general customer case information, MER settings, and the products
  selected during the creation of the MER file.

Product details
To search for specific defined terms in the product logs, click Products on the MER Explorer,
define the error and warning search terms, then click Search.
NOTE: Use Add to Bookmarks to bookmark log files. Wildcard characters can be used to bookmark
log files.

Product details (Item - Description):
• Processes - Displays all processes associated with the product.
  If the process was running when the results were collected, complete process
  information will be displayed. If the process was stopped, there will be limited
  information.
• Registry - Displays key product registry information.
• Logs - Displays all logs associated with the product. Double-click the log file to view
  details.
• DrWatson Crashes - Displays all Dr Watson crashes associated with the product.
• Errors - Displays all errors extracted from the product log files. Click the error to display
  errors within the context of the log.
• Warnings - Displays all warnings extracted from the product log files. Click the warning
  to display errors within the context of the log.
  Double-click to open the log file which contains the warning.

Configuring Global Error Search


Use this task to configure Global Error Search options for archive MER files.
Task
1 Open a .tgz file, then click Global Error Search on the left pane. The Global Error
  Search page appears on the right pane.
2 Click the Search Options tab. On the Search Options dialog box, configure the search options
  as required (Tab - Description):
    • File Types - Specify the file types that will be searched for the terms specified in
      the Error and Warning Search tabs.
      Use Perform Global/Product search when loading a file to
      search after a MER file is extracted and is being parsed.
      Use the Perform second column E check option to search McAfee
      Agent log files.
    • Error Search Term - Specify the terms that will be identified as errors when searching log
      files.
    • Warning Search Term - Specify the terms that will be identified as warnings when searching
      log files.
3 Click Search after configuring all the tabs. The search result is displayed in the Results tab.

File Explorer view


File Explorer view lists all the files in the archive MER file in explorer view. This view supports
file filtering based on their type.


File Listing view


File Listing view lists all the files in the archive MER file. This view supports file filtering based
on their name, type, size, modified date, modified time, and relative path.

EWS archive file data views


MER Analyzer supports three types of data views for EWS files:
• General view - Provides an overview of the EWS system information and other related
  details.
• Database view - Queries the EWS PostgreSQL database.
• File Explorer view - Displays the list of files in the EWS archive file (.zip) in explorer view.
  Double-click the file to view details.

General view

Item - Description:
• System Reports - Displays the system details such as system information, network details,
  process details, certificate details, and patches/hotfixes installed.
• Real-Time Logs - Displays the real-time log properties extracted from the archive file in the
  result.
• Error Detection - Displays the errors extracted from the specified log file in the result. These
  logs can be added to Reports.
• Global Search Error - Displays the errors extracted from the archive file in the result. Click
  the error to display errors within the context of the log.
  You can customize the Global Error Search by configuring the search settings.
• Escalation Checklist - Displays information required during the escalation process. Each
  checklist contains generic and product-specific information.

Database view
Item - Description:
• System - Queries EWS database for system parameters, including:
    • User and User Interface
    • Hardware and Resources
    • Updates
    • Network
• Web Reports - Queries EWS database for web report parameters, including:
    • HTTP/ICAP/FTP
    • Web Detection
• Email - Queries EWS database for email parameters, including:
    • SMTP
    • Transport.log
    • Email Detection
• Protocol - Queries EWS database for protocol parameters, including:
    • Conversation
    • Protocol Events
• DLP - Queries EWS database for DLP Detection parameters.
• Web Detection - Queries EWS database for web detection parameters, including:
    • Viruses/PuPs-Web
    • Filtered URL-Web
    • Content-Web
• Email Detection - Queries EWS database for email detection parameters, including:
    • Viruses/PuPs-Web
    • Content
    • Spam
    • Sender Authentication
• Mail - Queries EWS database for mail parameters, including:
    • Record
    • Priority Domain
    • Domain Status
    • Domain
    • Delivery Strategy

File Explorer view


File Explorer view lists all the files in the archive MER file in explorer view. This view supports
file filtering based on their type.

Opening supported files


MER Analyzer supports the following default file views:
• Dr.Watson log - Displays in Dr.Watson view
• *.Log - Displays in list view with filters
• *.Csv - Displays in list view with filters
• *.txt - Displays in text view with filters
• *.xml - Displays in xml view
Double-click the file to view details.

Opening unsupported files


To open an unsupported file, select the supported program in the Open With dialog box when
prompted.

Filtering data
Use the filter options to filter unwanted data in the log files. You can select the filter type from
the drop-down menu.

Filtering column data


You can filter the log file details displayed in columns in the right pane of the user interface.
The filtering options include:
• Filter Data As - Use this option to select the data type in the column. The data types
  supported include string, number, and date.
• Clear Filter - Clears the filter text.
• Ignore Case - Ignores the case of the data while filtering.
To filter unwanted log details, click , then select the filter type and type the required data.
The log details which match the filter data appear on the right pane of the user interface.
Example: If you type McAfee, only the data which contain the term McAfee in the selected
column will be displayed.


Filtering by comparing data


You can use the comparison types to filter data in the log file.
The supported comparison types include less than (<), less than or equal to (<=), greater
than (>), greater than or equal to (>=), or not (!).
To filter log details using comparison types, click , then select the filter type and type the
required data with the comparison type. The log details which match the filter data appear on
the right pane of the user interface.
Example: To filter dates greater than or equal to 10/10/2006
Set Filter Data As to Date, then type >=20/10/2006.

Find and Filter Text


The Find and Filter Text option allows you to search and filter data in the MER Analyzer
supported files. It also allows you to create and delete custom filters.

To find and filter data in the log files:
1 Click Find Filter Text on the right pane of the user interface. The Find Filter Text dialog
  box appears.
2 Type the data, then click Search or Filter as required.

To save a filter, configure the filter options as required, then click Save Filter.
To delete a filter, click Delete Filter.

Searching online knowledge databases


MER Analyzer uses these online knowledge databases to search terms in the files:
• http://kb.mcafee.com
• http://www.processlibrary.com
• http://eventid.net
• http://www.goggle.com
• https://bugzilla.corp.nai.org
To search terms in an online database, right-click a value, then select Select Cell. Right-click the
selected value, then select the required database.

Updating MER Analyzer


MER Analyzer updates automatically on start up. It also checks for updates regularly (by default
hourly) when MER Analyzer is running.
To update MER Analyzer manually, click Help | Check for updates.


Using MER Analyzer


This chapter provides information on the following topics:
• Working with Network Security Platform encrypted files (.enc)
• Working with EWS files
• Using Rule Builder

Working with Network Security Platform encrypted files (.enc)


The MER Analyzer Log Wizard parses the following Network Security Platform log files:
• Ems.log
• EMSout.log
• Sensor.log
• Sensor.dbg
• Encrypted .enc files
• aid_*.log
NOTE: Sensor.log, aid_*.log, and Sensor.dbg files are included in the .enc files.


Filtering files based on log error category


Errors are categorized as Error, Audit, or Info. You can filter the log file details displayed in
columns based on log error category, including:
• All
• Error
• Info
• Audit
To filter log details, select the log error category from the Select Category to Display
drop-down menu.

Exporting decrypted .enc files


Log Wizard can export decrypted trace files.
To export the decrypted .enc file, right-click Log Wizard on the MER Explorer, then select
Export All. Specify the required location, then click OK.

Adding new product categories to Network Security Platform online error code database


Use this task to add new product categories to the Network Security Platform online error code
database.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard | LogWizard New Category.
3 The ProductName is Network Security Platform by default. Type the new category
  name, then click Add.

Editing errors
You can also edit the details of specific errors from LogWizard in WebMER.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard, then click the required code to edit. The LogWizard Item page appears
  with the code details.
3 Edit the code as required, then click Update.

Deleting errors
Use this task to delete errors from LogWizard in WebMER.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard, then click Delete on the required code row and confirm deletion.

Adding new Error codes to the Network Security Platform online database


Use this task to add new Error codes to the Network Security Platform online database.
Task
1 Log in to the WebMER at: http://mer.mcafee.com/techsupport/.
2 Click Log Wizard | LogWizard New Item.
3 Configure the error code details as required, then click Add.

Working with EWS files


MER Analyzer supports EWS archive files (.zip). It extracts the errors and real-time log properties
from the archive file. It also supports a dictionary that is used as a database of pre-configured
errors while detecting errors in the archive file.

Configuring Real-Time Logs settings


Use this task to configure real-time properties chart settings.
Task
1 Start MER Analyzer, then open the EWS archive file (.zip).
2 On the General tab, click Real-Time Logs. The Real-Time Properties Chart window appears
  in the right pane.
3 Click Properties. The Property Selection dialog box appears.
4 Select the required real-time property(s), then click Add Selected Item(s) | Done.
5 Select the Date Range for which you want to generate the real-time properties chart, then
  click Start to view the real-time properties chart.

Configuring Error Detection settings


Use this task to configure error detection settings.
Task
1 Start MER Analyzer, then open the EWS archive file (.zip).
2 On the General tab, click Error Detection. The Error Detection Settings window appears
  in the right pane.
3 Select the date range for which you want to generate the error detection result.
4 Click Edit. The Select Terms dialog box appears.
5 Add the term(s), then click Done.
6 Select the log file category and click
7 Click Start to view the error detection result.

EWS Dictionary Manager


MER Analyzer supports EWS Dictionary Manager, which is used as a database of pre-configured
errors while detecting errors in the archive file.
To add error logs to the dictionary:
1 Click Edit | Preferences | EWS Dictionary. The Dictionary Manager appears.
2 Click Add Item, then configure the necessary details.
3 Click OK.

To delete an error log from the dictionary, select the error message, then click Delete Item
and confirm deletion.

Using Rule Builder


To launch Rule Builder, click Tools | Rule Building and Catalog.... You can create a new
rule or open an existing rule; administrators can also approve uploaded rule files.
McAfee Customer Support users should add their WebMER credentials in Edit | Preferences
| WebMER login details to:
Mark rules for an internal McAfee audience only
Upload rules for sharing


Download rules intended for an internal McAfee audience only
Approve rules submitted for sharing (Administrators only)

Creating a new rule file


Use this task to create and configure a new rule file.
Task
1 Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.
2 Select Create new rule file, then click Next.
3 Select a Product Name and a Product Version.
NOTE: The Rule Builder doesn't list the McAfee products and versions for which rules have
been created.
4 Type a valid KB Link, add any Suggestions, then select a Security Level for the Rule.
NOTE: Rules marked Internal can only be viewed by McAfee users and External rules
can be viewed by all users.
5 Click Next. The Rule view appears.
6 On the Components tab, right-click a component, then add or import component entries.
NOTE: Refer to Creating a new component entry and Importing existing component entry
for more details.


7 On the Rule tab, the rules are grouped in categories. Right-click the product name, then
select Create Category. The New Category window appears.
8 Type a category name, then click Add Category. The category appears in the Rule tab.
9 To add rules to the category, right-click the category, then select Create Rule. The
Rule Builder window appears.
10 Type a name for the rule and other rule information, then click Add Rule. The Rule Builder
Add Criteria dialog box appears.
11 To add criteria to the rule, select a criterion from the list, then click the logical operation in
the Expression Builder. The list of logical criteria for the rule appears in the Expression
Builder.
12 Click Add Criteria to add the new rule. The new rule now appears on the Rule tab of
Rule view.

Creating a new component entry


MERAnalyzer supports six types of components: Registry, File, Event, Process, Service,
and Driver. Use this task to create a new component entry.
Task
1 In the Components tab of the Rule view, right-click a component type, then select
Create Entry. The new entry window appears.
2 Type the Operation details and other required component details, then click Create.

Importing existing component entry


MERAnalyzer supports six types of components: Registry, File, Event, Process, Service,
and Driver. You can import these component entries from the local machine, an existing rule
file, or a .TGZ file.
Use this task to import an existing component entry.
Task
1 To import component entries from the local machine, right-click a component type, then
select Machine.
When importing component entries for a file from the local machine, on the Select the
File Options window, browse for the file, then add the text you want to search the file for.
NOTE: You can also select text and right-click to add it as search criteria.
When importing component entries for an event from the local machine, select the
Windows Event to add as criteria, then select the description text to search.
2 To import component entries from an existing rule file, right-click a component type,
then select Rule File. The Rule Builder appears.
   a Select the Product name and Product version, then click Next. The list of component
   entries appears.
   b Select the components from the list, then click Add. The component entries appear on
   the Components tab of Rule view.


3 To import component entries from a .TGZ file, right-click a component type, then select
MER file.


   a Browse for a .TGZ file on the local machine.
   b Select the component entries, then click Add.

Editing a rule
Once a rule has been created it is added to the Rule view. The rule can be edited using the
Basic tab. Use this task to edit an existing rule.
Task
1 Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.
2 Select Open rule file, then click Next.
3 Select a Product Name and a Product Version, then click Next. The rule for the selected
product and version appears on the Rule view.
NOTE: The Product Name and Product Version fields contain all versions for all McAfee
products for which rules have not previously been created.
4 On the Basic tab, edit the required details, then click Save All.
NOTE: A more detailed explanation is available in the Detail tab.

Uploading and sharing product rules


Uploader privileges are required to upload a rule. Contact DL Supportability MER if you require
Uploader rights. Use this task to upload and share product rules.
Task
1 Open the rule file you want to upload.
2 Click Upload. The User Credentials window appears.
3 Type the email address and WebMER password, then click Login. Once the user is
authenticated with the server, the Rule Upload window appears.
4 Select the rules to upload, then click Upload Rules. Before the rules are available to other
MERAnalyzer users, the uploaded rules should be approved by the administrator.

Approving uploaded rules


Administrator privileges are required to approve an uploaded rule. Contact DL Supportability
MER if you require Rule Administrator rights.
Rules uploaded by administrators are automatically approved and shared with other users.
Use this task to approve or reject uploaded rules.
Task
1 Click Tools | Rule building and Catalog. The Rule Builder and Catalog wizard appears.
2 Select Approve Rules, then click Next. The User Credentials window appears.
3 Type the email address and WebMER administrator password, then click Login. The
Requests submitted for review window appears.


4 In the Approve/Reject column, select Approved or Rejected, then click Submit. The
approved rules are now available to other MERAnalyzer users.

Using Rule Analyzer


To put the rules into operation, the user needs to run the Rule Analyzer engine. To open the
Rule Analyzer, click Rule Analysis in the MER Analyzer tree.
The Analyzer Task bar provides the following options:
Analyze: Use this to run the Rule engine.
Analyze Options: Use this to refine the rules.
View report: Use this to select errors only or the full report.
Save: Use this to save the report in .htm format.
