bec3
Level 9
Message 1 of 11

McAfee ATD notification


Dears,

Is there a way to send a notification email when ATD finds a malicious file?


10 Replies
Reliable Contributor d_aloy
Message 2 of 11

Re: McAfee ATD notification


Hi bec3

Nope - you can't configure or send email notifications from ATD. You could however syslog the analysis results out to a SIEM/syslog server and configure email notifications there.

Regards

David

bec3
Level 9
Message 3 of 11

Re: McAfee ATD notification


Thanks David for the quick response,

Okay, what about TIE? Can we send a notification from TIE when a bad reputation is found?

Reliable Contributor d_aloy
Message 4 of 11

Re: McAfee ATD notification


No worries bec3

For TIE, I'm not 100 % sure...

I could check the product guide to confirm it, but since TIE is fully integrated with ePO, I'm pretty sure you can email out notifications for specific TIE events from ePO.

Regards

David

Reliable Contributor bretzeli
Message 5 of 11 (Accepted Solution)

Re: McAfee ATD notification


Hello,

a) ATD: Sadly no, you CAN only send a THREAT alert with absolutely no info you can USE from reports OR automatic answer. There is INFO under: ATD Event Log Information of the THREAT in ePO, but you simply can't use it in standard reports. Maybe possible if you use the ePO API or go directly to the SQL tables.

b) Sending E-Mail from ATD: We are sadly disappointed that they were unable to INTEGRATE that into release 4.0. There has been a MCAFEE IDEA posted by several people for that. They have the E-Mail/SMTP module, so sending an E-Mail should not be a problem. It's three lines of code anyway, so why not? BUT maybe if you buy such a XX-Dollar thing they think you have a SIEM (Splunk) or large syslog servers in place with reporting etc.

c) TIE: Yes, for TIE you can send such an E-mail. Play around with an EVENT (Threat) you see in ePO and try to build an Automatic Response.

Here is a sample from ENS 10.5 and TIE. We send an alert when something is blocked.

Info we get BACK from ATD to EPO sample:

woody188
Level 10
Message 6 of 11

Re: McAfee ATD notification


This is highly disappointing. So the information is there but you'll need a SIEM to get at it. Just great.

Reliable Contributor d_aloy
Message 7 of 11

Re: McAfee ATD notification


Maybe another option would be to use the ATD API and script a scheduled check that will trigger an email out based on the threat level of the file inspected? And maybe even add some of the report details... But I haven't used the ATD API, so I'm not sure how much you could pull that way and automate the email notification.

Regards

David
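As an added example (not code from this thread, from McAfee, or from ATD itself), this is the receiving-side half of what David suggests in messages 2 and 7: take ATD events that have been forwarded over syslog, keep only unhandled detections, and build the e-mail that ATD cannot send on its own. The key="value" line layout, the severity field, the SMTP host and the addresses are constructed assumptions; only the field names (threat_name, threat category, threat handled) come from the thread.

```python
import re
import smtplib
from email.message import EmailMessage

# Constructed sample of ATD events forwarded over syslog (not real ATD output;
# check the field layout against your own ATD/ePO syslog before relying on it).
SAMPLE_LOG = """\
<14>Mar 01 10:02:11 atd-01 ATD: threat_name="atd_detected_threat" threat_category="malware" threat_handled="no" severity="5" file="invoice.exe"
<14>Mar 01 10:02:40 atd-01 ATD: threat_name="clean_sample" threat_category="none" threat_handled="n/a" severity="0" file="report.pdf"
<14>Mar 01 10:03:05 atd-01 ATD: threat_name="atd_detected_threat" threat_category="malware" threat_handled="yes" severity="4" file="setup.msi"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line: str) -> dict:
    """Extract the key="value" pairs from one forwarded syslog line."""
    return dict(KV_RE.findall(line))

def needs_alert(event: dict, min_severity: int = 3) -> bool:
    """Alert only on ATD detections that nothing downstream has handled."""
    return (event.get("threat_name") == "atd_detected_threat"
            and event.get("threat_handled", "").lower() == "no"
            and int(event.get("severity", "0")) >= min_severity)

def select_alerts(log_text: str, min_severity: int = 3) -> list:
    """Return the parsed events in log_text that warrant a notification."""
    events = (parse_event(ln) for ln in log_text.splitlines() if ln.strip())
    return [e for e in events if needs_alert(e, min_severity)]

def build_mail(event: dict, sender: str, recipient: str) -> EmailMessage:
    """Build the notification e-mail for one event (addresses are hypothetical)."""
    msg = EmailMessage()
    msg["Subject"] = f"[ATD] unhandled {event['threat_category']}: {event.get('file', '?')}"
    msg["From"], msg["To"] = sender, recipient
    msg.set_content("\n".join(f"{k}: {v}" for k, v in sorted(event.items())))
    return msg

def notify(log_text: str, smtp_host: str = "smtp.example.invalid",
           dry_run: bool = True) -> int:
    """Send one mail per alert-worthy event; with dry_run only count them."""
    mails = [build_mail(e, "atd-alerts@example.invalid", "soc@example.invalid")
             for e in select_alerts(log_text)]
    if not dry_run:  # the SMTP relay must be reachable for a real send
        with smtplib.SMTP(smtp_host) as smtp:
            for m in mails:
                smtp.send_message(m)
    return len(mails)
```

Run against the constructed sample, only the first line produces a mail: the clean sample never matches, and the third detection is already handled.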

woody188
Level 10
Message 8 of 11

Re: McAfee ATD notification


Appreciate it, but we're moving forward with a SIEM product anyhow.

Re: McAfee ATD notification


Could you please help me to understand this issue? What is this threat message about?

Re: McAfee ATD notification


So could anyone explain what the cause of this event is, where threat_name is "atd_detected_threat", Threat Category is "malware" and threat handled is "no"?

Signature ID: 357-36725, Normalize ID: 1344274432, Event ID: 110537401683

Is it a real threat or an issue of ePO/ATD?

What is this issue exactly ?
