Has anybody somehow solved how to get results on the server after running Stinger on the endpoint?
We have Solidcore installed on the endpoints, and we can manage the clients with the ePO server. But before we enable the Solidcore feature, we would like to be sure that the endpoint is not infected. So we started to run Stinger via "Run Client Task", but we get no real result from its run. I can see that the task completed successfully, and I can check the result HTML on the endpoint (with the --reportpath command line switch), but it is not easy to log in to the endpoints one by one. It would be much easier if I could create a report about non-infected machines in order to enable Solidcore....
Thanks in advance.
If only an AV product is installed, there can always be malicious files on it. Additionally, there can be several files which are unknown to any AV vendor.
After installing Solidcore, any executable code is "whitelisted"; this means the file can be started. If it is unknown to McAfee, you can use any available tool; you will not see any threat event.
If there is malware, the file can be started, but the PE is not able to install anything else, nor is generated code allowed to run. Also, your memory is protected.
At this time it is useful to activate the server tasks to check the file inventory in Solidcore against the GTI cloud. If there is any known malicious file, you will see a threat event.
My recommendation, if you do not know the state of your endpoints:
- Configure Solidcore running in Observation Mode.
- Run On-Demand Scans in regular time frames.
- Compare the file inventory with McAfee GTI (server tasks).
- Create a query to figure out any client which reports no threat event over a specific time.
- Based on the result TAG, you can activate a Solidcore task to switch from Observation Mode to Enabled Mode.
- Check your threat events to see if any malicious files are reported, then block and remove them.
Perhaps you may take a look at Threat Intelligence Exchange (TIE). TIE is able to deliver an event to you if unknown code is executed on your endpoint.
Thank you, Troja!
I will follow your recommendations.
I am trying to figure out how I can make a TAG based on a query (I'm a new ePO user) to activate Enabled Mode. It does not sound easy.
Tagging is easy.
- Define a Query "Events -> Threat Events" and choose Table as the output.
- Use the filters to define your query in detail...
Define a Server Task in this way:
- Action: Run Query
- Sub-Action: Tag Systems
This should work, and you can check the TAG to see how many systems have the TAG assigned.