AnnaH
Level 7
Message 1 of 3

Blocking Indicators of compromise (IOC)

Hello McAfee Team,

I have a question: how do I add an IOC hash to the environment? (Add hash values to the block list)

1. How long will it take for the hash to be recognized?

2. How do I create an alert for it, if such a hash appears but McAfee blocks it anyway?

3. Can I block a URL with McAfee?

4. Is it possible to scan the whole environment for such a hash?

I am thinking of a case where, at night, there is a hash that needs to be blocked because antivirus products still allow it / don't recognize it.

Many thanks!

I have the full enterprise product with admin rights
Update 11

 

1 Solution

Accepted Solutions
harshgautam
McAfee Employee
Message 2 of 3

Re: Blocking Indicators of compromise (IOC)

Hi @AnnaH,

 

Thank you for reaching out to us over the Community channel. To answer your queries: yes, it is possible in McAfee Endpoint Security to block an MD5 hash through an Access Protection rule. However, there will be an impact on performance. If you have received a list of hash values/advisory/URLs, kindly log a case and our Malware Team can share the coverage details. This will provide coverage and will also not impact your system performance.

  1. How to add IOC hash to the environment? (Add hash values to the block list) - I am adding the document on how to block the hash through AP (Access Protection). However, I would still advise you to log a Service Request and get the coverage details.
  2. How long will it take for the hash to be recognized? Once you add the hash through the AP rule and the policy is applied to the system, it will be instantaneous. Application of the policy will take max 60 mins if the system is communicating to ePO.
  3. How to create alert for it - if such a hash will appear but McAfee will block it anyway? You can refer to the threat event log or schedule a report through ePO.
    Report name: Endpoint Security Threat Prevention: Detection Response Summary

  4. Can I block URL by McAfee? To block URLs, you are advised to reach out to your organization's NOC team, so that they can block the URLs there.
    However, if you use McAfee ENS Web Control, you can still block the URLs, but the recommended mode will be through your NOC team.

  5. It is possible to scan whole environment for such a hash? When you have blocked the hash through the AP rule, in case these hash files are detected in the environment, you will see the details under threat events for Access Protection.

     

    Was my reply helpful?

    If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!
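
The reply above says blocked hashes appear in the Access Protection threat events. As a complement to that, the following added example (not part of the thread and not McAfee tooling) shows a per-host, on-demand sweep that lists files already on disk whose MD5 matches an advisory list. The function names are hypothetical and the sample files and advisory lines are constructed for the demo.

```python
import hashlib
import os
import tempfile

def md5_of_file(path, chunk_size=1024 * 1024):
    # Stream in chunks so large binaries are never loaded into memory at once.
    digest = hashlib.md5()  # MD5 because that is the hash type the thread's rule uses
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize_iocs(raw_lines):
    """Parse advisory-style lines: drop comments/blanks, lowercase, keep valid MD5s only."""
    iocs = set()
    for line in raw_lines:
        value = line.split("#", 1)[0].strip().lower()
        if len(value) == 32 and all(c in "0123456789abcdef" for c in value):
            iocs.add(value)
    return iocs

def sweep(root, iocs):
    """Return (matches, unreadable): (path, md5) pairs that hit, and paths that were skipped."""
    matches, unreadable = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks and special files
            try:
                file_md5 = md5_of_file(path)
            except OSError:
                unreadable.append(path)  # locked or permission-denied: report, don't abort
                continue
            if file_md5 in iocs:
                matches.append((path, file_md5))
    return sorted(matches), sorted(unreadable)

def demo():
    """Constructed data: one file whose hash is on the advisory list, one that is not."""
    payload = b"constructed sample payload"
    advisory = ["# constructed advisory", hashlib.md5(payload).hexdigest().upper(), "not-a-hash"]
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("dropper.bin", payload), ("clean.txt", b"benign")):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        matches, _ = sweep(root, normalize_iocs(advisory))
        return [os.path.basename(p) for p, _ in matches]

if __name__ == "__main__":
    print(demo())
```

Files reported as unreadable were not hashed, so a clean result only covers the files the sweep could actually open.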

     

AnnaH
Level 7
Message 3 of 3

Re: Blocking Indicators of compromise (IOC)

Thank you! Great support!
