cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
LeoM
Level 7
Report Inappropriate Content
Message 1 of 2

Critical Threat Event SHA1

I am getting an alert 

Threat Name: New Startup Program Creation Threat Event ID: 123456 Certificate Name: {setOfSc_binaryCertName} Certificate SHA1: {setOfSc_binaryCertSHA1} Certificate Reputation: {setOfSc_binaryCertReputation} File Paths: HKLM\SOFTWARE\XYZ\MICROSOFT\WINDOWS\CURRENTVERSION\RUNONCE\{0912602F-4870-412E-B959-11D5284CC497}\ File SHA1s: {setOfSc_evtFileSha1} Severity: Critical

1) How do I tune down the alert on ePO 5.10?

2) Where in ePO 5.10 can I obtain the hash value for this file?

1 Reply
McAfee Employee jess_arman
McAfee Employee
Report Inappropriate Content
Message 2 of 2

Re: Critical Threat Event SHA1

@LeoM Based on the fields that are included in the alert you're highlighting, this looks like a custom generated automatic response--is this the case? 

In terms of tune down the alert, do you mean how do you change the severity rating, eliminate it being generated, or to throttle the number of times you get the event?

You could likely get the hash from the source Threat Event in your ePO. However, I can't identify for you what that may be because the Event ID listed in your example isn't real "123456". 
Based on this variable, {setOfSc_binaryCertSHA1}, it looks like Solidcore, so I would advise starting there in review of those events to locate hash information.

 

Was my reply helpful?

If this information was helpful in any way, or answered your question, will you please select "Accept as Solution" in my reply, or give kudos as appropriate, so together we can help other members?

McAfee ePO Support Center Plug-in
Check out the new McAfee ePO Support Center. Simply access the ePO Software Manager and follow the instructions in the Product Guide for the most commonly used utilities, top known issues announcements, search the knowledgebase for product documentation, and server status and statistics – all from within ePO.