Showing results for 
Show  only  | Search instead for 
Did you mean: 

False positives between QRadar and ENS

If this is in the wrong group Please forgive me, but I really don't know exactly WHERE the problem is.

So here is the setup.

I am running my clients ePO, ENS, TIE and ATD through North America, Africa, Europe and Asia.

Another firm is running SIEM, and by the looks of the e-mail, they are running QRadar as a Malware detection software, the Mail references a rule triggered SR17, and claims that my hosts are sending malware.

I have cleared the .TMP files, updated clients and agents, run full scans, gone through the threat event logs, but I have not found a single entry on the local Agent, or even on ePO stating that there might be a problem.



{{Dear Customer,

CloudSIEM Security would like to bring to your attention an offense relating to the local host sending malware, this suggests the local host is likely infected with malware and could potentially be attempting to infect other hosts on the network.

The following rule has triggered:

SR17 - Local Host Sending Malware

The rule indicates that:

A local host machine has been sending malware. This suggests that the host machine could be infected with malware and is attempting to spread to other hosts on the network. This could also indicate a potential insider threat. You may want to review the user as well as the device. Please see further triage included in the email attachment.

Our Analyst Found:

None of the IP addresses in this alert are known to be malicious, however you may want to investigate the alert further. X-Force Exchange will provide more information regarding the IP addresses involved, the link for this is in the attached triage results. The information on X-Force is updated regularly so may not match the triage exactly. If your investigation concludes that any of the IP addresses in the alert are known and valid, please let us know.

We have observed that the host (IP) tried to access some phishing URLs. These events were tracked down by "Zscaler Web Proxy @ (IP)

Kindly investigate these events and check for any suspicious activity within the network.

Kind Regards,



Has anyone else had a similar issue? Any assistance would be greatly appreciated.


#ENS ##QRadar

2 Replies
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 3

Re: False positives between QRadar and ENS

Hello , 

To begin with , you may check the Reputation of the phishing URL [] and of found malicious , you need to block the URL . 

Post that we need to check if there was any malicious file that would have got downloaded to the client machines/Server which a new variant that could potentially be a source of infection. 

Also would recommend you to connect to McAfee Technical Support with the Alerts email that you have received .



Re: False positives between QRadar and ENS

Thank you very much, I will see what can be done to get more information from the 3rd party consultants.
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community