In light of the FireEye breach, we have some network IOCs and SHA256 hashes we want to watch for with ENS, but I am not figuring out how to do that with ENS. One article talked about a hunt table, but I can't find how to make that in EPO. Another one pointed to Policy > ENS Threat Prevention > Access Protection, but it wants MD5 hashes and not SHA256. Can someone point me to the KB on how to add these to EPO?
Hi @sw41
You can use the McAfee ENS Access Protection feature to block processes using MD5.
It's best to create a ticket with McAfee and share the list of IOCs along with its reference URL/blog/advisory.
We can confirm with labs if they are already covered.
Meanwhile, if you're looking for instructions on blocking MD5 processes, please find the attached Doc file for your reference.
Thanks
Please review MVISION Insights: FireEye Red Team Tools Stolen In Cyber Attack Technical Articles ID: KB93880
Section at foot of KB
Endpoint Security - Access Protection Custom Rules: