avi_1_2_4_8
Level 7

How to get notification about AM detection?


Hi

I want to get a notification from AM when it detects a virus or malware, with the infection's details,

like the infected file, process information (image file, PID), timestamp, infection name/family, etc.

(e.g.: if I have an infected EICAR file "eicar.txt" opened in "notepad", I want to get: "c:\...\eicar.txt" was opened in "notepad.exe" (PID 1234), infection is "EICAR test string", etc.)

Is there a way to register for such notifications (on the client side), or some sort of API?

Thanks,

Avi


Accepted Solutions
epository
Level 10

Re: How to get notification about AM detection?


The Application log captures some events under Event ID 259 (source McLogEvent), but you will have to filter these as well to get what you are looking for.

For the EICAR test file, I got:

The file C:\Users\joe.smith\Desktop\eicar.txt contains the EICAR test file Test. No cleaner available, file deleted successfully. Detected using Scan engine version 5600.1067 DAT version 7619.0000

But I would think an Automated Response would be a much better way to get these reported via SNMP or an email.

If you are pressed for resources or there is no SIEM in place, maybe an Event Log subscription is the answer.

It's a bit hacky and I don't know how scalable it is. I still think ePO or a SIEM is the better answer.

Event Subscriptions

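The client-side route described in this reply (filter the Application log for McLogEvent Event ID 259, then subscribe so new events trigger an action) in working PowerShell, as an added example that is not part of the thread and not McAfee's own code. It assumes only what the reply shows: the provider name McLogEvent, Event ID 259, and the message layout of the one sample quoted above; the regex built from that sample is an assumption and should be checked against events from your own endpoints. Note that the quoted event carries the file path, detection name, action taken and engine/DAT versions, but not the opening process or its PID that the question asks for, so that field would have to come from somewhere other than this event.

```powershell
# Added example, not code from the thread or from McAfee. It assumes the
# event shape quoted in the reply above: provider "McLogEvent", Event ID 259
# in the Application log, and a message of the form
#   "The file <path> contains the <detection>. <action>. Detected using
#    Scan engine version <engine> DAT version <dat>"
# Nothing else about the event layout is known from the thread, so treat the
# regex as an assumption and verify it against real events.
# Dot-source this file so the functions live in the global scope; the
# Register-ObjectEvent action block below needs to see them.

function ConvertFrom-McLogDetection {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Message,
        [datetime] $TimeCreated = (Get-Date),
        [string] $Computer = $env:COMPUTERNAME
    )
    # Pattern derived from the single sample message in the thread (assumption).
    $pattern = 'The file (?<Path>.+?) contains the (?<Detection>.+?)\. ' +
               '(?<Action>.+?)\. Detected using Scan engine version ' +
               '(?<Engine>[\d.]+) DAT version (?<Dat>[\d.]+)'
    if ($Message -notmatch $pattern) { return $null }   # not a message we can parse
    [pscustomobject]@{
        TimeCreated = $TimeCreated
        Computer    = $Computer
        Path        = $Matches.Path
        Detection   = $Matches.Detection
        Action      = $Matches.Action
        Engine      = $Matches.Engine
        Dat         = $Matches.Dat
    }
}

# Historical pull: the ID 259 events McLogEvent has already written.
function Get-McLogDetection {
    param([int] $MaxEvents = 100)
    $filter = @{ LogName = 'Application'; ProviderName = 'McLogEvent'; Id = 259 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-McLogDetection -Message $_.Message `
                -TimeCreated $_.TimeCreated -Computer $_.MachineName
        } | Where-Object { $_ }
}

# Live client-side subscription: run a callback for each new ID 259 as it is
# written, without ePO or a SIEM. Uses the .NET EventLogWatcher that backs the
# event log, with the same provider/ID filter expressed as XPath.
function Register-McLogDetectionWatcher {
    param(
        [scriptblock] $Callback = {
            param($d)
            Write-Host ('[{0}] {1}: {2} -> {3} ({4})' -f $d.TimeCreated, $d.Computer, $d.Path, $d.Detection, $d.Action)
        }
    )
    $xpath = "*[System[Provider[@Name='McLogEvent'] and EventID=259]]"
    $query = New-Object System.Diagnostics.Eventing.Reader.EventLogQuery(
        'Application', [System.Diagnostics.Eventing.Reader.PathType]::LogName, $xpath)
    $watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher($query)
    Register-ObjectEvent -InputObject $watcher -EventName EventRecordWritten `
        -SourceIdentifier 'McLogDetection' -MessageData $Callback -Action {
            $rec = $Event.SourceEventArgs.EventRecord
            if ($null -eq $rec) { return }   # the watcher reports read errors with a null record
            $d = ConvertFrom-McLogDetection -Message $rec.FormatDescription() `
                -TimeCreated $rec.TimeCreated -Computer $rec.MachineName
            if ($d) { & $Event.MessageData $d }
        } | Out-Null
    $watcher.Enabled = $true
    # Keep the returned object; set .Enabled = $false and run
    # Unregister-Event -SourceIdentifier McLogDetection to stop.
    $watcher
}

# Offline check against the message quoted in the reply above.
$sample = 'The file C:\Users\joe.smith\Desktop\eicar.txt contains the EICAR test file Test. ' +
          'No cleaner available, file deleted successfully. ' +
          'Detected using Scan engine version 5600.1067 DAT version 7619.0000'
ConvertFrom-McLogDetection -Message $sample | Format-List
```

Run `Get-McLogDetection` to pull what is already in the log, or `$w = Register-McLogDetectionWatcher` to have each new detection handed to the callback as it arrives; replacing the default `Write-Host` callback with a `Send-MailMessage` call or a write to your own application's log gives the client-side notification the question asks about. Parsing the message text is what makes this hacky: a different product version or locale can change the wording, and the function returns `$null` rather than guessing when the pattern does not match.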
8 Replies
exbrit
Level 21

Re: How to get notification about AM detection?


What McAfee product are you using, so I can move this to that section, please?

Moderator

avi_1_2_4_8
Level 7

Re: How to get notification about AM detection?


Hi,

I'm currently working with the Endpoint Protection suite, but I want to be able to log that information in my application from other McAfee antivirus solutions as well (so the most common solution is the most preferred one...).

Thanks,

Avi

exbrit
Level 21

Re: How to get notification about AM detection?


OK, moved provisionally to Endpoint Security - hopefully someone will answer here.

Peter

Moderator

epository
Level 10

Re: How to get notification about AM detection?


What is AM?

If you have McAfee ePO, you can either set up an Automated Response or a Server Task to email this to you.

ePO also allows you to set up SNMP traps to send from the ePO server to your SNMP system.

Finally, if you have ArcSight deployed, there is an ArcSight connector for McAfee ePO.

avi_1_2_4_8
Level 7

Re: How to get notification about AM detection?


Thanks epository!

AM = Anti-Malware (or Anti-Virus, same thing).

Is there any other method, like running a batch file/exe or some sort of API on the client side?

Also, does the client use Windows events to indicate any malware detections?

Regards,

Avi

avi_1_2_4_8
Level 7

Re: How to get notification about AM detection?


Thank you!

I will give all the suggestions a try.

Regards,

Avi

avi_1_2_4_8
Level 7

Re: How to get notification about AM detection?


Hi,

Does anybody know where I can get the information?

Thanks,

Avi
