Should there be confirmation of a delete following event id 1428 - 'delete pending'?

So I see an endpoint in ePO whose last threat event was event id 1428 - delete pending. Without touching the endpoint, how do I know this machine is not compromised? Shouldn't there be a follow-up event or flag to say the delete was successful? Thanks, Jack
6 Replies
cdinet (McAfee Employee)
Message 2 of 7

Re: Should there be confirmation of a delete following event id 1428 - 'delete pending'?

There is no such follow-up flag to know when the file is actually deleted - that would get deleted on a reboot. If the system was compromised, you would see another detection, especially since it was detected the first time. You can post any follow-up questions for this in the ENS/VSE group.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: Should there be confirmation of a delete following event id 1428 - 'delete pending'?

I'm pretty new to the McAfee suite so it's likely I'm missing something, but I don't really understand how you can assume an endpoint is clean of malware by the absence of a threat event.


Specifically for delete pending, surely this must be confirmed in logs on the endpoint itself? But if you are managing thousands of endpoints it's not feasible to check on the endpoint itself, so I thought such a success of threat remediation would be fed to ePO to give the 'OK'. As I look at the console, it essentially suggests the file is still locked or in use and hasn't yet been able to be cleaned, days, weeks or months later.

And if the threat was a dropper, and I don't know the dwell time of the dropper itself, I don't know the level of exposure to something potentially worse I had.


Am I fundamentally misunderstanding realtime security vs scans? Or even ePO itself? Probably, but either way I'm not seeing a green tick, or thumbs up, or success message for threat remediation, to give me the confidence the endpoint is clear, and for McAfee to show me its usefulness/strength/ROI/etc.

I'm sure I'm just missing something, or I'm biased into thinking about this differently from previous AV experience, so I just need to understand the McAfee 'way'.

cdinet (McAfee Employee)
Message 4 of 7

Re: Should there be confirmation of a delete following event id 1428 - 'delete pending'?

I am going to move this to the ENS team that deals regularly with scans and threat remediation.


chealey (McAfee Employee)
Message 5 of 7

Re: Should there be confirmation of a delete following event id 1428 - 'delete pending'?

If the delete fails, you'll get an event saying delete failed, but if it's successful, you won't see a follow-up event.

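The reply above describes the event semantics for a 1428: a failure produces a follow-up event, a success produces nothing. The following triage script is an added example (not McAfee's code, and not from any poster) showing how a defender can act on that rule in an ePO event export: hosts whose newest 1428 has no later failure or re-detection are not treated as clean, but surfaced for manual verification once they have sat pending longer than a threshold. Only event ID 1428 comes from the thread; the sample rows, host names, the `action` field and the `None` event IDs for the delete-failed and re-detection rows are constructed placeholders.

```python
from datetime import datetime, timedelta

DELETE_PENDING = 1428  # ePO threat event ID from the thread: "Delete pending"

# Constructed sample events (not an ePO export). Only ID 1428 is taken from
# the thread; delete-failed and re-detection rows carry event_id=None because
# the thread names no ID for them. Timestamps are ISO 8601 in one timezone,
# so string comparison orders them correctly.
SAMPLE_EVENTS = [
    {"host": "ws-01", "time": "2023-03-01T08:00:00", "event_id": 1428, "action": "Delete pending"},
    {"host": "ws-02", "time": "2023-03-01T08:05:00", "event_id": 1428, "action": "Delete pending"},
    {"host": "ws-02", "time": "2023-03-01T08:06:00", "event_id": None, "action": "Delete failed"},
    {"host": "ws-03", "time": "2023-03-20T17:30:00", "event_id": 1428, "action": "Delete pending"},
    {"host": "ws-04", "time": "2023-03-01T09:00:00", "event_id": 1428, "action": "Delete pending"},
    {"host": "ws-04", "time": "2023-03-02T09:00:00", "event_id": None, "action": "Detected"},
    {"host": "ws-05", "time": "2023-03-01T10:00:00", "event_id": None, "action": "Deleted"},
]


def triage_pending_deletes(events, now, max_pending=timedelta(days=7)):
    """Classify each host by what its event stream proves about a 1428.

    Returns {host: status}. The thread's rule: a successful delete emits no
    follow-up event, so "no failure event" is NOT "confirmed clean". Long-open
    1428s are therefore queued for an on-endpoint check instead of closed.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)

    result = {}
    for host, stream in by_host.items():
        pending = [e for e in stream if e["event_id"] == DELETE_PENDING]
        if not pending:
            result[host] = "no open delete"
            continue
        last = pending[-1]
        later = {e["action"].lower() for e in stream if e["time"] > last["time"]}
        if any("fail" in a for a in later):
            result[host] = "delete failed: remediate manually"
        elif "detected" in later:
            result[host] = "re-detected after pending delete: investigate"
        elif now - datetime.fromisoformat(last["time"]) > max_pending:
            result[host] = "pending unconfirmed: verify on endpoint"
        else:
            result[host] = "pending: awaiting reboot"
    return result


if __name__ == "__main__":
    for host, status in triage_pending_deletes(SAMPLE_EVENTS, datetime(2023, 3, 22)).items():
        print(f"{host}: {status}")
```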

Re: Should there be confirmation of a delete following event id 1428 - 'delete pending'?

Presumably the file isn't quarantined until delete as it is locked by another process. So what is to say the process that has it locked isn't malicious? Or benign but performing malicious activity due to the file in question?
I'm just trying to understand the process and risk when this event occurs.
Thanks
Siege (Level 7)
Message 7 of 7

Re: Should there be confirmation of a delete following event id 1428 - 'delete pending'?

I too agree, the lack of a confirmation event/message/notice to state that the action really HAS succeeded is dismaying to say the least, especially when one is managing thousands of endpoints that are not necessarily physically - or by remote - accessible. Oh and this:

[attached screenshot: McAfee.PNG]
Doesn't count. All this tells me is that the "Delete Pending" event was successfully set/triggered (maybe?), seeing as how the First Action and its status is pretty clearly not true, otherwise the delete would not have been necessary, nor the delete pending event.

Whether a reboot is required or not, McAfee should be logging EVERY action it takes, and when the actual deletion occurs, that should be reported the same as any other successful delete action. I do understand that should it fail to delete, there should be following events stating that a clean/delete had failed, but the lack of a negative event is not the same as a positive confirmation.
