When did my files get infected?

Hi, I have a doubt related to McAfee about how to look for modified files in log files. I hope someone can explain if this is as expected or I need to look in some other places.


I'd like to know why I have almost 100 files infected with Expiro.Gen.p and I cannot find those files in McAfee/Windows logs (solidcore, S3diag*, Windows events, etc.), if the PC is "locked" with Windows EWF and McAfee Application Control whitelisting.


The PC:

-McAfee Application and Change Control v6.2 and all executable files in C:, D: and E: are whitelisted. No exe file is allowed to run if it is not whitelisted and signed (and their certificate added to McAfee).


-Windows 7 Embedded with EWF (Enhanced write filter= C: drive is protected so every time the PC starts, it has the same information as the first day/installation).


We know that someone had to install software using a pendrive on that PC and stopped the Windows EWF and executed the McAfee commands sadmin bu/sadmin eu as expected. But after installing the software and "protecting/locking" everything, I should see in the McAfee logs all the files modified/solidified in C:, D: or E: (the expected ones because of the legal installation and maybe others because of a virus); then I could determine that there are modified files that have nothing to do with the legal installation.
The problem is that those extra files do not appear in the log files, and the only things that I see in the logs are the correct ones.


For example on Jun 15 2020 SampleA.exe had a correct cksum="643b2d246c5c0812bdbcfeea46dda897832002e3" and I can see only 3 references to that file in the log file:

<PROCESS_CREATED file_name="E:\sample\SampleA.exe" pid="3560" process_name="C:\Windows\explorer.exe" ppid="2668" parent_process_name="C:\Windows\System32\userinit.exe" cksum="643b2d246c5c0812bdbcfeea46dda897832002e3" event_time="..." event_time_utc="Jun 15 2020:13:32:03" user_name="WIN-YNFT6YHTFR9\dgadmin" workflow_id="UPDATE_MODE: AUTO_11" />

<PROCESS_CREATED file_name="E:\sample\SampleA.exe" pid="4064" process_name="C:\Windows\explorer.exe" ppid="2668" parent_process_name="C:\Windows\System32\userinit.exe" cksum="643b2d246c5c0812bdbcfeea46dda897832002e3" event_time="..." event_time_utc="Jun 15 2020:13:33:04" user_name="WIN-YNFT6YHTFR9\dgadmin" workflow_id="UPDATE_MODE: AUTO_11" />

<PROCESS_CREATED file_name="E:\sample\SampleA.exe" pid="1004" process_name="C:\Windows\explorer.exe" ppid="2756" parent_process_name="C:\Windows\System32\userinit.exe" cksum="643b2d246c5c0812bdbcfeea46dda897832002e3" event_time="..." event_time_utc="Jun 15 2020:13:49:32" user_name="WIN-YNFT6YHTFR9\dgadmin" workflow_id="UPDATE_MODE: AUTO_12" />

On Jun 17 2020 SampleA.exe has a different checksum, but SampleA.exe does not appear again in the log files.
If the file has been modified, shouldn't it appear in the logs after June 15 2020?

Note: The PC does not boot up anymore, that's why we only look in log files.

Thanks in advance,
JL
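As an added example (not part of the original post and not a McAfee tool), the script below parses PROCESS_CREATED lines of the form quoted above, groups them by file_name and lists every distinct cksum with its first and last seen time, so that a file launched with a new checksum, and the earliest time that happened, stands out. Its input is constructed: the three quoted Jun 15 lines (trimmed to the attributes the script reads) plus one made-up Jun 17 line with a placeholder checksum, added only to show what a change looks like. Since PROCESS_CREATED lines record launches, a file that was rewritten but never executed afterwards would produce no such line, which is one thing this kind of search cannot rule out.

```python
import re
from collections import OrderedDict
from datetime import datetime

# Constructed sample input: the three PROCESS_CREATED lines quoted in the post
# (reduced to the attributes used here) plus one CONSTRUCTED Jun 17 line with a
# placeholder cksum. The fourth line is not from the real log.
SAMPLE_LOG = r'''
<PROCESS_CREATED file_name="E:\sample\SampleA.exe" pid="3560" process_name="C:\Windows\explorer.exe" cksum="643b2d246c5c0812bdbcfeea46dda897832002e3" event_time_utc="Jun 15 2020:13:32:03" user_name="WIN-YNFT6YHTFR9\dgadmin" workflow_id="UPDATE_MODE: AUTO_11" />
<PROCESS_CREATED file_name="E:\sample\SampleA.exe" pid="4064" process_name="C:\Windows\explorer.exe" cksum="643b2d246c5c0812bdbcfeea46dda897832002e3" event_time_utc="Jun 15 2020:13:33:04" user_name="WIN-YNFT6YHTFR9\dgadmin" workflow_id="UPDATE_MODE: AUTO_11" />
<PROCESS_CREATED file_name="E:\sample\SampleA.exe" pid="1004" process_name="C:\Windows\explorer.exe" cksum="643b2d246c5c0812bdbcfeea46dda897832002e3" event_time_utc="Jun 15 2020:13:49:32" user_name="WIN-YNFT6YHTFR9\dgadmin" workflow_id="UPDATE_MODE: AUTO_12" />
<PROCESS_CREATED file_name="E:\sample\SampleA.exe" pid="2212" process_name="C:\Windows\explorer.exe" cksum="0123456789abcdef0123456789abcdef01234567" event_time_utc="Jun 17 2020:09:15:41" user_name="WIN-YNFT6YHTFR9\dgadmin" workflow_id="UPDATE_MODE: AUTO_13" />
'''

ATTR_RE = re.compile(r'(\w+)="([^"]*)"')   # key="value" pairs inside one event
TAG_RE = re.compile(r'^<(\w+)\b')           # element name, e.g. PROCESS_CREATED
TIME_FMT = "%b %d %Y:%H:%M:%S"              # matches "Jun 15 2020:13:32:03"


def parse_events(text, event_type="PROCESS_CREATED"):
    """Return one dict per event line of the requested type, attributes as keys
    plus a parsed 'when' datetime taken from event_time_utc, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = TAG_RE.match(line)
        if not m or m.group(1) != event_type:
            continue
        attrs = dict(ATTR_RE.findall(line))
        attrs["when"] = datetime.strptime(attrs["event_time_utc"], TIME_FMT)
        events.append(attrs)
    return sorted(events, key=lambda e: e["when"])


def checksum_timeline(events):
    """Map file_name -> OrderedDict of cksum -> {first_seen, last_seen, count},
    with checksums in order of first appearance."""
    timeline = {}
    for e in events:
        per_file = timeline.setdefault(e["file_name"], OrderedDict())
        entry = per_file.get(e["cksum"])
        if entry is None:
            per_file[e["cksum"]] = {"first_seen": e["when"],
                                    "last_seen": e["when"], "count": 1}
        else:
            entry["last_seen"] = max(entry["last_seen"], e["when"])
            entry["count"] += 1
    return timeline


def files_with_changed_checksum(events):
    """Files launched with more than one cksum. The first_seen time of the
    newer checksum is the latest moment the content can have changed."""
    changed = {}
    for name, per_file in checksum_timeline(events).items():
        if len(per_file) > 1:
            changed[name] = [(ck, info["first_seen"]) for ck, info in per_file.items()]
    return changed


def last_seen(events, file_name):
    """Time of the latest launch of file_name, or None if it never appears."""
    hits = [e for e in events if e["file_name"] == file_name]
    return hits[-1]["when"] if hits else None


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for name, per_file in checksum_timeline(evs).items():
        print(name)
        for ck, info in per_file.items():
            print(f"  {ck}  first {info['first_seen']}  last {info['last_seen']}  x{info['count']}")
    for name, hist in files_with_changed_checksum(evs).items():
        print(f"CHANGED: {name}: cksum {hist[-1][0]} first seen {hist[-1][1]}")
```

Run against the real solidcore log, the same two functions answer the two questions in the post directly: files_with_changed_checksum lists any file whose launches carry two different checksums, and last_seen shows whether a given file was launched at all after a given date. An empty result from both, as with the three original lines alone, means the log has no launch of the file after the checksum changed, not that the file was unchanged.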

Bharani_BD
Moderator

Re: When did my files get infected?

Please let us know the type of product you have. Is it Consumer or Enterprise?

Regards,

Bharani

Re: When did my files get infected?

Both products (Application Control and McAfee Endpoint Security) are managed by my company. Do you mean that I should ask the question in the Enterprise channel? I chose the Consumer channel since I'm not the manager of those tools and I wanted a quick answer.
Bharani_BD
Moderator

Re: When did my files get infected?

Hello @JL_macafi 

It has been moved to the Enterprise Forum.

Regards
Bharani
