vfcw
Message 1 of 7

I have a quick question (at least I hope it's quick) regarding ePO. Is it possible to use ePO as a querying tool for malicious files? If you knew of a malicious .dll with a certain MD5 hash, could you look for that file?

Malicious files which tool should I use to identify and report?

6 Replies
McAfee Employee
Message 2 of 7

Re: I have a quick question (at least I hope it's quick) regarding ePO. Is it possible to use ePO as a querying tool for malicious files ? If you knew of a malicious .dll with a certain MD5 hash - could you look for that file?

I would suggest posting this to the ePolicy Orchestrator forum.

kenobe
Message 3 of 7

Re: I have a quick question (at least I hope it's quick) regarding ePO. Is it possible to use ePO as a querying tool for malicious files ? If you knew of a malicious .dll with a certain MD5 hash - could you look for that file?

1. You can use Policy Auditor File Integrity Monitor to scan computers and query the database of files it finds by hash - but that only works after scans are run and those scans are VERY CPU intensive.

2. You can use HIPS to block MD5 hashes - but that only works when the file is opened by the user.

3. VirusScan will only scan FILENAMES, not hashes.

That's it.  You're better off using other tools if you want to proactively scan for hashes.

v/r

Ken
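The reply above says ePO's own components either need a prior (CPU-heavy) scan or only react when a file is opened, and that a proactive hash search needs another tool. The following is an added example of what such a tool does at its core, written for this thread and not McAfee, ePO or Policy Auditor code: it walks a directory tree, streams each candidate file through MD5 and SHA-256, and reports any file whose digest appears in a known-bad list. The sample tree, the file names and the IOC hash are all constructed inside the script; nothing here comes from a real incident.

```python
"""Hunt a directory tree for files whose MD5 or SHA-256 matches a list of
known-bad hashes. Added example for illustration; it is not an ePO feature
and not code from McAfee or any product mentioned in the thread.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a large DLL is never fully loaded


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Return {'md5': ..., 'sha256': ...} for an in-memory byte string."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path: str) -> Dict[str, str]:
    """Return {'md5': ..., 'sha256': ...} for one file, streamed from disk."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def hunt(root: str, iocs: Iterable[str],
         extensions: Tuple[str, ...] = (".dll", ".exe")) -> List[Tuple[str, str, str]]:
    """Walk `root`, hash every file with one of `extensions`, and return
    (path, algorithm, hex digest) for each file whose digest is in `iocs`.
    The IOC list may mix MD5 and SHA-256 and any letter case; it is
    normalised to lower-case hex before comparison."""
    wanted = {h.strip().lower() for h in iocs if h.strip()}
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                digests = file_hashes(path)
            except OSError:
                # Locked or unreadable file: skip it. A real tool would log
                # this, because an unreadable binary is itself worth a look.
                continue
            for algo, digest in digests.items():
                if digest in wanted:
                    hits.append((path, algo, digest))
    return hits


def demo(extensions: Tuple[str, ...] = (".dll", ".exe")) -> List[Tuple[str, str, str]]:
    """Build a constructed sample tree and return the hits `hunt` finds in it.

    Layout (all contents are made up for this example):
      sub/evil.dll  - bytes whose MD5 is on the IOC list
      benign.dll    - unrelated bytes
      notes.txt     - same bytes as evil.dll, but only scanned if '.txt'
                      is in `extensions` (shows why the filter matters)
    """
    root = tempfile.mkdtemp(prefix="hashhunt_")
    bad_bytes = b"constructed sample: pretend this is a malicious DLL"
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "evil.dll"), "wb") as fh:
        fh.write(bad_bytes)
    with open(os.path.join(root, "benign.dll"), "wb") as fh:
        fh.write(b"constructed sample: harmless library")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(bad_bytes)
    # Constructed IOC, deliberately upper-case to exercise the normalisation.
    iocs = [digest_bytes(bad_bytes)["md5"].upper()]
    return hunt(root, iocs, extensions)


if __name__ == "__main__":
    for path, algo, digest in demo():
        print(f"HIT {algo} {digest} {path}")
```

Two design points are worth noting for anyone turning this into a real search: hashing is streamed so the scan's memory use does not depend on file size, and the extension filter is the main lever on CPU cost (scanning every file on a host is what makes the full-disk approaches in this thread expensive), so widen it deliberately rather than by default.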

Re: I have a quick question (at least I hope it's quick) regarding ePO. Is it possible to use ePO as a querying tool for malicious files ? If you knew of a malicious .dll with a certain MD5 hash - could you look for that file?

Not yet, but stay tuned. There's a product release that will effectively give you this ability VERY easily.

At the moment it is native to Solidcore / Application Control.

Re: I have a quick question (at least I hope it's quick) regarding ePO. Is it possible to use ePO as a querying tool for malicious files ? If you knew of a malicious .dll with a certain MD5 hash - could you look for that file?

You can block files by MD5 Hash in Application Blocking. Not really a "querying tool" but it might meet your desired intent.

kenobe
Message 6 of 7

Re: I have a quick question (at least I hope it's quick) regarding ePO. Is it possible to use ePO as a querying tool for malicious files ? If you knew of a malicious .dll with a certain MD5 hash - could you look for that file?

Yep, thanks Scott.  The policy for my client is to not block but they do want to search for those hashes.

We've had some success with Policy Auditor (File Integrity Monitor) but there are limitations with that tool.

Re: I have a quick question (at least I hope it's quick) regarding ePO. Is it possible to use ePO as a querying tool for malicious files ? If you knew of a malicious .dll with a certain MD5 hash - could you look for that file?

We have had issues with FIM as well. You may be better served using some other commercial tool. (Tripwire, Qualys, etc)