Regarding McAfee HIP v8.0.0 AgentEvent logs

How can I find information that explains what the AgentEvent logs contain? I have several XML logs that show eventID 18000 with a signatureID 4336, along with other details regarding the incident. Can I show that this suspicious file that the HIP alerted on was actually executed, or just viewed?
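As an added example (not from the original thread or from McAfee), here is a small triage helper that scans AgentEvent XML documents for the eventID/signatureID pair mentioned above and flattens whatever fields each matching event carries. The element and attribute names in the constructed sample are assumptions, not McAfee's documented schema, which is why the matcher compares local names case-insensitively and reports all fields it finds rather than relying on a fixed layout.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample standing in for real AgentEvent XML; the tag and
# attribute names below are assumptions, not the documented schema.
SAMPLE_EVENTS = [
    """<AgentEvent><EventID>18000</EventID><SignatureID>4336</SignatureID>
       <SourceProcessName>C:\\Windows\\explorer.exe</SourceProcessName>
       <TargetFileName>C:\\Users\\user\\Downloads\\suspect.exe</TargetFileName>
       <Reaction>Blocked</Reaction></AgentEvent>""",
    """<AgentEvent EventID="1092" SignatureID="1"><Reaction>Logged</Reaction></AgentEvent>""",
]


def _local(name: str) -> str:
    """Strip any XML namespace and lowercase, so matching ignores schema quirks."""
    return name.rsplit("}", 1)[-1].lower()


def flatten(xml_text: str) -> Dict[str, str]:
    """Collect every element text and attribute into a name -> value map."""
    root = ET.fromstring(xml_text)
    fields: Dict[str, str] = {}
    for elem in root.iter():
        for key, value in elem.attrib.items():
            fields[_local(key)] = value
        if elem.text and elem.text.strip():
            fields[_local(elem.tag)] = elem.text.strip()
    return fields


def matching_events(xml_docs: List[str], event_id: str = "18000",
                    signature_id: str = "4336") -> List[Dict[str, str]]:
    """Return the flattened fields of every document carrying the given IDs."""
    hits = []
    for doc in xml_docs:
        fields = flatten(doc)
        if fields.get("eventid") == event_id and fields.get("signatureid") == signature_id:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        # Print every field the event carries; the reaction/action field shows
        # what HIPS did, not by itself whether the file ever ran.
        for name, value in sorted(hit.items()):
            print(f"{name}: {value}")
```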

5 Replies

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

Moved this to HIPs for better attention hopefully.

Peter

Moderator

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

If you go into the ePO console, find the machine that produced that HIPS event (18000), Actions -> Agent -> Show Threat Events. From there you can click on the event and see all the details about it; what detected it, directory of the file, action taken, what it tried to do, etc.

ansarias

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

Hello,

You can validate through the 2 ePO properties below.

1. Event Category > Belongs to = Host Intrusion

2. Event Description > Equals = Host intrusion detected and handled

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

I found entries in the AgentEvent logs, so I have a couple of follow-up questions:

I am conducting a forensics examination of this host. In the registry, there is a key named "LoggedOnUser" in SOFTWARE>Wow6432Node>Network Associates>ePolicy Orchestrator>Agent

How is this key populated?

Is there a registry artifact (or some other indication) that shows when the last time the AgentEvent logs were cleared?

ansarias

Re: Regarding McAfee HIP v8.0.0 AgentEvent logs

Well, LoggedOnUser defines the currently logged-on user account details during Agent to ePO server communication, as it will use that user ID to upload the events into the ePO console.

The McAfee Agent policy has a setting for log size, so once it is filled it will automatically be overwritten with new agent logs.
