twenden
Message 1 of 6

Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports

We have just started to take a look at the new Endpoint Security Threat Prevention 10.1.0.5623. However, I am unable to see any threats that are detected from the client side. We are running with ePO 5.3.1 and Mac Agent 5.0.2.185.

To test threat detection and reporting, I go to the client and invoke the EICAR test virus. The client gets a popup that it detected the EICAR virus. After detection, I do an agent wake-up call. On the ePO side, I don't see this EICAR threat being reported under the queries or the Threat Events for that particular system. We also have automatic responses set to send an email alert, but we don't get this.

If I uninstall it and install EPM 2.3, then we get the virus alerts under ePO. Not too sure what is going on, but it is stopping me from wanting to utilize this updated version.

5 Replies
woody188
Message 2 of 6

Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports

There are specific queries/dashboards for ENS. We have ePO 5.3.2 and are testing ENS 10.2.0. All our VirusScan malware emails come in via automated responses, but Endpoint does not. Looks like I'll have to set up custom queries to get this to occur for Endpoint which is unfortunate because it was all working well for VSE.

johnmoe
Message 3 of 6

Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports

FWIW, I'm running both VSE and ENS (in the middle of transitioning to 10.5 Win/10.2 Mac & Linux), and I just specify "Threat Category --> belongs to --> Malware Detected", and I get e-mail alerts from both products from the one automatic response rule.

McAfee has an event troubleshooting guide that should help: https://kc.mcafee.com/corporate/index?page=content&id=KB53035e

woody188
Message 4 of 6

Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports

Thanks for the link. If I can't get it figured out, I guess it just means another call to support. We've tried EICAR files and even real threats, and while it is definitely logged in ePO, the events from ENS never get emails but the VSE ones are going out. Doesn't make any sense to me.

woody188
Message 5 of 6

Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports

Just so you know I'm not crazy, the event gets to ePO, gets parsed, and is viewable as an event under the "Threat Events" tab for the endpoint:

Threat Event Log Information
Server ID:EPOHOSTNAME
Event Received Time:3/13/17 8:55:04 AM
Event Generated Time:3/13/17 8:53:35 AM
Agent GUID:REDACTED
Detecting Prod ID (deprecated):ENDP_AM_1020
Detecting Product Name:McAfee Endpoint Security
Detecting Product Version:10.2.0.662
Detecting Product Host Name:REDACTED
Detecting Product IPv4 Address:xxx.xxx.xxx.xxx
Detecting Product IP Address:xxx.xxx.xxx.xxx
Detecting Product MAC Address:MAC Address
DAT Version:2915.0
Engine Version:5800.7501
Threat Source Host Name:HOSTNAME
Threat Source IPv4 Address:xxx.xxx.xxx.xxx
Threat Source IP Address:xxx.xxx.xxx.xxx
Threat Source MAC Address:
Threat Source User Name:
Threat Source Process Name:C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
Threat Source URL:
Threat Target Host Name:HOSTNAME
Threat Target IPv4 Address:xxx.xxx.xxx.xxx
Threat Target IP Address:xxx.xxx.xxx.xxx
Threat Target MAC Address:
Threat Target User Name:DOMAIN\USERID
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path:EicarTest.txt
Event Category:Malware detected
Event ID:1278
Threat Severity:Critical
Threat Name:EICAR test file
Threat Type:Test
Action Taken:Delete
Threat Handled:True
Analyzer Detection Method:On-Access Scan

Events received from managed systems
Event Description:File infected. No cleaner available, file deleted successfully

Host IPS 8.0 Event Information
This is not an Host IPS 8.0 event.
Additional Event details from VirusScan Enterprise

ATD Event Log Information

Endpoint Security
Module Name:Threat Prevention
Analyzer Content Creation Date:3/11/17 7:51:00 AM
AMCore Content Version:2915.0
Analyzer McAfee GTI Query:No
Threat Detected On Creation:Yes
Target Hash:44d88612fea8a8f36de82e1278abb02f
Target Name:EicarTest.txt
Target Path:C:\Users\%USER%\Desktop
Target File Size (Bytes):68
Target Modify Time:3/13/17 8:53:32 AM
Target Access Time:3/13/17 8:53:22 AM
Target Create Time:3/13/17 8:53:22 AM
Cleanable:No
Task Name:On-Access Scan
First Attempted Action:Clean
First Action Status:Failed
Second Attempted Action:Delete
Second Action Status:Succeeded
Description:DOMAIN\USERID ran C:\WINDOWS\SYSTEM32\NOTEPAD.EXE, which tried to access C:\Users\%USER%\Desktop\EicarTest.txt. The Test named EICAR test file was detected and deleted.
Duration Before Detection (Days):0
Attack Vector Type:Local System

Looks like another call to support...

woody188
Message 6 of 6

Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports

Turns out the names have changed for some of the events. Instead of "Delete" or "Deleted" ENS uses "IDS_ALERT_ACT_TAK_DEL" and my rules were set too restrictive to allow those events to be emailed.
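The resolution above (a response rule filtered on the action string, which ENS populates with a raw identifier rather than the word "Delete"/"Deleted") and johnmoe's product-neutral filter on the threat category can be checked side by side in a few lines. The following is an added example and is not McAfee's code or anything posted in the thread: it parses the ePO "Threat Event Log" layout pasted in message 5 (one `Key:Value` pair per line) and evaluates three filter rules over an ENS record and a VSE-style record. The ENS raw action value `IDS_ALERT_ACT_TAK_DEL` comes from the final post; the VSE record, and the assumption that VSE reports the action as the plain word "Deleted", are constructed for illustration, as is the mapping between the displayed "Delete" label and the raw value the rule compares against.

```python
# Added example (not McAfee's code, not from the thread). Parses an ePO
# "Threat Event Log" record of the Key:Value layout pasted above, then shows
# why an Automatic Response filter written against "Delete"/"Deleted" fires
# for VSE but not for ENS, while a filter on the threat category fires for
# both products from one rule.
#
# Assumptions: the raw ENS action value "IDS_ALERT_ACT_TAK_DEL" is taken from
# the final post; the VSE record and its plain-word action are constructed.

# Constructed ENS record, trimmed to the fields the rules look at.
ENS_EVENT = """\
Detecting Prod ID (deprecated):ENDP_AM_1020
Detecting Product Name:McAfee Endpoint Security
Detecting Product Version:10.2.0.662
Threat Source Process Name:C:\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE
Threat Target File Path:EicarTest.txt
Event Category:Malware detected
Event ID:1278
Threat Name:EICAR test file
Action Taken:IDS_ALERT_ACT_TAK_DEL
Threat Handled:True
"""

# Constructed VSE-style record (assumption: same layout, plain-word action).
VSE_EVENT = """\
Detecting Product Name:McAfee VirusScan Enterprise
Detecting Product Version:8.8.0
Threat Target File Path:EicarTest.txt
Event Category:Malware detected
Event ID:1278
Threat Name:EICAR test file
Action Taken:Deleted
Threat Handled:True
"""


def parse_threat_event(text):
    """Turn 'Key:Value' lines into a dict.

    Split on the first colon only, so a Windows path in the value
    ('C:\\WINDOWS\\...') stays intact; empty values are kept as ''.
    """
    event = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        event[key.strip()] = value.strip()
    return event


def rule_action_taken(allowed):
    """Restrictive filter: fire only if the raw 'Action Taken' string is one
    of the allowed values. This is the kind of rule that silently drops ENS."""
    allowed = set(allowed)
    return lambda ev: ev.get("Action Taken") in allowed


def rule_threat_category(category):
    """Product-neutral filter: fire on the event category, which VSE and ENS
    populate the same way (johnmoe's 'Threat Category belongs to' rule)."""
    return lambda ev: ev.get("Event Category", "").casefold() == category.casefold()


def evaluate(events, rules):
    """Return {rule name: sorted list of products whose events matched}."""
    parsed = [parse_threat_event(e) for e in events]
    return {
        name: sorted(ev["Detecting Product Name"] for ev in parsed if rule(ev))
        for name, rule in rules.items()
    }


RULES = {
    "action is Delete/Deleted": rule_action_taken(["Delete", "Deleted"]),
    "action incl. ENS raw value": rule_action_taken(
        ["Delete", "Deleted", "IDS_ALERT_ACT_TAK_DEL"]
    ),
    "category is Malware detected": rule_threat_category("Malware detected"),
}

if __name__ == "__main__":
    for name, products in evaluate([ENS_EVENT, VSE_EVENT], RULES).items():
        print(f"{name}: {products or 'no email sent'}")
```

The first rule is the failure mode from the thread: only the VSE record matches, so only VSE detections produce an email. Either widening the action list to include the raw ENS value or dropping the action condition in favour of the category gets both products onto one rule; the category rule is the more robust of the two because it does not depend on per-product action strings that can change between releases.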
