
Rule to monitor disabled McAfee AV


Does anyone know what event I will need to use to monitor and alert on systems with disabled McAfee AV? I currently have McAfee ePO sending logs to ESM but can't find a rule that will work. Thanks!

6 Replies

Re: Rule to monitor disabled McAfee AV


Hi

This isn't straightforward, because it depends on the events and the data source. I am not sure ePO will send an event when it gets disabled. I will have to look into it. But if you collect the Windows logs from the systems (which most of the time we will for certain servers but not all endpoints), then you could create a rule that monitors the Windows event service.

So for example, you could create a rule that uses Sig ID 43-216070360, where the command is "stopped" and the application is McAfee mcshield. Can you test that and see if it works for your use case?

Level 7
Message 3 of 7

Re: Rule to monitor disabled McAfee AV


Rlourenco,

I did a search for Sig ID 43-216070360, got results with "Service $1 entered state $2". State $2 includes both stop and running. Also, this ID includes a lot of other services, how do I weed them out and only alert on McAfee Virus Scan Enterprise?

Thanks,

AP

Re: Rule to monitor disabled McAfee AV (Accepted Solution)

[Screenshot: service stop.jpg]

So Sig ID 43-216070360 is for "the status of a Windows service is successful". If you look at the rule, you would be able to say the command is "stopped" and the application is McAfee mcshield. Don't forget to Group by Source IP or host.

See the screenshot above.

Level 7
Message 5 of 7

Re: Rule to monitor disabled McAfee AV


Testing this now. Will update with result. Thanks again!

Level 7
Message 6 of 7

Re: Rule to monitor disabled McAfee AV


rlourenco,

I created the correlation rule with that Sig ID (43-216070360) and the parameters for Command and Application. However, somehow this rule is triggering every time a successful logon is detected (4624), even though I don't have the Sig ID for that event anywhere in the rule. Any idea?

Thanks,

Anh Pham
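The rule the accepted answer describes (Sig ID 43-216070360, command "stopped", application McAfee mcshield, grouped by host) and the false-positive question in message 6 can both be modelled in a few lines. The following is an added example, not code from the thread or from McAfee: it runs the same three ANDed conditions over constructed, ESM-like normalized events and groups hits by host. The field names (sig_id, host, src_ip, message) are assumptions, the sample events are constructed, and the Sig ID used for the 4624 logon event is a labelled placeholder because the thread does not give it.

```python
import re
from collections import defaultdict

# Sig ID quoted in the thread for the Windows service state-change event
# ("Service $1 entered state $2").
SERVICE_STATE_SIG_ID = "43-216070360"

# Rule conditions from the accepted answer: command is "stopped" and the
# application is the McAfee McShield service.
WANTED_COMMAND = "stopped"
WANTED_APPLICATION = "mcshield"

# Recovers $1 (application) and $2 (command) from the message text.
SERVICE_STATE_RE = re.compile(
    r"^Service (?P<application>.+?) entered state (?P<command>\w+)$"
)

# Constructed sample events in an ESM-like normalized shape (assumed field
# names; not real ESM output).
SAMPLE_EVENTS = [
    {"sig_id": SERVICE_STATE_SIG_ID, "host": "WS01", "src_ip": "10.0.0.11",
     "message": "Service McAfee McShield entered state stopped"},
    {"sig_id": SERVICE_STATE_SIG_ID, "host": "WS01", "src_ip": "10.0.0.11",
     "message": "Service McAfee McShield entered state running"},
    {"sig_id": SERVICE_STATE_SIG_ID, "host": "WS02", "src_ip": "10.0.0.12",
     "message": "Service Print Spooler entered state stopped"},
    {"sig_id": SERVICE_STATE_SIG_ID, "host": "WS03", "src_ip": "10.0.0.13",
     "message": "Service McAfee McShield entered state stopped"},
    # A successful logon (Windows event 4624). Its Sig ID is a placeholder,
    # since the thread does not state it. It carries no service fields and
    # must never fire the AV-stopped rule.
    {"sig_id": "PLACEHOLDER-4624-SIG-ID", "host": "WS01", "src_ip": "10.0.0.11",
     "message": "An account was successfully logged on", "event_id": "4624"},
]


def extract_service_fields(event):
    """Return (application, command) for a service state-change event,
    or None when the event is something else (for example a logon)."""
    if event.get("sig_id") != SERVICE_STATE_SIG_ID:
        return None
    m = SERVICE_STATE_RE.match(event.get("message", ""))
    if not m:
        return None
    return m.group("application"), m.group("command").lower()


def matches_av_stopped_rule(event):
    """All three conditions are ANDed: Sig ID, command and application.
    An event without service fields cannot satisfy them, so a 4624 logon
    is rejected before the command/application checks are reached."""
    fields = extract_service_fields(event)
    if fields is None:
        return False
    application, command = fields
    return command == WANTED_COMMAND and WANTED_APPLICATION in application.lower()


def alerts_by_host(events):
    """Apply the rule and group hits by host, as the accepted answer
    recommends, mapping host -> list of source IPs that reported a stop."""
    grouped = defaultdict(list)
    for ev in events:
        if matches_av_stopped_rule(ev):
            grouped[ev["host"]].append(ev["src_ip"])
    return dict(grouped)


if __name__ == "__main__":
    for host, ips in sorted(alerts_by_host(SAMPLE_EVENTS).items()):
        print(f"ALERT: McShield stopped on {host} ({', '.join(ips)})")
```

Running it reports WS01 and WS03 only: the "running" transition on WS01, the Print Spooler stop on WS02 and the 4624 logon are all filtered out. If a production rule fires on logons as in message 6, the first thing to compare against this model is whether the Sig ID, command and application conditions are actually combined with AND in the rule editor rather than OR.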

Level 10
Message 7 of 7

Re: Rule to monitor disabled McAfee AV


Hi Anh,

Just came across this post of yours and wanted to ask if you had success implementing the rule?

Thanks in advance.
