anhp
Level 7
Message 1 of 7

Rule to monitor disabled McAfee AV

Does anyone know what event I will need to use to monitor and alert on systems with disabled McAfee AV? I currently have McAfee ePO sending logs to ESM but can't find a rule that will work. Thanks!

6 Replies

Re: Rule to monitor disabled McAfee AV

Hi

This isn't straightforward, because it depends on the events and the data source. I am not sure ePO will send an event when it gets disabled; I will have to look into it. But depending on whether you collect the Windows logs from the systems (which most of the time we will for certain servers but not all endpoints), you could create a rule that monitors the Windows event service.

So for example, you could create a rule that uses Sig ID 43-216070360, where the Command is in "stopped" and the Application is "McAfee mcshield". Can you test that and see if it works for your use case?

anhp
Level 7
Message 3 of 7

Re: Rule to monitor disabled McAfee AV

Rlourenco,

I did a search for Sig ID 43-216070360 and got results with "Service $1 entered state $2". State $2 includes both stopped and running. Also, this ID includes a lot of other services; how do I weed them out and only alert on McAfee VirusScan Enterprise?

Thanks,

AP

Re: Rule to monitor disabled McAfee AV (accepted solution)

[Screenshot: service stop.jpg]

So Sig ID 43-216070360 is for "the status of a Windows service is successful". If you look at the rule, you would be able to say the Command is "stopped" and the Application is "McAfee mcshield". Don't forget to Group by Source IP or host.

See the screenshot above.
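The rule described in the post above, written out as detection logic over sample log lines. This is an added example, not part of the original thread and not McAfee ESM code: it assumes that the ESM signature "Service $1 entered state $2" is the normalised form of Windows System event 7036 from the Service Control Manager, that the VirusScan Enterprise on-access scanner's service display name is "McAfee McShield", and it uses constructed event records (host, event ID, message) in place of an ESM export. It gates on the service-status event ID before it looks at the message text, so an unrelated event such as the 4624 logon reported later in the thread cannot match, and it groups hits by host the way the post recommends.

```python
import re
from collections import defaultdict

# Constructed sample events in a simplified normalised form (not a real ESM
# or Windows export). 7036 = Service Control Manager "entered the X state";
# 4624 = successful logon, included to show it does not match.
SAMPLE_EVENTS = [
    {"time": "2019-03-01T10:00:05", "host": "ws01", "event_id": 7036,
     "message": "The McAfee McShield service entered the stopped state."},
    {"time": "2019-03-01T10:00:09", "host": "ws01", "event_id": 7036,
     "message": "The McAfee McShield service entered the running state."},
    {"time": "2019-03-01T10:01:00", "host": "ws01", "event_id": 4624,
     "message": "An account was successfully logged on."},
    {"time": "2019-03-01T10:02:00", "host": "srv02", "event_id": 7036,
     "message": "The Print Spooler service entered the stopped state."},
    {"time": "2019-03-01T10:03:00", "host": "srv02", "event_id": 7036,
     "message": "The McAfee McShield service entered the stopped state."},
    {"time": "2019-03-01T10:04:00", "host": "srv02", "event_id": 7036,
     "message": "The McAfee McShield service entered the stopped state."},
    {"time": "2019-03-01T10:05:00", "host": "srv03", "event_id": 7036,
     "message": "The McAfee McShield service entered the running state."},
]

# Event IDs that carry "Service $1 entered state $2" (assumption: 7036).
SERVICE_STATUS_EVENT_IDS = {7036}

# Service display names that count as the AV engine (assumption: VSE McShield).
AV_SERVICES = {"McAfee McShield"}

# Message layout of event 7036: "The <service> service entered the <state> state."
SERVICE_STATE_RE = re.compile(
    r"^The (?P<service>.+?) service entered the (?P<state>\w+) state\.?$")


def parse_service_state(message):
    """Return (service_name, state) from a 7036-style message, else None."""
    m = SERVICE_STATE_RE.match(message)
    if m is None:
        return None
    return m.group("service"), m.group("state").lower()


def is_av_stop_event(event):
    """True only for a service-status event saying the AV service stopped."""
    # Gate on the signature first: a message-only match would let any
    # event whose text happens to fit (or a mis-parsed 4624) through.
    if event["event_id"] not in SERVICE_STATUS_EVENT_IDS:
        return False
    parsed = parse_service_state(event["message"])
    if parsed is None:
        return False
    service, state = parsed
    return service in AV_SERVICES and state == "stopped"


def av_stops_by_host(events):
    """Group matching events by host ("Group by Source IP or host")."""
    hits = defaultdict(list)
    for event in events:
        if is_av_stop_event(event):
            hits[event["host"]].append(event["time"])
    return dict(hits)


if __name__ == "__main__":
    for host, times in sorted(av_stops_by_host(SAMPLE_EVENTS).items()):
        print(f"ALERT {host}: McShield stopped {len(times)} time(s), "
              f"last at {times[-1]}")
```

Running it reports ws01 once and srv02 twice; srv03 (running only), the Print Spooler stop and the 4624 logon produce nothing. The same two gates, signature ID then Application and Command, are what the ESM correlation rule has to apply in that order. A stop event is only one signal: a host whose System log never reaches the SIEM will never produce one, so it does not by itself prove the AV is running anywhere.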

anhp
Level 7
Message 5 of 7

Re: Rule to monitor disabled McAfee AV

Testing this now. Will update with result. Thanks again!

anhp
Level 7
Message 6 of 7

Re: Rule to monitor disabled McAfee AV

rlourenco,

I created the correlation rule with that Sig ID (43-216070360) and the parameters for Command and Application. However, somehow this rule is triggering every time a successful logon is detected (4624), even though I don't have the Sig ID for that event anywhere in the rule. Any idea?

Thanks,

Anh Pham

Re: Rule to monitor disabled McAfee AV

Hi Anh,

Just came across this post of yours and wanted to ask if you had success implementing the rule?

Thanks in advance.
