We are getting report about a targeted attack and would like to be able to look for a specific file on all our PCs.
We'd like to be able to look for a file with a specific name and extension, we also know the path and have a hash number for the file.
E.g. we suspect that file FILENAME.EXE, when it is in C:\ProgramData\Microsoft\ is an attack.
Using VSE User Defined Unwanted Programs we can specify a file name, but not the path or hash value.
Does anyone know of a way to automatically search for a specific file in a specific directory on +1000 machines?
If one can also specify a hash it is even better. (Bonus points? )
Would it be possible to do this with Host IPS?
Thanks for answers
which McAfee products you got? McAfee System Information Reporter's "Find File" option would be my favorite pick, but you could also define a custom access protection rule (with VSE) and wait until it is triggered or use a custom HIPS signature.
there are different ways to find it out. It depends on the products you are using. :-)
Hope this helps.