SergeM
Message 1 of 4

Is it possible to scan PCs (endpoints) for a specific file?

Hi everyone

We are getting a report about a targeted attack and would like to be able to look for a specific file on all our PCs.

We'd like to be able to look for a file with a specific name and extension, we also know the path and have a hash number for the file. 

E.g. we suspect that file FILENAME.EXE, when it is in C:\ProgramData\Microsoft\, is an attack.

Using VSE User Defined Unwanted Programs we can specify a file name, but not the path or hash value.

Does anyone know of a way to automatically search for a specific file in a specific directory on +1000 machines?

If one can also specify a hash it is even better. (Bonus points?)

Would it be possible to do this with Host IPS?

Thanks for answers

  Serge

3 Replies

Re: Is it possible to scan PCs (endpoints) for a specific file?

Hi,

which McAfee products have you got? McAfee System Information Reporter's "Find File" option would be my favorite pick, but you could also define a custom access protection rule (with VSE) and wait until it is triggered, or use a custom HIPS signature.

Regards,

Frank

Troja
Message 3 of 4

Re: Is it possible to scan PCs (endpoints) for a specific file?

Hi,

there are different ways to find it out. It depends on the products you are using. :-)

  1. Application Control (Solidcore): Application Control provides a file inventory from every client. Therefore you can search for binary files.
  2. Using a "File Name Search" with Real Time.
    You can define and submit a question, but it took some time in my lab.

  3. With the upcoming McAfee solution TIE (Threat Intelligence Exchange) and DXL (Data Exchange Layer). This solution will provide an extreme improvement for malware detection, visibility and removal.
    - Under TIE Reputations just search for the file and click "where has file run".
    This will generate a list of where the file has been run.

Hope this helps.


Cheers,

Thorsten


Troja
Message 4 of 4

Re: Is it possible to scan PCs (endpoints) for a specific file?

Hi all,

the new and cool tool now is Active Response (MAR) for Incident Management and Threat Hunting.

Cheers
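
The check asked about in the first message (a known file name in a known directory, confirmed by hash), sketched as a PowerShell remoting sweep. This is an added example, not part of any post in the thread and not tied to the McAfee products mentioned. Assumptions: PowerShell remoting (WinRM) is enabled on the endpoints, they run PowerShell 4.0 or later, the hash in hand is SHA-256, and `endpoints.txt` and the output file names are hypothetical.

```powershell
# Added example: sweep endpoints for one file at a known path and compare its hash.
# All values are placeholders; FILENAME.EXE and the directory come from the question.
$TargetPath   = 'C:\ProgramData\Microsoft\FILENAME.EXE'
$ExpectedHash = '<SHA256-OF-SUSPECT-FILE>'            # placeholder, assumed SHA-256
$Computers    = Get-Content -Path '.\endpoints.txt'   # assumed: one hostname per line

# Runs on each endpoint and returns one result object per host.
$check = {
    param($Path, $Hash)
    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Path      = $Path
        Present   = $false
        SHA256    = $null
        HashMatch = $false
    }
    # -LiteralPath disables wildcard expansion; -Force includes hidden/system files.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $result.Present = $true
        # A locked or unreadable file leaves SHA256 empty: present but unverified.
        $h = Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($h) {
            $result.SHA256    = $h.Hash
            $result.HashMatch = ($h.Hash -eq $Hash)   # -eq ignores case on strings
        }
    }
    $result
}

# Fan out in batches; connection failures are collected instead of aborting the sweep.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $check `
    -ArgumentList $TargetPath, $ExpectedHash -ThrottleLimit 50 `
    -ErrorAction SilentlyContinue -ErrorVariable unreachable

# Hosts where the file exists at that path, with or without a hash match.
$results | Where-Object { $_.Present } |
    Select-Object Computer, Path, SHA256, HashMatch |
    Export-Csv -Path '.\file-sweep-hits.csv' -NoTypeInformation

# Hosts that did not answer are unknown, not clean; keep them for a retry.
$unreachable | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content -Path '.\file-sweep-unreachable.txt'
```

A host with `Present` true and `HashMatch` false still has a file of that name in that directory and is worth a closer look, since the hash only identifies one exact build of the file.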