Former Member
Message 1 of 4

Is it possible to scan PCs (endpoints) for a specific file?

Hi everyone

We are getting a report about a targeted attack and would like to be able to look for a specific file on all our PCs.

We'd like to be able to look for a file with a specific name and extension; we also know the path and have a hash number for the file.

E.g. we suspect that file FILENAME.EXE, when it is in C:\ProgramData\Microsoft\, is an attack.

Using VSE User Defined Unwanted Programs we can specify a file name, but not the path or hash value.

Does anyone know of a way to automatically search for a specific file in a specific directory on +1000 machines?

If one can also specify a hash it is even better.  (Bonus points? )

Would it be possible to do this with Host IPS?

Thanks for answers

  Serge

3 Replies
frank_enser
Reliable Contributor
Message 2 of 4

Re: Is it possible to scan PCs (endpoints) for a specific file?

Hi,

Which McAfee products have you got? McAfee System Information Reporter's "Find File" option would be my favorite pick, but you could also define a custom access protection rule (with VSE) and wait until it is triggered, or use a custom HIPS signature.

Regards,

Frank

Troja
Reliable Contributor
Message 3 of 4

Re: Is it possible to scan PCs (endpoints) for a specific file?

Hi,

There are different ways to find out. It depends on the products you are using. 🙂

  1. Application Control (Solidcore): Application Control provides a file inventory from every client. Therefore you can search for binary files.
  2. Using a "File Name Search" with Real Time.
    You can define and submit a question, but it took some time in my lab.

  3. With the upcoming McAfee solution TIE (Threat Intelligence Exchange) and DXL (Data Exchange Layer). This solution will provide an extreme improvement for malware detection, visibility and removal.
    - Under TIE Reputations just search for the file and click "where has file run".
    This will generate a list of where the file has been run.

Hope this helps.


Cheers,

Thorsten


Troja
Reliable Contributor
Message 4 of 4

Re: Is it possible to scan PCs (endpoints) for a specific file?

Hi all,

the new and cool tool now is Active Response (MAR) for Incident Management and Threat Hunting.

Cheers
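
A product-independent way to run the check asked about in the first message (file name, fixed path and hash, across many machines), added here as an example that is not part of any post in the thread or of any McAfee product. It assumes PowerShell 4.0 or later with WinRM remoting enabled, a hypothetical `computers.txt` with one hostname per line, and a SHA-256 hash; the hash value shown is a placeholder, since the thread does not give one.

```powershell
# Constructed indicator values: the thread gives only the placeholder name
# FILENAME.EXE and the directory. The hash is a dummy, not a real IoC.
$IndicatorPath = 'C:\ProgramData\Microsoft\FILENAME.EXE'
$IndicatorHash = '0000000000000000000000000000000000000000000000000000000000000000'

# Assumption: computers.txt (hypothetical) lists one hostname per line.
$Computers = Get-Content -Path '.\computers.txt'

# Runs on each endpoint: report presence, actual hash, and whether it matches.
$check = {
    param($Path, $ExpectedHash)
    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Path      = $Path
        Present   = $false
        Sha256    = $null
        HashMatch = $false
    }
    # -LiteralPath prevents wildcard expansion; -PathType Leaf ignores directories.
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        $result.Present = $true
        try {
            $result.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
            # String -eq is case-insensitive, so hex case does not matter.
            $result.HashMatch = ($result.Sha256 -eq $ExpectedHash)
        } catch {
            # File exists but is locked or unreadable: still report it as present.
            $result.Sha256 = "unreadable: $($_.Exception.Message)"
        }
    }
    $result
}

# -ThrottleLimit bounds concurrent sessions; connection errors are collected in $failed.
$hits = Invoke-Command -ComputerName $Computers -ScriptBlock $check `
    -ArgumentList $IndicatorPath, $IndicatorHash `
    -ThrottleLimit 50 -ErrorAction SilentlyContinue -ErrorVariable failed

# A file at the path with a different hash is kept in the report (HashMatch = False).
$hits | Where-Object Present |
    Select-Object Computer, Path, Sha256, HashMatch |
    Export-Csv -Path '.\indicator-hits.csv' -NoTypeInformation

# Hosts that could not be reached must be retried, not assumed clean.
$failed | ForEach-Object { $_.TargetObject } | Sort-Object -Unique |
    Set-Content -Path '.\unreachable.txt'
```

A name-and-path hit with a non-matching hash is still worth reviewing, because the file may be a different build of the same tool.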
