jin
Level 7
Message 1 of 13

Malware events not fully reported to ePO

Dear all,

I see the following events in the local VSE on-access log:

1/3/2012    9:16:19 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

1/3/2012    9:46:34 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

1/3/2012    9:46:54 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

1/3/2012    9:48:57 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

However, the captured .txml file to ePO does not have the process information "C:\WINDOWS\Explorer.EXE" included.

<?xml version="1.0" encoding="UTF-8"?>
<VirusDetectionEvent>
    <MachineInfo>
        <MachineName>MyPCName</MachineName>
        <AgentGUID>{31D46A36-694B-42D6-A765-3FE89C8295A8}</AgentGUID>
        <IPAddress>10.10.10.46</IPAddress>
        <OSName>Windows XP</OSName>
        <UserName>AD\UserName</UserName>
        <TimeZoneBias>300</TimeZoneBias>
        <RawMACAddress>1433e6a2fe64</RawMACAddress>
    </MachineInfo>
    <ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
        <EngineVersion>5400.1158</EngineVersion>
        <DATVersion>6577.0000</DATVersion>
        <ScannerType>OAS</ScannerType>
        <TaskName>OAS</TaskName>
        <ProductFamily>TVD</ProductFamily>
        <ProductName>VirusScan Enterprise</ProductName>
        <ProductVersion>8.8</ProductVersion>
        <DetectionInfo>
            <EventID>1278</EventID>
            <Severity>3</Severity>
            <GMTTime>2012-01-03T09:48:57</GMTTime>
            <UTCTime>2012-01-03T14:48:57</UTCTime>
            <FileName>C:\temp\Investigation\eicar.com</FileName>
            <VirusName>EICAR test file</VirusName>
            <Source>_</Source>
            <VirusType>6</VirusType>
            <szVirusType>test</szVirusType>
        </DetectionInfo>
    </ScannerSoftware>
</VirusDetectionEvent>

Can someone suggest how to configure the agent to include the process name in the report to ePO?

McAfee agent is 4.5.0.1810

McAfee VSE: 8.8.0.777

Thank you.

Jin.

Message was edited by: jin on 1/4/12 2:25:30 PM CST
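As an added example (not from the original post or from McAfee), the following Python parses a .txml VirusDetectionEvent like the one quoted above, reports which DetectionInfo fields are absent, and fills the gap from the local on-access log line that does carry the process. The element name ProcessName is an assumption (the quoted .txml has no such element); the sample .txml and log line are constructed to mirror the post.

```python
"""Added example: check a VSE .txml event for missing fields and enrich it
from the local OAS log, which is the only place the process name appears."""
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the structure quoted in the post (trimmed).
SAMPLE_TXML = """<?xml version="1.0" encoding="UTF-8"?>
<VirusDetectionEvent>
  <MachineInfo><MachineName>MyPCName</MachineName><UserName>AD\\UserName</UserName></MachineInfo>
  <ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
    <ScannerType>OAS</ScannerType>
    <DetectionInfo>
      <EventID>1278</EventID>
      <Severity>3</Severity>
      <UTCTime>2012-01-03T14:48:57</UTCTime>
      <FileName>C:\\temp\\Investigation\\eicar.com</FileName>
      <VirusName>EICAR test file</VirusName>
    </DetectionInfo>
  </ScannerSoftware>
</VirusDetectionEvent>"""

# Constructed on-access log line, tab-separated like the post's OnAccessScanLog.
SAMPLE_LOG = ("1/3/2012\t9:48:57 AM\tDeleted (Clean failed because the detection isn't cleanable)"
              "\tAD\\username\tC:\\WINDOWS\\Explorer.EXE\tC:\\temp\\Investigation\\eicar.com"
              "\tEICAR test file (Test)")

# "ProcessName" is a hypothetical element name; the quoted .txml never emits it.
DETECTION_FIELDS = ("EventID", "Severity", "UTCTime", "FileName", "VirusName", "ProcessName")
LOG_KEYS = ("date", "time", "action", "user", "process", "file", "threat")

def parse_txml(text):
    """Return the DetectionInfo fields we care about; absent ones map to None."""
    root = ET.fromstring(text.encode("utf-8"))
    det = root.find("./ScannerSoftware/DetectionInfo")
    return {f: (det.findtext(f) if det is not None else None) for f in DETECTION_FIELDS}

def missing_fields(event):
    return [k for k, v in event.items() if v is None]

def parse_oas_log_line(line):
    """Split one OAS log line on tabs (or runs of 4+ spaces) into named fields."""
    parts = re.split(r"\t+|\s{4,}", line.strip())
    if len(parts) != len(LOG_KEYS):
        raise ValueError(f"unexpected field count {len(parts)}")
    return dict(zip(LOG_KEYS, parts))

def enrich_event(event, log_lines):
    """Copy the process from a log record matching the event's file and threat name."""
    for rec in map(parse_oas_log_line, log_lines):
        same_file = rec["file"].lower() == (event.get("FileName") or "").lower()
        same_threat = rec["threat"].startswith(event.get("VirusName") or "\0")
        if same_file and same_threat:
            event["ProcessName"] = rec["process"]
    return event
```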
12 Replies

Re: Malware events not fully reported to ePO

I have an issue similar to, but not the same as, the one you reported.

For 2 weeks I have not received "threat handled equal to false" anymore. I have upgraded ePO from 4.5 P5 to 4.6 P1 and McAfee Agent from 4.5 P3 to 4.6 P1.

jin
Level 7
Message 3 of 13

Re: Malware events not fully reported to ePO

On-Access does have the information about which application is related to the malware. Does anyone know how to include this information in the report to ePO? Thank you.

(attachment: eicar.JPG)

Re: Malware events not fully reported to ePO

Hi Mate,

You could try checking the server settings for which event notifications are selected; you can also configure more detailed logging through the agent policies.

jin
Level 7
Message 5 of 13

Re: Malware events not fully reported to ePO

In ePO -> Server Settings -> Event Filtering, I do have all the necessary event IDs checked. But for each event ID, I don't see a choice to customize the message collected from the agents. In fact, the McAfee agent on client computers does not have that information in the .txml file at all. I assume this is a client-side configuration but cannot figure it out.

Re: Malware events not fully reported to ePO

Just try to create a custom query with the information you need and see what the result is. You can try to install agent 4.6.

jin
Level 7
Message 7 of 13

Re: Malware events not fully reported to ePO

Tried agent v4.6. The result is the same. The agent did not include the process name in the report to ePO at all.

        <DetectionInfo>
            <EventID>1278</EventID>
            <Severity>3</Severity>
            <GMTTime>2012-01-11T10:08:21</GMTTime>
            <UTCTime>2012-01-11T15:08:21</UTCTime>
            <FileName>C:\temp\Investigation\eicar.com</FileName>
            <VirusName>EICAR test file</VirusName>
            <Source>_</Source>
            <VirusType>6</VirusType>
            <szVirusType>test</szVirusType>
        </DetectionInfo>

Re: Malware events not fully reported to ePO

Please create a new query with all the info you want in it and let us know the result.

jin
Level 7
Message 9 of 13

Re: Malware events not fully reported to ePO

My concern is how an ePO query would work if agents are not sending the process name to the ePO. I did create a new query with threat source/target process names, but it is always blank.

Thank you.

Jin.

Re: Malware events not fully reported to ePO

Hm,

Okay, what about the logging of the agent in the policy tab? Have you tried setting this up to report all events?
