Rudder88
Level 7
Message 1 of 3

ePO VSE Threat Events - Source vs. Target

We are looking at specific threat events generated on a system running VSE, and I was hoping to get more clarity on how the Threat Source / Target fields are populated.  This is for a network where Host A is ePO connected, and Host B is not ePO connected.

Host A reported an event, showing Host B as Threat Source, and Host A as Threat Target. 

A few specific questions arise:

1. Must Host B be running a McAfee AV product for Host A to flag the event?

2. What mechanism does McAfee use when assigning values to these fields, i.e. what criteria does McAfee use to determine what the Threat Source is?

3. What would the best way be to interpret a situation where the Threat Source is different from the Threat Target?  e.g. Is Host B trying to spam malware across the network?  Are detection events just forwarded to Host A and flagged in ePO as such, since Host B is not connected to ePO?

4. Which log file would give the most details about these threat events? 

Would appreciate any information / detail that would clarify any of the above points, thanks!

2 Replies
Dayananda
McAfee Employee
Message 2 of 3

Re: ePO VSE Threat Events - Source vs. Target

Hello,

 

Thank you for your post. Please find the answers to your questions.

1. Must Host B be running a McAfee AV product for Host A to flag the event?
Not necessarily; the system that has AV will protect the host machine.
So if Host A has AV, it will be protected against malicious activity.
If Host A doesn't have AV, it will not be protected.

2. What mechanism does McAfee use when assigning values to these fields, i.e. what criteria does McAfee use to determine what the Threat Source is?
Some kind of activity on Host B may be trying to access the resources of Host A, so Host B is flagged as the source.
HostB------------->HostA

3. What would the best way be to interpret a situation where the Threat Source is different from the Threat Target? e.g. Is Host B trying to spam malware across the network? Are detection events just forwarded to Host A and flagged in ePO as such, since Host B is not connected to ePO?
The description of the threat event will give you the information on the threat.

4. Which log file would give the most details about these threat events?
The logs in the below location will give you more information on the event.
(For the VSE product) C:\ProgramData\McAfee\DesktopProtection

I hope this helps.

Let us know if you have any queries.

 

Regards,
Daya
yaz
McAfee Employee
Message 3 of 3

Re: ePO VSE Threat Events - Source vs. Target

Hi @Rudder88 

Thanks for reaching out to community. 

Please find the answers to your queries. 

1. Must Host B be running a McAfee AV product for Host A to flag the event?

Answer: Host B need not necessarily be running McAfee AV. Host A will automatically delete, quarantine or block the suspicious events, based on the mechanism of the threat.

2. What mechanism does McAfee use when assigning values to these fields, i.e. what criteria does McAfee use to determine what the Threat Source is?

Answer: Hostname, IP address, threat analyzer and detection (if present). These are the common sources, but the sources vary depending on the McAfee product.

3. What would the best way be to interpret a situation where the Threat Source is different from the Threat Target?  e.g. Is Host B trying to spam malware across the network?  Are detection events just forwarded to Host A and flagged in ePO as such, since Host B is not connected to ePO?

Answer: Yes, events will be flagged to ePO, and the logs in ePO will give a clear picture of what is happening. It does not really matter whether Host B is connected to ePO; if it is within the network, any mechanism can mark this threat. If Host B is outside the network, you can configure firewall rules accordingly to block the traffic flow between them.

4. Which log file would give the most details about these threat events? 

Answer: On the local machine, the ProgramData logs give this information. Once again, this depends on the threat mechanism (On-Access Scan, On-Demand Scan, Exploit Prevention, Access Protection, etc.).

Kindly write back if you are looking for more details.

Was my Reply Helpful?

If yes, give me a kudo. If I have answered your query, you can mark this as solution, so that we together can assist other community members.
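Both replies point at the same triage rule: when Threat Source differs from Threat Target, the agent on the target host raised the detection but attributed the activity to another host, and the useful follow-up is to see whether one source shows up across many targets (question 3). The script below is an added example, not code from this thread or from McAfee: it reads an ePO threat-event CSV export, splits events into local and remote-origin, and lists sources that several different hosts have reported. The column names are an assumption about the export layout (adjust them to your own export), and the host names, IPs and rows are constructed for illustration.

```python
"""
Triage of ePO threat events by Threat Source vs. Threat Target.

Added example, not code from the forum thread or from McAfee. The CSV
column names below are an assumption about the ePO threat-event export
format; rename them to match your own export. The sample rows, hosts and
IPs are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (hypothetical hosts and IPs). Source != Target
# means the agent that raised the event (Target) attributed the activity to
# another host (Source), e.g. a file written to the target over a share.
SAMPLE_CSV = """Event ID,Threat Source Host Name,Threat Source IPv4 Address,Threat Target Host Name,Threat Target IPv4 Address,Threat Name,Threat Event Description,Action Taken
1027,HOSTB,10.0.0.20,HOSTA,10.0.0.10,EICAR test file,Malware detected,Deleted
1027,HOSTB,10.0.0.20,HOSTC,10.0.0.30,EICAR test file,Malware detected,Deleted
1027,HOSTB,10.0.0.20,HOSTD,10.0.0.40,Generic.dx,Malware detected,Quarantined
1027,HOSTA,10.0.0.10,HOSTA,10.0.0.10,Generic.dx,Malware detected,Deleted
1092,HOSTC,10.0.0.30,HOSTA,10.0.0.10,Access Protection rule violation,Access Protection rule violation detected and blocked,Blocked
"""


def parse_events(text):
    """Parse an ePO threat-event CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def is_remote_origin(event):
    """True when the reporting host attributes the event to a different host."""
    src = event["Threat Source Host Name"].strip().upper()
    tgt = event["Threat Target Host Name"].strip().upper()
    return bool(src) and src != tgt


def remote_sources(events, min_targets=2):
    """
    Map each Threat Source host to the distinct Threat Target hosts that
    reported it, keeping only sources named by at least `min_targets`
    different hosts. One source reported by many targets is the pattern
    to check when asking whether a host is spreading malware across the
    network rather than just tripping a single host's scanner.
    """
    targets = defaultdict(set)
    for e in events:
        if is_remote_origin(e):
            src = e["Threat Source Host Name"].strip().upper()
            targets[src].add(e["Threat Target Host Name"].strip().upper())
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def summarize(events):
    """Count local vs. remote-origin events per reporting (Threat Target) host."""
    counts = defaultdict(lambda: {"local": 0, "remote": 0})
    for e in events:
        key = "remote" if is_remote_origin(e) else "local"
        counts[e["Threat Target Host Name"].strip().upper()][key] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for src, tgts in remote_sources(evs).items():
        print(f"{src} named as Threat Source by {len(tgts)} hosts: {', '.join(tgts)}")
    for host, c in sorted(summarize(evs).items()):
        print(f"{host}: local={c['local']} remote={c['remote']}")
```

In the constructed data, HOSTB is named as Threat Source by three different targets while HOSTC is named by only one, so only HOSTB is surfaced by `remote_sources`; that is the case worth pulling the local ProgramData logs on the reporting hosts for, since the source host (like Host B in the question) may have no agent and no logs of its own.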
