cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Former Member
Not applicable
Report Inappropriate Content
Message 1 of 13
‎05-14-2019 03:21 AM

EPO, Search hash file of an infected host

Jump to solution

Goodmorning, 

 

is it possible to search into EPO, via api or direct db query,  what is the hash file of an infected ip/hostname ? 

 

thanks

regards

0 Kudos
Reply
1 Solution

Accepted Solutions
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 12 of 13
‎05-14-2019 08:11 AM

Re: EPO, Search hash file of an infected host

Jump to solution

Ok, go to queries, all queries, then select type ATD in the quick search and it will pull up some of those queries for ATD.  Duplicate one of those, then you can modify it as desired to get the results you want.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

View solution in original post

Reply
12 Replies
Former Member
Not applicable
Report Inappropriate Content
Message 2 of 13
‎05-14-2019 03:51 AM

Re: EPO, Search hash file of an infected host

Jump to solution

Or to be more specific, is it able to get the ATD Event Log Information.

(details in the image)

ATD_Event_log_information.PNG

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 3 of 13
‎05-14-2019 04:34 AM

Re: EPO, Search hash file of an infected host

Jump to solution

In epo, go to new query, events, and you will see an option for adaptive threat events.  Choose that, then when you get to the columns selection tab, you can choose hashes there - there are md5, sha1 and certificate hash options. 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 4 of 13
‎05-14-2019 05:11 AM

Re: EPO, Search hash file of an infected host

Jump to solution

There is no such option as adaptive threat events (options available: Aggregated Exploit Prevention Events, Client Events, Endpoint Security Threat Events, Threat Events, Web Control Events)

But the thing that we need as info (if possible) is how to do it through the API:

URL: https://servername:port/remote/core.executeQuery?target=EPOEvents&select=(select
EPOEvents.AnalyzerHostName EPOEvents.HASH5)

 

OR


Python: mc.core.executeQuery(target="EPOEvents", select="(select EPOEvents.AnalyzerHostName
EPOEvents.HASH5)");

 

(I know that HASH5 column doesn't exist in the EPOEvents table, it was just an example)

 

Thanks in advance

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 5 of 13
‎05-14-2019 05:17 AM

Re: EPO, Search hash file of an infected host

Jump to solution

If you don't see that option, then it would seem you are missing an extension.  This is what I have.

atp.pngextension.png

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 6 of 13
‎05-14-2019 05:53 AM

Re: EPO, Search hash file of an infected host

Jump to solution

We do have the ATD extension up and running:

atd_ext.PNG

But the ATP is not in the options:

options.PNG

 

Thanks in advance.

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 7 of 13
‎05-14-2019 06:01 AM

Re: EPO, Search hash file of an infected host

Jump to solution

Under endpoint security extensions, do you have Endpoint Security Adaptive Threat Protection?  In the meantime, I will test to see what exact extension adds that to the queries.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 8 of 13
‎05-14-2019 06:04 AM

Re: EPO, Search hash file of an infected host

Jump to solution

 Endpoint Security Adaptive Threat Protection extension adds that to the queries.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
Former Member
Not applicable
Report Inappropriate Content
Message 9 of 13
‎05-14-2019 06:26 AM

Re: EPO, Search hash file of an infected host

Jump to solution

First of all, thank you so much for your support, very helpful.

I will just kindly ask you, if you can let me know which package do we need, for the query:

McAfee Endpoint Security (bundle)
Adaptive Threat Protection - full install (package)
Endpoint Security Adaptive Threat Protection 10.6.1 February Update (package)
Adaptive Threat Protection (extension)
Endpoint Security Adaptive Threat Protection 10.6.1 February Update Extension (extension)
Endpoint Security Adaptive Threat Protection Extension 10.6.1 Update (extension)

Thanks again for the quick and helpful replies

0 Kudos
Reply
cdinet
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 10 of 13
‎05-14-2019 06:43 AM

Re: EPO, Search hash file of an infected host

Jump to solution

If you are running the Feb update version of ens, then that is the extension to add:

Endpoint Security Adaptive Threat Protection 10.6.1 February Update Extension (extension)

Otherwise, click on the bundle in software manager and check what is in the packages.  If you are missing any extensions, you can check those in.

To clarify difference between packages and extensions, the packages go into master repository and are the installers to be pushed to the clients.  They do not add any functionality in epo.

The extensions add the backend management capabilities for a point product to be managed via epo.  They add queries, tasks, policies and other back end supportability info for that product. 

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
6220 America Center Drive
San Jose, CA 95002 USA

Consumer Support   |   Enterprise Support   |   McAfee.com for Enterprise

Legal   |   Privacy   |   Copyright © 2021 Musarubra US LLC