Message 1 of 7

Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

I am wanting to get alerts on devices that are producing consistent potential risk activity. I don't see a built in report or where this information is being pulled into ePO via the agent. Is there a way to do this?

6 Replies

Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

Hi sol, Access Protection logs are already pushed to ePO by default and they appear under the Threat Event Log.

What you need is to customize a query so you can decide which Access Protection events you want to appear in it.

Message 3 of 7

Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

These are the types of logs I am looking for and I don't see them in ePO. I see them on the devices in the desktop log files. I see actual threat detections but not even activity that I can set rules on.

I want to know what devices are trying to spoof or run files from the temp folders. I want to be able to set an alert that says if XXXXX device is trying to send from the TEMP folder more than 5 times in 1 minute... alert me. Can I do this?

4/15/2015 9:37:17 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | ST_CLOUD\username | C:\Windows\explorer.exe | \Device\Mup\ hostname \c$\Users\username2\AppData\Local\Temp\AcDeltree.exe | Common Standard Protection:Prevent common programs from running files from the Temp folder | Action blocked : Execute

4/15/2015 10:32:33 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | ST_CLOUD\username | C:\Windows\explorer.exe | \Device\Mup\ hostname \c$\Windows\explorer.exe | Anti-virus Standard Protection:Prevent Windows Process spoofing | Action blocked : Read

4/16/2015 9:19:41 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | ST_CLOUD\username3 | C:\Windows\explorer.exe | \Device\Mup\ hostname 2\c$\Windows\explorer.exe | Anti-virus Standard Protection:Prevent Windows Process spoofing | Action blocked : Read

4/16/2015 9:54:30 AM | Would be blocked by Access Protection rule (rule is currently not enforced) | ST_CLOUD\username3 | C:\Windows\explorer.exe | \Device\Mup\ hostname \c$\Users\cpt111\AppData\Local\Temp\supoptsetup.exe | Common Standard Protection:Prevent common programs from running files from the Temp folder | Action blocked : Execute
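An added example (not from this thread or from McAfee) of the per-device threshold alert sol asks for, run over constructed log lines that follow the field order of the entries above (timestamp, status, user, process, target, rule, action); the hostnames, users and file names are invented sample data:

```python
"""Burst detection over VirusScan Access Protection log entries (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

THRESHOLD = 5                    # "more than 5 times ..."
WINDOW = timedelta(minutes=1)    # "... in 1 minute"
# The device is the host segment of the UNC-style target: \Device\Mup\HOST\c$\...
_HOST_RE = re.compile(r"\\Device\\Mup\\([^\\]+)\\", re.IGNORECASE)
STATUS = "Would be blocked by Access Protection rule (rule is currently not enforced)"
TEMP_RULE = "Common Standard Protection:Prevent common programs from running files from the Temp folder"
SPOOF_RULE = "Anti-virus Standard Protection:Prevent Windows Process spoofing"

def parse_line(line: str) -> dict:
    """Split one tab-separated log line; timestamps use the log's m/d/Y h:m:s AM/PM format."""
    ts, status, user, process, target, rule, action = [f.strip() for f in line.split("\t")]
    host = _HOST_RE.search(target)
    return {"time": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"), "status": status,
            "user": user, "process": process, "target": target, "rule": rule,
            "action": action, "device": host.group(1) if host else "localhost"}

def burst_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per (device, rule); one alert each time a burst crosses the threshold."""
    recent = defaultdict(deque)
    alerts = []
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["time"]):
        key = (ev["device"], ev["rule"])
        q = recent[key]
        q.append(ev["time"])
        while q and ev["time"] - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) == threshold + 1:                # "more than 5" -> fires on the 6th
            alerts.append((ev["device"], ev["rule"], ev["time"]))
    return alerts

def _line(ts, user, target, rule, action):
    """Build a constructed log line in the same field order as the client log."""
    return "\t".join([ts, STATUS, user, r"C:\Windows\explorer.exe", target, rule, action])

# Constructed sample: six Temp-folder executions from WS-A in 38 seconds (should alert),
# plus two isolated process-spoofing reads on other days (should not).
SAMPLE = [_line(f"4/15/2015 9:37:{s:02d} AM", r"ST_CLOUD\user1",
                r"\Device\Mup\WS-A\c$\Users\user1\AppData\Local\Temp\tool.exe",
                TEMP_RULE, "Action blocked : Execute") for s in (17, 20, 25, 31, 40, 55)] + [
    _line("4/15/2015 10:32:33 AM", r"ST_CLOUD\user1",
          r"\Device\Mup\WS-A\c$\Windows\explorer.exe", SPOOF_RULE, "Action blocked : Read"),
    _line("4/16/2015 9:19:41 AM", r"ST_CLOUD\user3",
          r"\Device\Mup\WS-B\c$\Windows\explorer.exe", SPOOF_RULE, "Action blocked : Read")]

if __name__ == "__main__":
    for device, rule, when in burst_alerts(SAMPLE):
        print(f"ALERT {when:%Y-%m-%d %H:%M:%S} {device}: >{THRESHOLD} hits on '{rule}' within {WINDOW}")
```

The same grouping (device plus rule name) is what a custom ePO query on the Threat Event Log would have to key on to approximate this; the "would be blocked" status must be logged by the policy for any of it to reach the server.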


Re: Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

Have a look at the attached query, it should reflect Access Protection events stored in ePO.



Message 5 of 7

Re: Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

Lazlo,  thank you so much for your assistance. This document was an empty page.

Message 6 of 7

Re: Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

After running the report I realized it shows me the known detected threats and the action taken. I was looking more for a report/query where devices are logging activity (OnAccess Protection log) such as blocks, writes, attempts to disable, and there are no threats detected. To me this activity could be a sign that something on the device is active but not being detected.

I would like to check these devices out. The Threat Event Log only displays KNOWN threats on the device and what action was taken on them.

Message 7 of 7

Re: Is there a way to pull the client AccessProtection log into ePO to create reports or alerts on them?

You need to first verify that you have Access Protection rule logging enabled via Policy Catalog > Access Protection Policies.

Example

[Attached screenshots: Forums-AccessProtection001.png, Forums-AccessProtection002.png, Forums-AccessProtection003.png, Forums-AccessProtection004.png]

-d
