We are looking at specific threat events, and I was hoping to get more clarity on how the Threat Source / Target fields are populated. This is for a network where Host A is ePO-connected and Host B is not ePO-connected.
Host A reported an event, showing Host B as Threat Source, and Host A as Threat Target.
A few specific questions arise:
1. Must Host B be running a McAfee AV product for Host A to flag the event?
2. What mechanism does McAfee use when assigning values to these fields, i.e. what criteria does McAfee use to determine what the Threat Source is?
3. What would be the best way to interpret a situation where the Threat Source is different from the Threat Target? E.g., is Host B trying to spam malware across the network? Or are detection events just forwarded to Host A and flagged in ePO as such, since Host B is not connected to ePO?
4. Which log file would give the most details about these threat events?
Would appreciate any information / detail that would clarify any of the above points, thanks!
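One triage check a practitioner would want for question 3 is to pivot the events on Threat Source rather than on the reporting host: a source that differs from the target and shows up against several distinct targets looks like a remote origin, while a source that never itself reports an event is a host ePO has no agent on. The script below is an added example, not part of the original post and not McAfee or ePO code; the event list is constructed, and the field names (source_ip, target_ip, threat) are assumptions, not ePO's actual column names.

```python
from collections import defaultdict

# Constructed sample events in the shape the post describes: one remote
# source (10.0.0.20, "Host B") seen by three reporting hosts, plus one
# local detection where source and target are the same host.
# Field names are assumptions for this example, not ePO's real schema.
EVENTS = [
    {"source_ip": "10.0.0.20", "target_ip": "10.0.0.10", "threat": "EICAR test file"},
    {"source_ip": "10.0.0.20", "target_ip": "10.0.0.11", "threat": "EICAR test file"},
    {"source_ip": "10.0.0.20", "target_ip": "10.0.0.12", "threat": "EICAR test file"},
    {"source_ip": "10.0.0.10", "target_ip": "10.0.0.10", "threat": "Generic.dx"},
]


def pivot_by_source(events):
    """Group events by Threat Source and summarise distinct targets, threat names and count."""
    by_source = defaultdict(lambda: {"targets": set(), "threats": set(), "count": 0})
    for ev in events:
        summary = by_source[ev["source_ip"]]
        summary["targets"].add(ev["target_ip"])
        summary["threats"].add(ev["threat"])
        summary["count"] += 1
    return dict(by_source)


def remote_sources(events, min_targets=2):
    """Sources that differ from the target (remote origin) and were seen by
    at least min_targets distinct targets, sorted for stable output."""
    remote = [ev for ev in events if ev["source_ip"] != ev["target_ip"]]
    summary = pivot_by_source(remote)
    return sorted(src for src, s in summary.items() if len(s["targets"]) >= min_targets)


def sources_not_reporting(events):
    """Sources that never appear as a Threat Target, i.e. never reported an
    event themselves. Heuristic (an assumption of this example): a host that
    only ever appears as a source and never as a reporting target is likely
    not managed by ePO, as the post says of Host B."""
    reporters = {ev["target_ip"] for ev in events}
    return sorted({ev["source_ip"] for ev in events} - reporters)


if __name__ == "__main__":
    for src, s in pivot_by_source(EVENTS).items():
        print(f"{src}: {s['count']} events, {len(s['targets'])} targets, threats={sorted(s['threats'])}")
    print("remote sources hitting 2+ targets:", remote_sources(EVENTS))
    print("sources that never reported:", sources_not_reporting(EVENTS))
```

Run it against an export of the ePO threat event log (after mapping the real column names onto source_ip, target_ip and threat); a source that lands in both lists is the "unmanaged host hitting many managed hosts" pattern the post is asking how to read.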