eddiec
Level 7
Message 1 of 3

Do unhandled threats ever become handled?

Hi all,

I am wondering if McAfee has the notion of unhandled threats, or threats that require manual administrator intervention. I've worked with antivirus platforms in the past that will alert if a virus is detected that cannot be cleaned. For these systems I've created reports to give to administrators that basically say, "This machine X is infected with this virus Y and it needs to be manually cleaned". I am trying to recreate this functionality with McAfee and I suspect that I am not doing it quite right.

I have created the following query, (edited and cleaned up for brevity):

target=EPOEvents&select=(select EPOLeafNode.NodeName EPOEvents.TargetFileName EPOEvents.ThreatName EPOEvents.ThreatType)&where=(where (eq EPOEvents.ThreatHandled "false"))

The idea here is that the threat is not handled, thus the ThreatHandled column is marked false. What I have noticed, though, is that when these threats are cleaned off the machine, these records remain marked as ThreatHandled = false in the database. Because of this, I suspect that I am misunderstanding what this column is meant for.

So my questions are:

Does McAfee ever get into a state where a threat is detected but not handled?

If yes, what is the best way to get that information?

Will these database records update themselves to reflect the removal of the threat once it has been cleaned up?

Much thanks to whoever can help me out with this,

-Eddie

1 Solution

Accepted Solutions
jking
Level 10
Message 2 of 3

Re: Do unhandled threats ever become handled?

No, that's an event, not a state.  You might be able to correlate with another scan time (maybe something from the client events) but the events are essentially an audit log -- written as they occur.

Jon
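
The correlation suggested in the reply above, sketched as an added example that is not part of the original thread or McAfee's own code: because event rows never change, "still unhandled" has to be derived by comparing each ThreatHandled = false event with what happened on that host afterwards. The sample rows are constructed, the timestamp field and the scan-record shape are assumptions, and treating a later clean scan or a later handled event as resolution is a reporting assumption rather than documented product behaviour.

```python
from datetime import datetime

T = datetime.fromisoformat

# Constructed sample events. NodeName, TargetFileName, ThreatName and ThreatHandled
# are the columns from the query in the thread; the timestamp is an assumed field.
# Tuples: (NodeName, TargetFileName, ThreatName, ThreatHandled, event_time)
EVENTS = [
    ("PC-01", r"C:\Temp\a.exe", "Sample.A", False, T("2024-01-10T09:00")),
    ("PC-01", r"C:\Temp\a.exe", "Sample.A", True,  T("2024-01-10T09:30")),
    ("PC-02", r"C:\Temp\b.dll", "Sample.B", False, T("2024-01-10T10:00")),
    ("PC-03", r"C:\Temp\c.doc", "Sample.C", False, T("2024-01-10T11:00")),
    ("PC-04", r"C:\Temp\d.exe", "Sample.D", False, T("2024-01-10T12:00")),
]

# Constructed scan-completion records (hypothetical shape for "client events"):
# (NodeName, scan_finished, detections_in_that_scan)
SCANS = [
    ("PC-02", T("2024-01-11T02:00"), 0),   # clean scan after the detection
    ("PC-03", T("2024-01-10T08:00"), 0),   # clean scan, but before the detection
    ("PC-04", T("2024-01-11T02:00"), 1),   # later scan still found something
]

def open_threats(events, scans):
    """Unhandled detections not superseded by a later handled event for the same
    host/file/threat and not followed by a clean scan on that host."""
    latest = {}
    for node, path, threat, handled, when in events:
        key = (node, path, threat)
        if key not in latest or when > latest[key][1]:
            latest[key] = (handled, when)      # keep only the newest event per key
    last_clean = {}
    for node, finished, detections in scans:
        if detections == 0 and finished > last_clean.get(node, datetime.min):
            last_clean[node] = finished        # newest clean scan per host
    return sorted(
        key for key, (handled, when) in latest.items()
        if not handled and last_clean.get(key[0], datetime.min) <= when
    )

if __name__ == "__main__":
    for node, path, threat in open_threats(EVENTS, SCANS):
        print(f"{node}: {threat} in {path} still needs manual attention")
```
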

2 Replies
eddiec
Level 7
Message 3 of 3

Re: Do unhandled threats ever become handled?

I was able to verify that pretty much everything in the system is event-based. Additionally, I've learned through talking with McAfee support that threats that cannot be automatically handled should be reported to McAfee.