zambox
Level 8
Message 1 of 13

EPO, Search hash file of an infected host


Good morning,

 

Is it possible to search in ePO, via the API or a direct DB query, for the file hash of an infected IP/hostname?

 

Thanks,
regards

Accepted Solution
cdinet (McAfee Employee)
Message 12 of 13

Re: EPO, Search hash file of an infected host


OK, go to Queries, All Queries, then select type ATD in the quick search and it will pull up some of the queries for ATD. Duplicate one of those, then you can modify it as desired to get the results you want.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

12 Replies
zambox
Level 8
Message 2 of 13

Re: EPO, Search hash file of an infected host


Or, to be more specific, is it possible to get the ATD Event Log information?

(details in the image)

[image: ATD_Event_log_information.PNG]

cdinet (McAfee Employee)
Message 3 of 13

Re: EPO, Search hash file of an infected host


In ePO, go to New Query, Events, and you will see an option for Adaptive Threat Events. Choose that, then when you get to the column selection tab you can choose hashes there; there are MD5, SHA1 and certificate hash options.

zambox
Level 8
Message 4 of 13

Re: EPO, Search hash file of an infected host


There is no such option as Adaptive Threat Events (options available: Aggregated Exploit Prevention Events, Client Events, Endpoint Security Threat Events, Threat Events, Web Control Events).

But the thing we need as info (if possible) is how to do it through the API:

URL: https://servername:port/remote/core.executeQuery?target=EPOEvents&select=(select EPOEvents.AnalyzerHostName EPOEvents.HASH5)

OR

Python: mc.core.executeQuery(target="EPOEvents", select="(select EPOEvents.AnalyzerHostName EPOEvents.HASH5)")

(I know that the HASH5 column doesn't exist in the EPOEvents table; it was just an example.)

 

Thanks in advance
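The URL sketch in the post above, carried through to a working script. This is an added example and not code from the thread, from McAfee, or from the ePO product documentation. It assumes: the ePO remote API answers `core.executeQuery` with a status line (`OK:`) followed by the payload, and with `:output=json` returns one JSON object per row keyed by the full column name; `EPOEvents.TargetHostName`, `EPOEvents.TargetFileName`, `EPOEvents.ThreatName` and `EPOEvents.ReceivedUTC` are real `EPOEvents` columns; the two hash column names in `COLUMNS` are placeholders only, to be replaced with the names shown on the column picker of the Adaptive Threat Events query type once the ATP extension is checked in. The `where` clause is a string expression built from the caller's host name, so the script validates the host name before interpolating it rather than letting a crafted value rewrite the filter. The sample response is constructed.

```python
"""Pull the file hashes behind threat events for one host from ePO's remote API.

Added example, not the thread's or McAfee's code. Column names marked
"placeholder" below are assumptions; take the real ones from the query builder.
"""
import json
import re
import ssl
import urllib.parse
import urllib.request
from base64 import b64encode
from collections import defaultdict

HOST_COLUMN = "EPOEvents.TargetHostName"
COLUMNS = [
    "EPOEvents.ReceivedUTC",
    "EPOEvents.ThreatName",
    "EPOEvents.TargetFileName",
    "EPOEvents.TargetFileMD5",   # placeholder: use the MD5 column from the column picker
    "EPOEvents.TargetFileSHA1",  # placeholder: use the SHA1 column from the column picker
]
HASH_COLUMNS = [c for c in COLUMNS if c.endswith(("MD5", "SHA1"))]

# RFC 1123 host-name shape; anything else (quotes, parentheses, spaces) is rejected
# so it cannot alter the S-expression filter we interpolate it into.
_HOSTNAME = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_query(host, columns=COLUMNS):
    """Return the core.executeQuery parameters that select `columns` for `host`."""
    if not _HOSTNAME.match(host):
        raise ValueError(f"refusing to interpolate suspicious host name: {host!r}")
    return {
        "target": "EPOEvents",
        "select": "(select " + " ".join(columns) + ")",
        "where": f'(eq {HOST_COLUMN} "{host}")',
        ":output": "json",
    }


def query_url(server, port, params):
    """Full HTTPS URL for the remote API call, with every parameter URL-encoded."""
    return f"https://{server}:{port}/remote/core.executeQuery?" + urllib.parse.urlencode(params)


def parse_response(body):
    """Strip ePO's status line ("OK:" on success) and decode the JSON payload (assumed format)."""
    status, _, payload = body.partition("\n")
    if status.strip() != "OK:":
        raise RuntimeError(f"ePO returned {status.strip()} {payload.strip()}".strip())
    return json.loads(payload)


def fetch_rows(server, port, user, password, host, ca_bundle=None):
    """Run the query against a live ePO server with HTTP basic auth over verified TLS."""
    req = urllib.request.Request(query_url(server, port, build_query(host)))
    req.add_header("Authorization", "Basic " + b64encode(f"{user}:{password}".encode()).decode())
    ctx = ssl.create_default_context(cafile=ca_bundle)  # pin the ePO CA instead of disabling checks
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return parse_response(resp.read().decode("utf-8"))


def hashes_for_host(rows, host):
    """Map each file seen on `host` to its distinct lowercase hashes, skipping empty columns."""
    found = defaultdict(set)
    for row in rows:
        if row.get(HOST_COLUMN) != host:  # defence in depth: re-check the server-side filter
            continue
        for col in HASH_COLUMNS:
            if row.get(col):
                found[row["EPOEvents.TargetFileName"]].add(row[col].lower())
    return {name: sorted(hashes) for name, hashes in found.items()}


# Constructed sample response: two events for the same file on ws-042 (one missing
# its SHA1) plus one event from another host, to show de-duplication and filtering.
_SAMPLE_ROWS = [
    {"EPOEvents.ReceivedUTC": "2019-03-04T09:12:00", "EPOEvents.ThreatName": "Sample.Generic",
     "EPOEvents.TargetHostName": "ws-042", "EPOEvents.TargetFileName": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "EPOEvents.TargetFileMD5": "0123456789ABCDEF0123456789ABCDEF",
     "EPOEvents.TargetFileSHA1": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709"},
    {"EPOEvents.ReceivedUTC": "2019-03-04T09:15:00", "EPOEvents.ThreatName": "Sample.Generic",
     "EPOEvents.TargetHostName": "ws-042", "EPOEvents.TargetFileName": "C:\\Users\\bob\\Downloads\\invoice.exe",
     "EPOEvents.TargetFileMD5": "0123456789abcdef0123456789abcdef", "EPOEvents.TargetFileSHA1": ""},
    {"EPOEvents.ReceivedUTC": "2019-03-04T09:20:00", "EPOEvents.ThreatName": "Other.Threat",
     "EPOEvents.TargetHostName": "ws-099", "EPOEvents.TargetFileName": "C:\\tmp\\x.dll",
     "EPOEvents.TargetFileMD5": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", "EPOEvents.TargetFileSHA1": ""},
]
SAMPLE_RESPONSE = "OK:\n" + json.dumps(_SAMPLE_ROWS)

if __name__ == "__main__":
    print(query_url("servername", 8443, build_query("ws-042")))
    print(json.dumps(hashes_for_host(parse_response(SAMPLE_RESPONSE), "ws-042"), indent=2))
```

Replace `parse_response(SAMPLE_RESPONSE)` with `fetch_rows(...)` to run it against a real server; the account needs only query permission on events, not administrator rights, and a CA bundle for the ePO certificate avoids the temptation to turn off verification.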

cdinet (McAfee Employee)
Message 5 of 13

Re: EPO, Search hash file of an infected host


If you don't see that option, then it would seem you are missing an extension. This is what I have.

[images: atp.png, extension.png]

zambox
Level 8
Message 6 of 13

Re: EPO, Search hash file of an infected host


We do have the ATD extension up and running:

[image: atd_ext.PNG]

But ATP is not in the options:

[image: options.PNG]

 

Thanks in advance.

cdinet (McAfee Employee)
Message 7 of 13

Re: EPO, Search hash file of an infected host


Under Endpoint Security extensions, do you have Endpoint Security Adaptive Threat Protection? In the meantime, I will test to see which exact extension adds that to the queries.

cdinet (McAfee Employee)
Message 8 of 13

Re: EPO, Search hash file of an infected host


The Endpoint Security Adaptive Threat Protection extension adds that to the queries.

zambox
Level 8
Message 9 of 13

Re: EPO, Search hash file of an infected host


First of all, thank you so much for your support, very helpful.

I will just kindly ask you to let me know which package we need for the query:

McAfee Endpoint Security (bundle)
Adaptive Threat Protection - full install (package)
Endpoint Security Adaptive Threat Protection 10.6.1 February Update (package)
Adaptive Threat Protection (extension)
Endpoint Security Adaptive Threat Protection 10.6.1 February Update Extension (extension)
Endpoint Security Adaptive Threat Protection Extension 10.6.1 Update (extension)

Thanks again for the quick and helpful replies

cdinet (McAfee Employee)
Message 10 of 13

Re: EPO, Search hash file of an infected host


If you are running the February update version of ENS, then that is the extension to add:

Endpoint Security Adaptive Threat Protection 10.6.1 February Update Extension (extension)

Otherwise, click on the bundle in Software Manager and check what is in the packages. If you are missing any extensions, you can check those in.

To clarify the difference between packages and extensions: the packages go into the Master Repository and are the installers to be pushed to the clients. They do not add any functionality in ePO.

The extensions add the back-end management capabilities for a point product to be managed via ePO. They add queries, tasks, policies and other back-end supportability info for that product.
