McAfee Employee Greg_Steele

Reporting on Reinfected Systems

Is anyone aware if through ePO I can build a query that will report on systems that have become re-infected with malware over a short amount of time?

For example, if a system is infected on Monday with malware and then is re-infected a couple of days later. I am trying to capture this use case with an objective of providing more education to the end users of these machines. So far, I have been unsuccessful in capturing the second infection.

ePO 4.6.4

MA 4.5 P3

VSE 8.7.4

AS 8.7

1 Reply

Re: Reporting on Reinfected Systems

Well, there is a way of doing it, even if it is not terribly elegant.

Create a tag that you name, for instance, INF1, one that you name INF2, and one named INF3 (may be extended further if you want to).

Create a query (Inf1Query) that runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 hours and that do NOT have the INF1 tag (or the INF2 and INF3 tags, if you extend it).

Create a query (Inf2Query) that runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 hours and that do have the INF1 tag, but not the INF2 tag or INF3 tag.

Create a query (Inf3Query) that runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 hours and that do have the INF2 tag, but not the INF1 tag or the INF3 tag.

Create a server task that runs the queries in the following order, and that performs the following actions:

Inf3query
  • Apply tag INF3
  • Clear tag INF2
  • Clear tag INF1

Inf2query
  • Apply tag INF2
  • Clear tag INF1
  • Clear tag INF3

Inf1query
  • Apply tag INF1
  • Clear tag INF2
  • Clear tag INF3

You may extend this up to 7 days if you want to have a more thorough overview of how many times per week the clients are infected, or bring it down to 2 days/tags if you only want to know that the client has been infected multiple times.

On Sunday, for instance, you need to create a query to do some cleanup.

There you can choose to just remove all the tags to get a "clean slate" starting on Monday,

or you can remove the tags for computers that have not had any infections in the last 2 days (to cater for no people being on over the weekend),

or only the computers that have reached INF3 (or INF2), etc.

Basically just choose what you want out of it.

In regards to a display of it, just create a boolean query that shows clients that have the INF2 tag (for the limited version) or the INF2, INF3, INF4, etc. tags (for the "upgraded" version).

Or you can create several counters to show how many computers are at each level.

As I said it is not terribly elegant, but it does give you the results.

/Thomas
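The tag-rotation scheme in the reply above, modelled in Python as an added example (this is not code from the thread or from ePO itself): the three tag conditions, the server task order, and the reporting query, run over constructed detection events so the effect of running Inf3query before Inf1query is visible.

```python
from datetime import datetime, timedelta

# Constructed detection events (system, time) standing in for the ePO threat
# event log; these are not real data.
DETECTIONS = [
    ("WS-01", datetime(2013, 3, 4, 9)),   # Mon
    ("WS-01", datetime(2013, 3, 6, 14)),  # Wed: re-infected two days later
    ("WS-02", datetime(2013, 3, 5, 11)),  # Tue: single infection
    ("WS-03", datetime(2013, 3, 4, 8)),   # Mon, Tue, Wed: infected daily
    ("WS-03", datetime(2013, 3, 5, 8)),
    ("WS-03", datetime(2013, 3, 6, 8)),
]
SYSTEMS = sorted({s for s, _ in DETECTIONS})

def detected_last_24h(system, now):
    """The 'malware detection in the last 24 hours' filter each query uses."""
    return any(s == system and now - timedelta(hours=24) < t <= now
               for s, t in DETECTIONS)

# Tag conditions of the three queries in the reply; `tags` is one system's tag set.
def inf3_query(tags):  # has INF2, but not INF1 or INF3
    return "INF2" in tags and not tags & {"INF1", "INF3"}

def inf2_query(tags):  # has INF1, but not INF2 or INF3
    return "INF1" in tags and not tags & {"INF2", "INF3"}

def inf1_query(tags):  # none of the INF tags
    return not tags & {"INF1", "INF2", "INF3"}

# Server task order from the reply: Inf3query, then Inf2query, then Inf1query.
QUERY_ORDER = [(inf3_query, "INF3"), (inf2_query, "INF2"), (inf1_query, "INF1")]

def run_server_task(tags, now, order=QUERY_ORDER):
    """One nightly run. Each query's result set is fixed before its actions run,
    so a system tagged by one query is only seen by the queries after it."""
    for query, new_tag in order:
        hits = [s for s in SYSTEMS if detected_last_24h(s, now) and query(tags[s])]
        for s in hits:
            tags[s] = {new_tag}  # apply the new tag and clear the other two

def simulate(order=QUERY_ORDER, nights=3, start=datetime(2013, 3, 4, 23, 59)):
    """Run the server task at 23:59 each night from Monday; return final tags."""
    tags = {s: set() for s in SYSTEMS}
    for n in range(nights):
        run_server_task(tags, start + timedelta(days=n), order)
    return {s: ",".join(sorted(t)) for s, t in tags.items()}

def reinfected(final_tags):
    """The reporting query: systems tagged INF2 or INF3 were hit at least twice."""
    return sorted(s for s, t in final_tags.items() if t in ("INF2", "INF3"))
```

Running `simulate` with the query order reversed (Inf1query first) promotes a system straight from untagged to INF3 in a single night, so a once-infected machine shows up in the re-infection report.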
