6 Replies Latest reply on Jan 14, 2011 3:07 PM by aladdin9

    How to get Windows file time stamps of files that have been quarantined/detected as infected?

    Regis

      So often, I find malware via on-demand scans that I do in follow-up to something else (a user complaint about their workstation, a seemingly harmless detection in temp files or email, the web proxy indicating the machine is visiting "malware/spyware effects" category URLs, etc.). These on-demand scans quarantine some files, and I would like to know a best guess as to when the infections actually occurred. File creation times from Windows are often a useful indicator not only for incident response purposes, but also in detections in relatively harmless places in the file system, to make a "system restore point" vs. total rebuild decision, and to guide as to what point in the past to roll back to.


      Can I get ePO to tell me the Windows file attributes of a file either upon detection or while it's in quarantine?


      I've been looking through ePO 4.5 and trying to find a relevant field for this, but I fear it's not supported.  But McAfee if you're listening, it'd be really nice to add to this product.


      Unfortunately, if I can't get this information from ePO or the agent somehow, we have to ask techs to do the arduous task of a) disable on-access protection, b) restore the file from quarantine, c) hope the policy enforcement interval doesn't turn OAS back on and redetect it before you d) navigate down to the file's location and look at the Properties, then e) re-scan the file to get it back into quarantine.


      I'm hoping there's a better way?


      Currently on VSE 8.7p3, with agent 4.0 and ePO 4.5.
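As an added example, not code from the poster or from McAfee: the following PowerShell script collects the NTFS timestamps the post is after for a list of detected paths, and applies one forensic heuristic to them. On NTFS a copied or downloaded file receives a fresh creation time but keeps the source file's last-write time, so a creation time newer than the modification time usually marks the creation time as the moment the file arrived on this host. The input file name `C:\IR\detections.txt` and the function name `Get-FileTimeline` are assumptions chosen for the example; the paths are expected one per line, exported from whatever detection report is at hand.

```powershell
# Added example (not the poster's or McAfee's code): report NTFS timestamps for
# files named in a detection list, and flag the common "copied/downloaded later"
# pattern where CreationTime is newer than LastWriteTime.
# Assumption: the input is a plain text file of full paths, one per line; the
# name 'C:\IR\detections.txt' below is a placeholder.

function Get-FileTimeline {
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            # A quarantined or deleted file is no longer at its original
            # location; record the miss instead of silently skipping it.
            [pscustomobject]@{
                Path        = $p
                Present     = $false
                CreatedUtc  = $null
                ModifiedUtc = $null
                AccessedUtc = $null
                Note        = 'not on disk (quarantined or removed)'
            }
            continue
        }

        # -Force so hidden/system files (a common hiding place) are included.
        $item = Get-Item -LiteralPath $p -Force
        $note = ''

        # Copy/download semantics on NTFS: new creation time, inherited
        # last-write time. Created > Modified therefore points at the
        # creation time as the best estimate of arrival on this host.
        if ($item.CreationTimeUtc -gt $item.LastWriteTimeUtc) {
            $note = 'created after last write: likely copied/downloaded; use CreatedUtc for arrival'
        }

        # Last-access time is frequently frozen by NtfsDisableLastAccessUpdate
        # on modern Windows, so it is reported but should not drive decisions.
        [pscustomobject]@{
            Path        = $item.FullName
            Present     = $true
            CreatedUtc  = $item.CreationTimeUtc.ToString('u')
            ModifiedUtc = $item.LastWriteTimeUtc.ToString('u')
            AccessedUtc = $item.LastAccessTimeUtc.ToString('u')
            Note        = $note
        }
    }
}

# Usage: feed the exported detection paths (placeholder file name) and sort by
# creation time so the earliest arrivals on the box appear first.
Get-FileTimeline -Path (Get-Content -LiteralPath 'C:\IR\detections.txt') |
    Sort-Object CreatedUtc |
    Format-Table -AutoSize
```

Run it against the original paths while the files are still on disk (for example with a report-only scan, or against a forensic image of the volume). Whether restoring from quarantine preserves the original NTFS times depends on the product, so timestamps read after the restore-and-rescan cycle described in the post should be treated as unverified until checked against another source such as the detection event time in ePO.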