10 Replies. Latest reply on Jan 5, 2012 8:59 AM by jin

    ePO report does not have "process name"

      I see the following log entry in the McAfee VirusScan Enterprise 8.8 on-access scan log.

      10/14/2011    4:32:00 PM    Deleted     AD\user    C:\Program Files\Internet Explorer\iexplore.exe    C:\Documents and Settings\user\Cookies\80HNESF7.txt\00000000.ie    Cookie-2O7 (Potentially Unwanted Program)

      However, in the corresponding ePO report, I see every piece of the information except "C:\Program Files\Internet Explorer\iexplore.exe". Is this because the AV client did not send the information to ePO, or because the ePO query does not display this information?

      Can anyone help with how to include "Threat Source Process Name" or "Threat Target Process Name" in an ePO report?

      Thank you.

      Jin.

        • 1. Re: ePO report does not have "process name"

          Generating a new query with the configuration below might solve the issue:

          Result Type: Events --> Threat Events

          Chart: Table

          Columns: select Threat Source Process Name, Threat Target Process Name

          Filter: "Threat Type" "equals" "Potentially Unwanted Program"

          • 2. Re: ePO report does not have "process name"
            jstanley

            Q: Is this because the AV client did not send the information to ePO or ePO query does not display this information?

            A: To answer this question you need to capture the event that VSE generated and forwarded to ePO. ePO can only include in the report the information that the threat event it received from the client contained. Here is one way to capture the event:

            1. Stop your Apache service on ePO (and on any agent handlers you may have). This prevents the client from forwarding the event to ePO.
            2. Generate a detection event. You can use EICAR for this, for example.
            3. Navigate to the "agentevents" directory, which depending on the OS will be in one of two places:
              • C:\Documents and Settings\All users\Application Data\McAfee\CommonFramework\AgentEvents
              • C:\ProgramData\McAfee\Common Framework\AgentEvents
            4. View the events with Notepad or Explorer and see if they contain the data you are looking for. If the event ends with .txml, you can rename it to .xml and view it in IE in a more readable format.

            If the event generated does not contain the process name, then VSE is simply not capturing this data and sending it to ePO. If it does contain the process name, then you should be able to query this data in ePO.

            • 3. Re: ePO report does not have "process name"

              murthyadari: None of the malware or PUP-related events have target/source threat process names in the ePO query. Some events

              jstanley: Instead of shutting down the ePO web server, I updated the local hosts file to block the communication between ePO and the client. I was able to use EICAR to trigger and capture the event description file in .txml format. However, it does not have the process name included.


              <?xml version="1.0" encoding="UTF-8"?>
              <VirusDetectionEvent>
                  <MachineInfo>
                      <MachineName>MyPCName</MachineName>
                      <AgentGUID>{31D46A36-694B-42D6-A765-3FE89C8295A8}</AgentGUID>
                      <IPAddress>10.10.10.46</IPAddress>
                      <OSName>Windows XP</OSName>
                      <UserName>AD\UserName</UserName>
                      <TimeZoneBias>300</TimeZoneBias>
                      <RawMACAddress>1433e6a2fe64</RawMACAddress>
                  </MachineInfo>
                  <ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
                      <EngineVersion>5400.1158</EngineVersion>
                      <DATVersion>6577.0000</DATVersion>
                      <ScannerType>OAS</ScannerType>
                      <TaskName>OAS</TaskName>
                      <ProductFamily>TVD</ProductFamily>
                      <ProductName>VirusScan Enterprise</ProductName>
                      <ProductVersion>8.8</ProductVersion>
                      <DetectionInfo>
                          <EventID>1278</EventID>
                          <Severity>3</Severity>
                          <GMTTime>2012-01-03T09:48:57</GMTTime>
                          <UTCTime>2012-01-03T14:48:57</UTCTime>
                          <FileName>C:\temp\Investigation\eicar.com</FileName>
                          <VirusName>EICAR test file</VirusName>
                          <Source>_</Source>
                          <VirusType>6</VirusType>
                          <szVirusType>test</szVirusType>
                      </DetectionInfo>
                  </ScannerSoftware>
              </VirusDetectionEvent>


              Is this something I need to configure on the agents?

              Thank you.

              Jin.

              • 4. Re: ePO report does not have "process name"

                Do the VirusScan engine and client have the ability to report the process name for malware events, or should I submit a product enhancement request?

                • 5. Re: ePO report does not have "process name"
                  JoeBidgood

                  These values are only used by the Access Protection, Port Blocking and Buffer Overflow sections of VSE - so it is normal that they are not included for a virus detection event.

                  Nothing to worry about.

                  Regards -

                  Joe

                  • 6. Re: ePO report does not have "process name"
                    jstanley

                    I'd suggest posting this question in the VSE forum; however, based on Joe's response I'm guessing this is "as designed" and you would need to submit a PER against VSE to have this behavior changed.

                    • 7. Re: ePO report does not have "process name"
                      JoeBidgood

                      Actually I wouldn't bother with the PER - from what I understand from the VSE team, this is as designed and can't be changed: these values aren't applicable to virus detections so there's no meaningful way to implement them...

                      HTH -

                      Joe

                      • 8. Re: ePO report does not have "process name"

                        My goal was to collect as much information as possible from an ePO event to find out the possible source of the malware. So far, I can only guess the source from the path of the detected file.

                        I wish to see Internet Explorer as the process name or parent process name if a malware sample was downloaded through web browsing. Or, if the process name is Outlook, I will know the malware came from email.

                        This information will also help me find out if the endpoint protection from McAfee and the anti-malware solutions from other vendors on the Internet gateway and email gateway work as expected.

                        Thanks all!

                        Jin.

                        • 9. Re: ePO report does not have "process name"

                          The agent did collect the information, at least for the EICAR test, but it is not in the report to ePO.

                          1/3/2012    9:16:19 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
                          1/3/2012    9:46:34 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
                          1/3/2012    9:46:54 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
                          1/3/2012    9:48:57 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

                          I will post this question to VSE as suggested.

                          Thank you.

                          Jin.
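The thread establishes two things: the .txml event that jstanley's capture procedure exposes (posted in reply 3) carries no process name under DetectionInfo, while the local on-access scan log (reply 9) does record the scanning process. The script below is an added example, not code from this thread or from McAfee. It parses both sources, reports which DetectionInfo elements the event actually contains, checks the UTCTime/GMTTime/TimeZoneBias relationship, and attaches the process from the local log to the event by matching file path and timestamp. It assumes the element names and the seven-column log order exactly as posted here, that the GMTTime element holds the same clock reading as the local log (true of the posted sample, where UTCTime is the 300-minute bias later), and a five-second match tolerance; all sample input is constructed from the values on this page.

```python
# Added example, not McAfee code: correlate a VSE agent event (.txml) with the local
# on-access scan log. Assumes the event layout and seven-column log order seen in this thread.
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample: the agent event Jin posted, trimmed to the fields used here.
EVENT_TXML = r"""<?xml version="1.0" encoding="UTF-8"?>
<VirusDetectionEvent>
  <MachineInfo>
    <MachineName>MyPCName</MachineName>
    <UserName>AD\UserName</UserName>
    <TimeZoneBias>300</TimeZoneBias>
  </MachineInfo>
  <ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
    <DetectionInfo>
      <EventID>1278</EventID>
      <Severity>3</Severity>
      <GMTTime>2012-01-03T09:48:57</GMTTime>
      <UTCTime>2012-01-03T14:48:57</UTCTime>
      <FileName>C:\temp\Investigation\eicar.com</FileName>
      <VirusName>EICAR test file</VirusName>
      <Source>_</Source>
      <VirusType>6</VirusType>
      <szVirusType>test</szVirusType>
    </DetectionInfo>
  </ScannerSoftware>
</VirusDetectionEvent>
"""

# Constructed sample: two of the scan-log lines Jin posted (columns separated by runs of spaces).
OAS_LOG = r"""1/3/2012    9:46:54 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
1/3/2012    9:48:57 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
"""

LOG_COLUMNS = ("date", "time", "action", "user", "process", "file", "threat")
_SPLIT = re.compile(r"\t|\s{2,}")  # tabs in the file itself, runs of spaces once pasted

def parse_oas_log(text):
    """Parse on-access scan log rows into dicts; the process column is what ePO lacks."""
    records = []
    for line in text.splitlines():
        fields = _SPLIT.split(line.strip())
        if len(fields) != len(LOG_COLUMNS):
            continue  # blank line or a row that is not a detection
        rec = dict(zip(LOG_COLUMNS, fields))
        rec["local_time"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records

def parse_agent_event(xml_text):
    """Extract the fields ePO receives and flag whether any DetectionInfo element names a process."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "VirusDetectionEvent":
        return None  # other event types found in the AgentEvents folder are ignored
    info = root.find("MachineInfo")
    det = root.find("ScannerSoftware/DetectionInfo")
    tags = [child.tag for child in det]
    return {
        "machine": info.findtext("MachineName"),
        "user": info.findtext("UserName"),
        "bias_minutes": int(info.findtext("TimeZoneBias")),
        "event_id": int(det.findtext("EventID")),
        "file": det.findtext("FileName"),
        "threat": det.findtext("VirusName"),
        "gmt_time": datetime.fromisoformat(det.findtext("GMTTime")),
        "utc_time": datetime.fromisoformat(det.findtext("UTCTime")),
        "detection_fields": tags,
        # Name-based check (assumption): a process field would carry "process" in its element name.
        "has_process_field": any("process" in t.lower() for t in tags),
    }

def bias_consistent(ev):
    """True when UTCTime == GMTTime + TimeZoneBias (300 min, i.e. 5 h, in the posted sample)."""
    return ev["utc_time"] - ev["gmt_time"] == timedelta(minutes=ev["bias_minutes"])

def enrich_event(ev, log_records, tolerance_seconds=5):
    """Attach the scanning process from the local log to the ePO-bound event (closest match wins)."""
    best, best_delta = None, None
    for rec in log_records:
        if rec["file"].lower() != ev["file"].lower():  # Windows paths: compare case-insensitively
            continue
        delta = abs(rec["local_time"] - ev["gmt_time"])  # GMTTime equals the local log clock here
        if delta <= timedelta(seconds=tolerance_seconds) and (best is None or delta < best_delta):
            best, best_delta = rec, delta
    enriched = dict(ev)
    enriched["process"] = best["process"] if best else None
    enriched["matched_log_time"] = best["time"] if best else None
    return enriched

if __name__ == "__main__":
    event = parse_agent_event(EVENT_TXML)
    print("DetectionInfo fields:", event["detection_fields"])
    print("process name present in event:", event["has_process_field"])
    print("process recovered from local log:", enrich_event(event, parse_oas_log(OAS_LOG))["process"])
```

The file-path plus timestamp join is what makes the correlation reliable: the 9:46:54 row for the same file is rejected because it is more than five seconds from the event, and only the 9:48:57 row is attached. The tolerance exists because the log and the event are written by different components and may not share the exact second; widen it only if your own captures show drift. The `has_process_field` check is name-based and is an assumption about how such an element would be named; on the posted sample it reports False, matching what Joe and jstanley describe.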
