Generating a new query with the configuration below might solve the issue:
Result Type: events --> threat events
Chart : table
columns: Select Threat source process name, Threat target process name
Filter: "threat type" "equals" "potentially unwanted program"
Q: Is this because the AV client did not send the information to ePO or ePO query does not display this information?
A: To answer this question you need to capture the event that VSE generated and forwarded to ePO. ePO can only include in the report the information that the threat event it received from the client contained. Here is one way to capture the event:
- Stop your apache service on ePO (and any agent handlers you may have). This is to prevent the client from forwarding the event to ePO.
- Generate a detection event. You can use eicar for example for this.
- Navigate to the "agentevents" directory which depending on the OS will be in one of two places:
- C:\Documents and Settings\All users\Application Data\McAfee\CommonFramework\AgentEvents
- C:\ProgramData\McAfee\Common Framework\AgentEvents
- View the events with notepad or explorer and see if they contain the data you are looking for. If the event ends with a .txml you can rename it to .xml and view it in IE in a more readable format.
If the event generated does not contain the process name then the VSE is simply not capturing this data and sending it to ePO. If it does contain the process name then you should be able to query this data in ePO.
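The last step above is a manual check of each captured .txml/.xml event for the fields you need. The script below automates that check; it is an added example, not part of the original thread or a McAfee tool. It parses every event file in an AgentEvents directory, lists each element and attribute it contains, and flags any whose name mentions "process". Only the ScannerSoftware/VirusName fragment comes from the thread; the SourceProcessName element in the second sample is a constructed, hypothetical name used to show what a positive match would look like.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the fragment quoted in the thread, closed to make it well-formed.
SAMPLE_TXML = r"""<?xml version="1.0" encoding="UTF-8"?>
<ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
<VirusName>EICAR test file</VirusName>
</ScannerSoftware>
"""

# Constructed sample with a hypothetical process-name element (not a real VSE field name).
SAMPLE_WITH_PROCESS = r"""<?xml version="1.0" encoding="UTF-8"?>
<ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
<VirusName>EICAR test file</VirusName>
<SourceProcessName>C:\WINDOWS\Explorer.EXE</SourceProcessName>
</ScannerSoftware>
"""

def local_name(tag):
    """Strip an XML namespace prefix ({ns}Name -> Name) if one is present."""
    return tag.rsplit("}", 1)[-1]

def _walk(elem, prefix, fields):
    """Record 'path@attr' for attributes and 'path' for text content, recursively."""
    path = f"{prefix}/{local_name(elem.tag)}" if prefix else local_name(elem.tag)
    for attr, value in elem.attrib.items():
        fields[f"{path}@{attr}"] = value
    text = (elem.text or "").strip()
    if text:
        fields[path] = text
    for child in elem:
        _walk(child, path, fields)

def inspect_event(xml_text, keyword="process"):
    """Return (fields, matches): all fields in the event, and those whose
    path contains `keyword` (case-insensitive). An empty `matches` means the
    client never sent that data, so ePO cannot report it."""
    fields = {}
    _walk(ET.fromstring(xml_text), "", fields)
    matches = {k: v for k, v in fields.items() if keyword.lower() in k.lower()}
    return fields, matches

def inspect_directory(directory, keyword="process"):
    """Run inspect_event over every .txml/.xml file in an AgentEvents directory."""
    report = {}
    for name in sorted(os.listdir(directory)):
        if name.lower().endswith((".txml", ".xml")):
            with open(os.path.join(directory, name), encoding="utf-8") as fh:
                report[name] = inspect_event(fh.read(), keyword)[1]
    return report
```

Point `inspect_directory` at the AgentEvents path for your OS (one of the two listed above); an event whose reported matches are empty confirms the process name was never in the event VSE produced.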
murthyadari: None of the malware or PUP-related events have target/source threat process names in the ePO query. Some events
jstanley: Instead of shutting down ePO web server, I updated local hosts file to block the communication between ePO and client. I was able to use eicar to trigger and capture the event description file in .txml format. However, it does not have process name included.
<?xml version="1.0" encoding="UTF-8"?>
<ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
<VirusName>EICAR test file</VirusName>
Is this something I need to configure on the agents?
Do the VirusScan engine and client have this feature to report the process name for malware events, or should I submit a product enhancement request?
These values are only used by the Access Protection, Port Blocking and Buffer Overflow sections of VSE - so it is normal that they are not included for a virus detection event.
Nothing to worry about
I'd suggest posting this question in the VSE forum; however, based on Joe's response I'm guessing this is "as designed" and you would need to submit a PER against VSE to have this behavior changed.
Actually I wouldn't bother with the PER - from what I understand from the VSE team, this is as designed and can't be changed: these values aren't applicable to virus detections so there's no meaningful way to implement them...
My goal was to collect as much information as possible from an ePO event to find out the possible source of the malware. So far, I can only guess the source from the path of the detected file.
I wish to see Internet Explorer as process name or parent process name if a malware was downloaded through web browsing. Or, if the process name is Outlook, I will know the malware came from Email.
This information will also help me find out if endpoint protection from McAfee and anti-malware solution from other vendors on Internet gateway and email gateway work as expected.
The agent did collect the information, at least for the EICAR test, but it is not in the report to ePO.
1/3/2012 9:16:19 AM Deleted (Clean failed because the detection isn't cleanable) AD\username C:\WINDOWS\Explorer.EXE C:\temp\Investigation\eicar.com EICAR test file (Test)
1/3/2012 9:46:34 AM Deleted (Clean failed because the detection isn't cleanable) AD\username C:\WINDOWS\Explorer.EXE C:\temp\Investigation\eicar.com EICAR test file (Test)
1/3/2012 9:46:54 AM Deleted (Clean failed because the detection isn't cleanable) AD\username C:\WINDOWS\Explorer.EXE C:\temp\Investigation\eicar.com EICAR test file (Test)
1/3/2012 9:48:57 AM Deleted (Clean failed because the detection isn't cleanable) AD\username C:\WINDOWS\Explorer.EXE C:\temp\Investigation\eicar.com EICAR test file (Test)
I will post this question to VSE as suggested.