12 Replies Latest reply on Mar 30, 2015 3:19 PM by derson

    Malware events not fully reported to ePO

      Dear all,

       

      I see the following events in the local VSE on-access log:

       

      1/3/2012    9:16:19 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

      1/3/2012    9:46:34 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

      1/3/2012    9:46:54 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

      1/3/2012    9:48:57 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)

       

       

      However, the .txml file captured for ePO does not include the process information "C:\WINDOWS\Explorer.EXE".

       

      <?xml version="1.0" encoding="UTF-8"?>

      <VirusDetectionEvent>

          <MachineInfo>

              <MachineName>MyPCName</MachineName>

              <AgentGUID>{31D46A36-694B-42D6-A765-3FE89C8295A8}</AgentGUID>

              <IPAddress>10.10.10.46</IPAddress>

              <OSName>Windows XP</OSName>

              <UserName>AD\UserName</UserName>

              <TimeZoneBias>300</TimeZoneBias>

              <RawMACAddress>1433e6a2fe64</RawMACAddress>

          </MachineInfo>

          <ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">

              <EngineVersion>5400.1158</EngineVersion>

              <DATVersion>6577.0000</DATVersion>

              <ScannerType>OAS</ScannerType>

              <TaskName>OAS</TaskName>

              <ProductFamily>TVD</ProductFamily>

              <ProductName>VirusScan Enterprise</ProductName>

              <ProductVersion>8.8</ProductVersion>

              <DetectionInfo>

                  <EventID>1278</EventID>

                  <Severity>3</Severity>

                  <GMTTime>2012-01-03T09:48:57</GMTTime>

                  <UTCTime>2012-01-03T14:48:57</UTCTime>

                  <FileName>C:\temp\Investigation\eicar.com</FileName>

                  <VirusName>EICAR test file</VirusName>

                  <Source>_</Source>

                  <VirusType>6</VirusType>

                  <szVirusType>test</szVirusType>

              </DetectionInfo>

          </ScannerSoftware>

      </VirusDetectionEvent>

       

       

      Can someone suggest how to configure the agent to include the process name in the report to ePO?

       

      McAfee Agent: 4.5.0.1810

      McAfee VSE: 8.8.0.777

       

      Thank you.

       

      Jin.

       

      Message was edited by: jin on 1/4/12 2:25:30 PM CST
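The two records in the post describe the same detection, but only the local on-access log carries the process that touched the file. The script below is an added example (not the poster's code and not a McAfee tool) showing how an analyst can join the two sources offline: it parses the log lines and the txml event quoted above (copied here as constructed sample input, with the txml trimmed to the elements the code reads), checks that UTCTime minus GMTTime equals TimeZoneBias (in this event GMTTime holds the workstation's local time), and matches the event to a log record on file path and timestamp so the process name can be filled in from the local side. Assumptions: the real OnAccessScanLog is tab-delimited (here the columns are runs of spaces, and the splitter accepts both), and the txml element looked up for a process name, ProcessName, is a hypothetical name, since the posted event carries no process element at all.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the four on-access log lines quoted in the post. The real
# OnAccessScanLog is assumed to be tab-delimited; here columns are space runs.
LOCAL_LOG = r"""
1/3/2012    9:16:19 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
1/3/2012    9:46:34 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
1/3/2012    9:46:54 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
1/3/2012    9:48:57 AM    Deleted (Clean failed because the detection isn't cleanable)     AD\username    C:\WINDOWS\Explorer.EXE    C:\temp\Investigation\eicar.com    EICAR test file (Test)
"""

# Constructed sample: the txml event from the post, trimmed to the elements read below.
TXML = r"""<?xml version="1.0" encoding="UTF-8"?>
<VirusDetectionEvent>
    <MachineInfo>
        <MachineName>MyPCName</MachineName>
        <AgentGUID>{31D46A36-694B-42D6-A765-3FE89C8295A8}</AgentGUID>
        <IPAddress>10.10.10.46</IPAddress>
        <OSName>Windows XP</OSName>
        <UserName>AD\UserName</UserName>
        <TimeZoneBias>300</TimeZoneBias>
        <RawMACAddress>1433e6a2fe64</RawMACAddress>
    </MachineInfo>
    <ScannerSoftware ProductName="VirusScan Enterprise" ProductVersion="8.8" ProductFamily="TVD">
        <ScannerType>OAS</ScannerType>
        <TaskName>OAS</TaskName>
        <DetectionInfo>
            <EventID>1278</EventID>
            <GMTTime>2012-01-03T09:48:57</GMTTime>
            <UTCTime>2012-01-03T14:48:57</UTCTime>
            <FileName>C:\temp\Investigation\eicar.com</FileName>
            <VirusName>EICAR test file</VirusName>
        </DetectionInfo>
    </ScannerSoftware>
</VirusDetectionEvent>"""

LOG_COLUMNS = ("date", "time", "action", "user", "process", "file", "detection")


def parse_oas_log(text):
    """One dict per on-access log record, with the local timestamp parsed."""
    records = []
    for line in text.strip().splitlines():
        fields = re.split(r"\t|\s{2,}", line.strip())  # tabs or 2+ spaces
        if len(fields) != len(LOG_COLUMNS):
            continue  # not a 7-column detection line
        rec = dict(zip(LOG_COLUMNS, fields))
        rec["local_time"] = datetime.strptime(
            rec["date"] + " " + rec["time"], "%m/%d/%Y %I:%M:%S %p")
        records.append(rec)
    return records


def parse_txml(text):
    """Pull the fields an analyst needs out of a VirusDetectionEvent."""
    root = ET.fromstring(text.strip().encode("utf-8"))
    info = root.find("MachineInfo")
    det = root.find("ScannerSoftware/DetectionInfo")
    return {
        "machine": info.findtext("MachineName"),
        "user": info.findtext("UserName"),
        "tz_bias": int(info.findtext("TimeZoneBias")),
        "event_id": int(det.findtext("EventID")),
        "file": det.findtext("FileName"),
        "detection": det.findtext("VirusName"),
        "gmt_time": datetime.fromisoformat(det.findtext("GMTTime")),
        "utc_time": datetime.fromisoformat(det.findtext("UTCTime")),
        # Element name is an assumption; the posted event has no process at all.
        "process": det.findtext("ProcessName"),
    }


def time_offset_minutes(event):
    """UTCTime minus GMTTime in minutes. In this event GMTTime holds the
    workstation's local time, so the offset should equal TimeZoneBias."""
    return int((event["utc_time"] - event["gmt_time"]).total_seconds() // 60)


def correlate(event, records, window_seconds=2):
    """Match the ePO event to a local record on file path and local time and
    return the event enriched with fields the txml did not carry, or None."""
    for rec in records:
        delta = abs((rec["local_time"] - event["gmt_time"]).total_seconds())
        if rec["file"].lower() == event["file"].lower() and delta <= window_seconds:
            enriched = dict(event, local_time=rec["local_time"], action=rec["action"])
            if enriched["process"] is None:  # fill the gap from the local log
                enriched["process"] = rec["process"]
                enriched["process_source"] = "local OnAccessScanLog"
            return enriched
    return None


if __name__ == "__main__":
    event = parse_txml(TXML)
    print("UTC-local offset %d min, TimeZoneBias %d" % (time_offset_minutes(event), event["tz_bias"]))
    print(correlate(event, parse_oas_log(LOCAL_LOG)))
```

Matching on GMTTime against the log's local time only works because, in this event, GMTTime is local time and UTCTime is the real UTC value; if that ever changes between product versions, the time_offset_minutes check against TimeZoneBias is what tells you, so run it before trusting the join.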