2 Replies Latest reply on Apr 10, 2012 4:11 PM by eddiec

    Do unhandled threats ever become handled?

      Hi all,


      I am wondering if McAfee has the notion of unhandled threats, or threats that require manual administrator intervention. I've worked with antivirus platforms in the past that will alert if a virus is detected that cannot be cleaned. For these systems I've created reports to give to administrators that basically say, "This machine X is infected with this virus Y and it needs to be manually cleaned". I am trying to recreate this functionality with McAfee and I suspect that I am not doing it quite right.


      I have created the following query (edited and cleaned up for brevity):


      target=EPOEvents&select=(select EPOLeafNode.NodeName EPOEvents.TargetFileName EPOEvents.ThreatName EPOEvents.ThreatType)&where=(where (eq EPOEvents.ThreatHandled "false"))



      The idea here is that the threat is not handled, thus the ThreatHandled column is marked false. What I have noticed, though, is that when these threats are cleaned off the machine, these records remain marked as ThreatHandled = false in the database. Because of this, I suspect that I am misunderstanding what this column is meant for.

      So my questions are:

      Does McAfee ever get into a state where a threat is detected but not handled?

      If yes, what is the best way to get that information?

      Will these database records update themselves to reflect the removal of the threat once it has been cleaned up?

      Much thanks to whoever can help me out with this,