6 Replies Latest reply on Jun 22, 2012 5:18 AM by dnf

    Alarm generation

    dnf

      Hi all,

       

      I'm new and this is my first question in the forum. I hope somebody can help me.

      Is there a way to create an alarm when certain kinds of files are created in a specified location? I've been told it is possible by implementing an automated search based on an AV on-access scan, but I couldn't find the way.

      Could somebody show or point me in the right direction about how to do it?

       

      Thanks.

        • 1. Re: Alarm generation
          Tristan

          Under the access protection policy create a new 'File/Folder blocking rule' in the 'user-defined rules'. Choose your action read access, write access, file creation etc and choose whether you want to block, report or both.

           

          I've also seen it done with a PUP (potentially unwanted program) user defined item but that's only by filename and not by location and filename.

          • 2. Re: Alarm generation
            dnf

            Hi Tristan,

             

            Thanks for your quick response. There is a threat that creates certain kinds of files in specific folders, files which consist of 1-2 letters and the suffix (e.g. g.exe, g.bat). If those files are created, an alarm should be generated. This is the behaviour I need to recreate and I don't know how...

            • 3. Re: Alarm generation
              Tristan

              Is the threat not being detected by VSE itself or is it one of those crafty user installed stealth malware threats?

               

              Either way.

               

              1. Go to your policy catalogue in ePO

              2. Find your globally assigned 'Access Protection Policy'. I think the default might be something like 'My Default'.

              1.jpg

               

              3. Edit the policy and create a new user defined rule

              2.jpg

              4. Enter in your folder locations and file details

               

              According to https://kc.mcafee.com/corporate/index?page=content&id=KB54812 the wildcard for a single character is ?, so to detect g.exe you would enter ?.exe; to detect gg.exe it would be ??.exe.

               

              3.jpg

              • 4. Re: Alarm generation
                dnf

                Thanks so much. Very handy document. The last question: will that generate/send an alarm when the file is created? Or will it only show an alarm on the client?

                • 5. Re: Alarm generation
                  Tristan

                  You have the option with the access protection rule to block, report or both.

                   

                  By ticking the block option the client would get an 'access protection' error message box and, depending on which option is selected in the rule, it can prevent the file from being created.

                   

                  The 'Alert' generated by ticking the 'report' option would be a standard threat event reported to ePO so if you want an instant notification by email then your next step is to start looking at custom queries and automated responses.
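                  To make the rule semantics from replies 3 and 5 concrete, here is an added example (not McAfee code and not part of this thread) that models a user-defined file/folder rule: folder scope, a filename pattern where ? stands for exactly one character, and block/report actions, then produces one report-style event per matching file creation. The FileRule class, the case-insensitive matching and the single "create" trigger are simplifying assumptions of this model, not VSE internals.

```python
import re
from dataclasses import dataclass

# Constructed, simplified model of an Access Protection user-defined rule (assumption).
@dataclass(frozen=True)
class FileRule:
    name: str
    folders: tuple           # folders in scope, e.g. ("C:\\Windows\\Temp",)
    file_pattern: str        # filename pattern; '?' = exactly one character (KB54812)
    actions: tuple           # ("report",), ("block",) or ("block", "report")
    trigger: str = "create"  # assumed event type; only file creation is modelled here

def pattern_to_regex(pattern: str) -> re.Pattern:
    """'?' matches one character, everything else is literal.
    Case-insensitive because Windows file names are (assumption of this model)."""
    body = "".join("." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.compile(rf"^{body}$", re.IGNORECASE)

def evaluate(rule: FileRule, path: str, event: str = "create") -> tuple:
    """Return the actions the rule would take for this event, or () if it does not apply."""
    folder, _, name = path.rpartition("\\")
    in_scope = any(folder.lower() == f.lower() for f in rule.folders)
    if event != rule.trigger or not in_scope:
        return ()
    if not pattern_to_regex(rule.file_pattern).match(name):
        return ()
    return rule.actions

# Rules for 1- and 2-letter droppers as described in the thread (folder is a constructed sample).
RULES = (
    FileRule("1-letter exe", ("C:\\Windows\\Temp",), "?.exe", ("report",)),
    FileRule("2-letter exe", ("C:\\Windows\\Temp",), "??.exe", ("report",)),
    FileRule("1-letter bat", ("C:\\Windows\\Temp",), "?.bat", ("block", "report")),
)

def threat_events(rules, creations) -> list:
    """Simulate the 'report' action: one ePO-style event per rule that reports on a creation."""
    events = []
    for path in creations:
        for rule in rules:
            actions = evaluate(rule, path)
            if "report" in actions:
                events.append({"rule": rule.name, "path": path, "blocked": "block" in actions})
    return events

if __name__ == "__main__":
    sample = ["C:\\Windows\\Temp\\g.exe", "C:\\Windows\\Temp\\GG.EXE",   # constructed events
              "C:\\Windows\\Temp\\ggg.exe", "C:\\Users\\x\\g.exe", "C:\\Windows\\Temp\\g.bat"]
    for ev in threat_events(RULES, sample):
        print(ev)
```

                  Running it reports g.exe, GG.EXE and g.bat (the last one also blocked) while ggg.exe and the out-of-scope folder produce nothing, which is the distinction between ?.exe and ??.exe that KB54812 describes.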

                  • 6. Re: Alarm generation
                    dnf

                    Thanks for your help. Now I'm going in the right direction.