6 Replies Latest reply on Sep 11, 2012 9:36 AM by Tristan

    Threat Source Systems Query

    cisadmin

      Hi All,

       

      Is there a way to create a query that will create a table of Threat Source Systems so they can be actioned by a Server Task.

       

      Obviously Source Systems are the key to resolving Outbreaks so we would like to be able run a query that identifies these systems and then run a server task that places them in an Outbreak Control Group and force remediation of the threat - Policy lockdown - running full On-Demand Scans - automating deployment of stinger Stinger silently and scanning all drives etc.

       

      We have tried numerous methods to date but it seems the target systems are those moved to the group.

       

      With large outbreaks with numerous source systems, having to do this process manually is very resource intensive.

       

      Regards,

       

      Caveo Systems Technical Support

        • 1. Re: Threat Source Systems Query
          Tristan

          You could have a look at this dashboard tool that echarron has developed

           

          https://community.mcafee.com/docs/DOC-3469

           

          Although it's a dashboard it does load all the necessary queries into ePO which you can then utilize in building a automated response/query/report

          • 2. Re: Threat Source Systems Query
            greatscott

            At least in 4.5 there is no way to configure this for an automatic response, however, you can create a server task that does something similar. You would create the query, create a server task, configure the "Action" to "Run Query". As the "Sub Actions" you would select "Move system to another group".

             

            From this group you can configure your Full Disk On Demand Scans, locked down FW policies, etc.

            • 3. Re: Threat Source Systems Query
              petersimmons

              I've helped customers with a couple hundred outbreaks over the last 7 years. The key to controlling them is a small checklist of minimum policy configurations:

               

              1. Self protection must be on without any exceptions.

              2. On Access Scanning must scan on Reads and you must scan "All files"

              3. You must perform a daily scan of the two memory items. The frequency goes up during an outbreak.

              4. You must perform a full On Demand Scan on a Weekly basis. Use a list of infected machines and a list from #3 to figure out what to perform extra Full ODS.

              5. Make sure you are on updated versions. VSE 8.8 patch 1 has an additonal protection that no other version has. And 8.8 is twice as fast as 8.7.

              6. Make sure you have the correct engine updates (Almost everyone has this at this point)

              7. GTI (Artemis) must be turned on. The correct setting is Medium.

              8. All of the Potentiall Unwanted Program categories must be turned on. ALL of them.

              9. Exclusions must be trimmed to remove dangerous directories (temp folders, user profiles, web servers, windows directories are all bad exclusions)

              10. The DAT file should be sort of current. Anything in the last week is probably okay. Rarely is the latest DAT the key to fighting malware.

              • 4. Re: Threat Source Systems Query
                cisadmin

                Hi Guys,

                 

                Many thanks for your replies.

                 

                We actually have all of those dashboards as well as what we call a Live Dashboard for ePO Admins that gives you up to date information on systems in your environment that require attention - No AV, No HIPS, Threats Not Handled, Systems Communicating but DAT out of Date etc. - so you can see systems you can action and not worry about those offline.

                 

                The problem here is that there seems to be no way to create a query that will give you a list of "Source" systems that you can then link to a Server Task to automate actions.

                 

                Basically only queries that are built as tables can be actioned but there is no way we have found of building a table of source systems. You can create the query but when you run the task on it, it actually takes the Target and not the Source. Target systems tend to be able take care of themselves if VSE is working correctly so you actually don't need to lock them down and scan them aggressively and therefore cause issues for the end-user unnecessarily.

                 

                Source systems are the main target of any Outbreak initially but as mentioned this is currently a manual drag and drop to the Outbreak Control Grou which is a killer with large Outbreaks.

                 

                Regards,

                 

                Diarmuid

                • 5. Re: Threat Source Systems Query
                  cisadmin

                  Hi Guys.

                   

                  Again, many thanks.

                   

                  We are an experienced company in relation to Outbreak Control and cleanup but appreciate the tips.

                   

                  To be honest I don't think there is a solution currently to my problem and think it would need McAfee Developers to look at.

                   

                  Thanks for your feedback anyway.

                   

                  Regards,

                   

                  Diarmuid

                  • 6. Re: Threat Source Systems Query
                    Tristan

                    Why can't you do this with an 'Automatic Response'

                     

                    Menu -> Automation -> Automatic Responses

                     

                    On the first screen set the 'event group' to 'ePO Notification Events' and the 'Event Type' to 'Threats'

                     

                    Second and third screen set up your filters and aggregation which is pretty straight forward

                     

                    The bit you want is on the fourth screen, with the selection on the first screen you now get an option to 'Run System Command' and from this you have a number of options e.g. add tag, move system or run on-demand scan now