391 Views 1 Reply Latest reply: Feb 15, 2013 5:55 AM by ThomasN
Greg_Steele Newcomer 16 posts since
Nov 16, 2009

Feb 14, 2013 4:29 PM

Reporting on Reinfected Systems

Is anyone aware if through ePO I can build a query that will report on systems that have become re-infected with malware over a short amount of time?

For example, if a system is infected on Monday with malware and then is re-infected a couple of days later. I am trying to capture this use case with an objective of providing more education to the end users of these machines. So far, I have been unsuccessful in capturing the second infection.


ePO 4.6.4

MA 4.5 P3

VSE 8.7.4

AS 8.7

  • ThomasN Apprentice 26 posts since
    Nov 5, 2010
    1. Feb 15, 2013 5:55 AM (in response to Greg_Steele)
    Re: Reporting on Reinfected Systems

    Well, there is a way of doing it, even if it is not terribly elegant.

    Create a tag that you name for instance INF1 and one that you name INF2, and with name INF3 (May be extended further if you want to)


    Create a query (Inf1Query) that Runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 Hours and that does NOT have the INF1 tag (or the INF2  and INF3 if you extend it)

    Create a query (Inf2Query) that Runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 Hours and that does have the INF1 tag, but not the INF2 tag, or INF3 tag

    Create a query (Inf3Query) that Runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 Hours and that does have the INF2 tag, but not the INF1 tag or the INF3 tag


    Create a servertask that runs the queries in the following order, and that performs the following tasks.


    Inf3query
    Apply tag INF3
    Clear tag INF2
    Clear tag INF1

    Inf2query
    Apply tag INF2
    Clear tag INF1
    Clear tag INF3

    Inf1query
    Apply tag INF1
    Clear tag INF2
    Clear tag INF3

    You may extend this up to 7 days if you want to have a more thorough overview of how many times per week the clients are infected, or bring it down to 2 days/tags if you only want to know that the client has been infected multiple times.


    On for instance Sunday you need to create a query to do some cleanup.


    There you can choose to just remove all the tags to get a "clean slate" starting on Monday.

    Or you can remove the tags for computers that have not had any infections in the last 2 days (to cater for no people on in the weekend)

    Or only the computers that have reached INF3 (or INF2), etc.

    Basically just choose what you want out of it.


    In regards to a display of it, just create a boolean query that shows clients that have the INF2 tag (for the limited version) or the INF2, INF3, INF4, etc. (for the "upgraded" version).

    Or you can create several counters to show how many computers are at each level.


    As I said it is not terribly elegant, but it does give you the results.


    /Thomas
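An added illustration that is not part of the thread and not an ePO feature: a small Python model of the tag-escalation scheme described in the answer above, run over constructed detection events. It shows each system's level at the end of the week, why the server task has to run Inf3Query before Inf2Query before Inf1Query (the reverse order pushes a freshly infected system straight to INF3 in one run), and the Sunday cleanup variant that only clears systems with no detections in the last two days. Query and tag names come from the post; the hostnames and day numbers are made up.

```python
from collections import defaultdict

# Constructed sample detection events (day number, system name), standing
# in for the per-system malware detection events ePO would return.
DETECTIONS = [
    (1, "ws-01"), (3, "ws-01"), (5, "ws-01"),  # re-infected twice in a week
    (2, "ws-02"),                               # a single incident
    (2, "ws-03"), (3, "ws-03"),                 # detections on consecutive days
]

# One entry per query, in the order the server task runs them:
# (query name, tags required, tags that must be absent, tag to apply, tags to clear)
RULES = [
    ("Inf3Query", {"INF2"}, {"INF1", "INF3"}, "INF3", {"INF1", "INF2"}),
    ("Inf2Query", {"INF1"}, {"INF2", "INF3"}, "INF2", {"INF1", "INF3"}),
    ("Inf1Query", set(), {"INF1", "INF2", "INF3"}, "INF1", {"INF2", "INF3"}),
]


def run_server_task(tags, day, detections, rules=RULES):
    """One daily run: for systems with a detection in the last 24 hours
    (modelled as 'detected on this day'), evaluate each query in order and
    apply/clear tags. Mutates and returns the {system: set_of_tags} dict."""
    detected_today = {host for d, host in detections if d == day}
    for _name, requires, excludes, apply_tag, clear_tags in rules:
        for host in sorted(detected_today):
            current = tags[host]
            if requires <= current and not (excludes & current):
                current -= clear_tags
                current.add(apply_tag)
    return tags


def simulate(detections, days, rules=RULES):
    """Run the server task once a day and return {system: "INFn"} at the end."""
    tags = defaultdict(set)
    for day in range(1, days + 1):
        run_server_task(tags, day, detections, rules)
    return {host: "".join(sorted(t)) for host, t in tags.items()}


def weekly_cleanup(tags, detections, day, quiet_days=2):
    """Sunday cleanup variant from the post: drop tags on systems that had
    no detection in the last `quiet_days` days, keep the rest."""
    recent = {host for d, host in detections if day - quiet_days < d <= day}
    return {host: t for host, t in tags.items() if host in recent}
```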
