5 Replies. Latest reply: Apr 22, 2014 10:32 AM by pwolfe

    Looking for a query

    dpkrijgsman

      Hello,

       

      I don't even know if this is possible.

       

      But I am looking for a query that can show me recurring workstations that get infected. For example:

      1. Workstations get infected and cleaned by McAfee

      2. If this workstation gets infected again within a month, it should be reported in the dashboard (or by e-mail)

       

       

      Is this possible?

       

      Thanks in advance!

        • 1. Re: Looking for a query
          mingle1

          The only method I can think of at the moment, would be to create a query that shows you the number of infections for the month. You can then use the webAPI to trigger running the query.

           

          If you need any more information, let me know and I will do my best to provide help.

          • 2. Re: Looking for a query
            dpkrijgsman

            Hi,

             

            At the moment I am using the malware detection history. I put that in an Excel sheet every day and cross-reference them (with smart handlers that detect when computers appear more than once in the list).

            I want to automate the process so that I see in a report or query that a computer gets infected more than 2x within a month, and that ePO reports it to me, like in a diagram, or just sends me an e-mail.

            Because I want to reimage that machine.

            Also, is it possible to see what McAfee didn't clean?

             

            Message was edited by: dpkrijgsman on 4/15/14 4:36:33 AM CDT
            • 3. Re: Looking for a query
              pwolfe

              I guess I am still trying to understand what exactly it is that you want.

              You could use the "VSE: Computers with Threats Detected per Week" report.

               

              You could duplicate this report and adjust it as needed, for instance, you could change it to report "event generated time = Day" and add the "Threat Handled".

               

              This would look something like:

               

              PC???? (Computer Name)

                   April 17, 2014 (Date of Detection)

                        True: 10 (Handled)

                        False: 1 (Handled)

               

              This data would indicate that you had 11 total threats: 10 were handled correctly, 1 was not. Thus you would need to image it.

               

              You could change the "event generated time" to weekly or even monthly.

               

              This, however, does not automate the e-mail response to you. However, it does allow you to see users who frequently become infected.

              This said, why not just set up an auto response only when a threat is not handled? Ignore when they are, but have it send you a message when "Handled=FALSE", thus only notifying you of failed cleans.

              All of this said, I would really recommend following the direction I gave you in a previous post about Malware / Spyware blocking. I have been running it for 8-plus years, and as long as I have these enabled and set up correctly I have a wonderful out-of-box experience, with very little issue.

               

              https://community.mcafee.com/message/323457

               

              Not sure if this helps....

               

              Patrick

              • 4. Re: Looking for a query
                dpkrijgsman

                Hi pwolfe,

                 

                Thank you for your reply.

                 

                To answer your questions, I am looking for a report that will give me workstations that have been infected more than 3 times in 1 month.

                So let's say computer A is infected on 1 January but also on 20 and 23 January. Then the report will give me this result.

                 

                But the report will not show me computers that have been infected only once.

                 

                I will look into the "VSE: Computers with Threats Detected per Week" report. Thank you!

                As regards my previous post where you replied, I cannot do this because we are repackaging MSIs and use Temp to run them from.

                 

                Enable: Anti-Spyware maximum protection - "Prevent all programs from running files from the Temp folder"

                Enable: Anti-Spyware maximum protection - "Prevent execution of scripts from the Temp folder"

                Enable: Common Standard Protection - "Prevent common programs from running files from the Temp folder"

                Enable: Common Standard Protection - "Prevent installation of Browser Helper Objects and Shell Extensions"

                 

                But thanks again for your replies!
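The two detection rules discussed in this thread, a machine that is detected repeatedly within a one-month window (post 4) and a detection where the "Threat Handled" flag is False (post 3), can be checked outside ePO by exporting the malware detection history and scanning it. The script below is an added example written for this thread, not an ePO query or anything from McAfee; it assumes the export is a CSV with columns named "Computer Name", "Event Generated Time" and "Threat Handled", and the sample rows are constructed. It uses a rolling 30-day window rather than a calendar month, so that detections on 1, 20 and 23 January count together while detections that straddle a month boundary are not split.

```python
"""Flag repeat-infection workstations and failed cleans in an exported
ePO malware detection history. Added example, not ePO's own query.

Assumed export columns (real column names may differ):
  Computer Name, Event Generated Time (ISO timestamp), Threat Name,
  Threat Handled ("True"/"False").
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; not real ePO data. PC0001 is hit three times
# in January (one not cleaned), PC0002 once, PC0003 three times but spread
# over more than 30 days, so only PC0001 should be flagged at threshold 3.
SAMPLE_EXPORT = """Computer Name,Event Generated Time,Threat Name,Threat Handled
PC0001,2014-01-01T08:12:00,Generic.dx,True
PC0001,2014-01-20T13:40:00,Artemis!ABC,True
PC0001,2014-01-23T09:05:00,Generic.dx,False
PC0002,2014-01-05T10:00:00,JS/Exploit,True
PC0003,2014-01-02T11:00:00,W32/Conficker,True
PC0003,2014-03-15T11:00:00,W32/Conficker,True
PC0003,2014-03-20T11:00:00,W32/Conficker,True
"""


def parse_export(text):
    """Parse the CSV export into (computer, timestamp, handled) tuples."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(rec["Event Generated Time"], "%Y-%m-%dT%H:%M:%S")
        handled = rec["Threat Handled"].strip().lower() == "true"
        rows.append((rec["Computer Name"], ts, handled))
    return rows


def repeat_offenders(rows, min_events=3, window=timedelta(days=30)):
    """Return {computer: [timestamps]} for every machine that has at least
    min_events detections inside some rolling window of the given length.

    Timestamps per host are sorted and scanned with two indices; the window
    start advances whenever the span exceeds `window`, so the check is linear
    in the number of events per host.
    """
    by_host = defaultdict(list)
    for host, ts, _ in rows:
        by_host[host].append(ts)

    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_events:
                flagged[host] = times[start:end + 1]
                break  # first qualifying cluster is enough to flag the host
    return flagged


def unhandled(rows):
    """Return (computer, timestamp) for detections the scanner did not clean."""
    return [(host, ts) for host, ts, handled in rows if not handled]


if __name__ == "__main__":
    events = parse_export(SAMPLE_EXPORT)
    for host, times in repeat_offenders(events).items():
        print(f"{host}: {len(times)} detections between "
              f"{times[0]:%Y-%m-%d} and {times[-1]:%Y-%m-%d}")
    for host, ts in unhandled(events):
        print(f"{host}: detection at {ts:%Y-%m-%d %H:%M} was NOT handled")
```

Run against a real export, a scheduled task that pipes this output into an e-mail gives the "report it to me" behaviour asked for in the thread; lowering `min_events` to 2 would also catch PC0003 in the sample, whose March detections are five days apart.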

                • 5. Re: Looking for a query
                  pwolfe

                  Not sure if this will give you any ideas on the install of MSIs with those settings enabled, however we package and deploy both MSIs & .exe setup files. I have 2 ways around this.

                  First, add the calling process and the .msi or .exe to the exclusion list (this does not always work, but it does most of the time). We are not a Microsoft shop; we are a Novell OES 11 & Zenworks site. So I add all of the Novell & ZCM/Zenworks .exes to the allowed list for each exclusion. This works most of the time, as I deploy my MSIs & EXEs using Zenworks, and as long as I add the .exe or .msi to the exclusion as well it usually is fine.

                   

                  Second, our VSE 8.8 "access protection" policy has been set as follows:

                   

                  Enabled - Enable access protection

                   

                  As 95% of my users are "Standard Users" on workstations, they have no rights and cannot stop the McAfee services anyway, as by default you need admin rights to do so, thus allowing me to administratively. As we use Zenworks I just add the following to my installers (all installers run as local system with admin rights or an admin account for rights):

                   

                  • sc stop mcshield - With Wait until completed
                  • Run setup.exe or Msi - With Wait until completed
                  • sc start mcshield - With Wait until completed

                  By doing this, McAfee is disabled during the install; this also allows faster installs, as the "Access Scanner" will not scan this install.