2 Replies Latest reply on Oct 16, 2014 7:20 AM by Troja

    Is it possible to scan PCs (endpoints) for a specific file?

    SergeM

      Hi everyone

      We are getting reports about a targeted attack and would like to be able to look for a specific file on all our PCs.

      We'd like to be able to look for a file with a specific name and extension; we also know the path and have a hash value for the file.

      E.g. we suspect that the file FILENAME.EXE, when it is in C:\ProgramData\Microsoft\, is an attack.

      Using VSE User Defined Unwanted Programs we can specify a file name, but not the path or hash value.

      Does anyone know of a way to automatically search for a specific file in a specific directory on +1000 machines?

      If one can also specify a hash, even better. (Bonus points?)

      Would it be possible to do this with Host IPS?

      Thanks for any answers

        Serge
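        A standalone check for the kind of indicator described above (fixed directory, file name and hash), added here as an example that is not part of this thread and does not use any McAfee product; the directory, file name and hash in it are constructed placeholders, not values from a real report:

```python
import hashlib
import socket
import tempfile
from pathlib import Path

def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_indicator(directory, name, expected_sha256=None):
    """Look for one file at one fixed path and classify the result as
    'absent', 'present' (no hash given), 'hash_match' or 'hash_mismatch'."""
    candidate = Path(directory) / name
    host = socket.gethostname()
    if not candidate.is_file():
        return {"host": host, "path": str(candidate), "status": "absent"}
    digest = sha256_of(candidate)
    if expected_sha256 is None:
        status = "present"
    elif digest == expected_sha256.lower():
        status = "hash_match"
    else:
        # Same name and path but different content: a variant or an unrelated
        # file, so report it separately instead of treating it as a confirmed hit.
        status = "hash_mismatch"
    return {"host": host, "path": str(candidate), "status": status, "sha256": digest}

def scan_host(indicators):
    """Evaluate every (directory, name, sha256) tuple on this host; the caller
    ships the returned list to whatever central collector it uses."""
    return [check_indicator(d, n, h) for d, n, h in indicators]

def demo():
    # Constructed sample: a temporary directory stands in for C:\ProgramData\Microsoft
    # and a harmless text file stands in for FILENAME.EXE.
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "FILENAME.EXE"
        sample.write_bytes(b"constructed sample content, not a real binary")
        known = sha256_of(sample)
        indicators = [
            (tmp, "FILENAME.EXE", known),     # name, path and hash all match
            (tmp, "FILENAME.EXE", "0" * 64),  # right name and path, wrong hash
            (tmp, "OTHER.EXE", known),        # file is not there at all
        ]
        return [r["status"] for r in scan_host(indicators)]

if __name__ == "__main__":
    print(demo())
```

On a real endpoint the indicator tuple would be the one from the report, e.g. `(r"C:\ProgramData\Microsoft", "FILENAME.EXE", "<sha256 from the report>")`, and the script would be pushed to each machine by whatever remote-execution tooling is already in place.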

        • 1. Re: Is it possible to scan PCs (endpoints) for a specific file?
          frank_enser

          Hi,

          Which McAfee products have you got? McAfee System Information Reporter's "Find File" option would be my favorite pick, but you could also define a custom access protection rule (with VSE) and wait until it is triggered, or use a custom HIPS signature.

          Regards,

          Frank

          • 2. Re: Is it possible to scan PCs (endpoints) for a specific file?
            Troja

            Hi,

            There are different ways to find this out. It depends on the products you are using. :-)

            1. Application Control (Solidcore): Application Control provides a file inventory from every client, so you can search for binary files.
              solidcore.jpg
            2. Using a "File Name Search" with Real Time.
              You can define and submit a question, but it took some time in my lab.
              realtime.jpg

            3. With the upcoming McAfee solutions TIE (Threat Intelligence Exchange) and DXL (Data Exchange Layer). This solution will provide an extreme improvement in malware detection, visibility and removal.
              - Under TIE Reputations, just search for the file and click "where has file run".
              DXL.jpg
              This will generate a list of where the file has been run.
              DXL2.jpg

            Hope this helps.


            Cheers,

            Thorsten