2 Replies Latest reply on Oct 16, 2014 7:20 AM by Troja

    Is it possible to scan PCs (endpoints) for a specific file?


      Hi everyone


      We are getting reports about a targeted attack and would like to be able to look for a specific file on all our PCs.

      We'd like to be able to look for a file with a specific name and extension; we also know the path and have a hash number for the file.


      E.g. we suspect that file FILENAME.EXE, when it is in C:\ProgramData\Microsoft\, is an attack.


      Using VSE User Defined Unwanted Programs we can specify a file name, but not the path or hash value.


      Does anyone know of a way to automatically search for a specific file in a specific directory on 1000+ machines?

      If one can also specify a hash it is even better. (Bonus points?)


      Would it be possible to do this with Host IPS?


      Thanks for answers


        • 1. Re: Is it possible to scan PCs (endpoints) for a specific file?



          Which McAfee products have you got? McAfee System Information Reporter's "Find File" option would be my favorite pick, but you could also define a custom access protection rule (with VSE) and wait until it is triggered or use a custom HIPS signature.




          • 2. Re: Is it possible to scan PCs (endpoints) for a specific file?


            There are different ways to find it out. It depends on the products you are using. :-)


            1. Application Control (Solidcore): Application Control provides a file inventory from every client. Therefore you can search for binary files.
            2. Using a "File Name Search" with Real Time.
              You can define and submit a question, but it took some time in my lab.

            3. With the upcoming McAfee solution TIE (Threat Intelligence Exchange) and DXL (Data Exchange Layer). This solution will provide an extreme improvement for malware detection, visibility and removal.
              - Under TIE Reputations just search for the file and click "where has file run".
              This will generate a list of where the file has been run.

            Hope this helps.
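
The check the original question asks for (a known path plus a hash, across many machines) can also be run without any of the products named in the replies. The following PowerShell is an added example, not posted by anyone in the thread and not part of any McAfee product; it assumes PowerShell remoting (WinRM) is enabled on the endpoints, PowerShell 4.0 or later on them, that the hash in the report is SHA-256, and a hypothetical `computers.txt` host list.

```powershell
# Added example. Values below are placeholders or assumptions, not from the thread,
# except the path/file name, which is the example given in the question.
$IocPath   = 'C:\ProgramData\Microsoft\FILENAME.EXE'
$IocSha256 = '<SHA256-FROM-YOUR-REPORT>'              # placeholder: the thread gives no hash
$Computers = Get-Content -Path '.\computers.txt'      # hypothetical file, one hostname per line

# Runs on each endpoint: report whether the file exists and whether its hash matches.
$check = {
    param($Path, $Sha256)
    $result = [pscustomobject]@{
        Path    = $Path
        Present = $false
        Sha256  = $null
        Match   = $false
    }
    # -LiteralPath disables wildcard expansion; -Force also returns hidden/system files.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $result.Present = $true
        # Hashing can fail if the file is locked; Present stays true and Sha256 stays null.
        $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($hash) {
            $result.Sha256 = $hash.Hash
            $result.Match  = [bool]($hash.Hash -eq $Sha256)   # string -eq is case-insensitive
        }
    }
    $result
}

# Fan out over WinRM; connection failures are suppressed here and listed separately below.
$results = Invoke-Command -ComputerName $Computers -ScriptBlock $check `
    -ArgumentList $IocPath, $IocSha256 -ThrottleLimit 50 -ErrorAction SilentlyContinue

# Hosts where the file exists at that path, whether or not the hash matches.
$results | Where-Object { $_.Present } |
    Select-Object PSComputerName, Path, Sha256, Match |
    Export-Csv -Path '.\ioc-hits.csv' -NoTypeInformation

# Hosts that returned nothing were not checked; do not count them as clean.
$Computers | Where-Object { $_ -notin $results.PSComputerName } |
    Set-Content -Path '.\ioc-not-checked.txt'
```

A file that is present at the path but does not match the hash is still written to the hits file, since the report identifies the file by name and location as well as by hash.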