A user doesn't have to log on for their credentials to be used. An intelligent piece of malware can obtain someone's credentials and then use them at its leisure.
- Access Protection is going to generate an event when it sees the violation occurring, so you can infer that this User logged in (or something with their credentials did).
- The other scenario that comes to mind is if an event was generated long ago (when the User had been logged in) but the event was not uploaded until recently (an agent-to-server communication problem). The date/timestamp on the event itself would tell you if it's recent, or if it's old and only now made its way to the server.
You should not expect ODS running twice daily to know about user-defined AP rules. They are completely separate features.
Maybe you were expecting the ODS to find this crypto_notes.txt file? That warrants a lot of follow up questions best left between you and a support person, if it's something you'd like to work through.
Thank you wwarren for your explanation.
Here is what I have determined so far:
- The blocked rule was put under Access Protection rule and not under PUP
- Upon researching further I learned that ODS does not pick up any Access Protection rules; ODS only picks up malware for which McAfee has signatures, and any PUPs. Same goes for OAS.
With that being said...
What is being triggered on the machine that is causing an alert after 3 weeks: potential malware that McAfee does not have a signature for.
> What is being triggered on the machine that is causing an alert after 3 weeks: potential malware that McAfee does not have a signature for.
Yes, that's a possibility.
You should look at the timestamp of the event, i.e. when the event was created (rather than when it was received).
That will tell you if you're looking more at a potential threat using someone's credentials, or if it's an old event that finally reached you.
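The check described in both replies above (compare the event's creation time with the time the server received it, then compare it with the account's last logon) as an added example, not code from the original thread or from McAfee. Event records, the last-logon table, the field names and the one-day lag and logon windows are all constructed assumptions for illustration:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real McAfee/ePO output). Each record carries
# the time the endpoint generated the event and the time the server received it.
SAMPLE_EVENTS = [
    {"id": 1, "user": "jdoe", "host": "WS-0417",
     "rule": "Access Protection: write blocked, crypto_notes.txt",
     "generated": "2013-05-01T09:12:00Z", "received": "2013-05-22T10:05:00Z"},
    {"id": 2, "user": "jdoe", "host": "WS-0417",
     "rule": "Access Protection: write blocked, crypto_notes.txt",
     "generated": "2013-05-22T10:03:00Z", "received": "2013-05-22T10:05:00Z"},
    {"id": 3, "user": "asmith", "host": "WS-0220",
     "rule": "Access Protection: write blocked, crypto_notes.txt",
     "generated": "2013-05-22T11:40:00Z", "received": "2013-05-22T11:41:00Z"},
    {"id": 4, "user": "jdoe", "host": "WS-0417",
     "rule": "Access Protection: write blocked, crypto_notes.txt",
     "generated": "2013-05-23T08:00:00Z", "received": "2013-05-22T10:05:00Z"},
]

# Constructed: last interactive logon per account (e.g. pulled from domain logs).
LAST_LOGON = {
    "jdoe": "2013-05-01T08:55:00Z",    # has not logged on for three weeks
    "asmith": "2013-05-22T08:30:00Z",  # logged on the same morning as the event
}

# Assumptions: an agent normally reports within a day, and a logon within a day
# before the event is taken as the matching session.
UPLOAD_LAG_LIMIT = timedelta(days=1)
LOGON_WINDOW = timedelta(days=1)


def parse_ts(s):
    """Parse the constructed ISO-8601 UTC timestamp format used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify(event, last_logon=LAST_LOGON, lag_limit=UPLOAD_LAG_LIMIT,
             logon_window=LOGON_WINDOW):
    """Return a triage label for one event based on creation vs receipt time."""
    generated = parse_ts(event["generated"])
    received = parse_ts(event["received"])
    if received < generated:
        # Endpoint clock ahead of the server: timestamps can't be trusted as-is.
        return "clock-skew"
    if received - generated > lag_limit:
        # Old event that only now reached the server (agent-to-server delay).
        return "delayed-upload"
    logon = last_logon.get(event["user"])
    if logon is None or parse_ts(logon) < generated - logon_window:
        # Recent activity under this account with no matching logon: the
        # credentials were used by something other than an interactive session.
        return "credentials-without-logon"
    return "recent-activity"


def triage(events=SAMPLE_EVENTS, **kw):
    """Map each event id to its triage label."""
    return {e["id"]: classify(e, **kw) for e in events}


def accounts_to_review(events=SAMPLE_EVENTS, **kw):
    """Accounts whose credentials produced recent events without a logon."""
    return sorted({e["user"] for e in events
                   if classify(e, **kw) == "credentials-without-logon"})


if __name__ == "__main__":
    for event_id, label in triage().items():
        print(event_id, label)
    print("review:", accounts_to_review())
```

Event 1 is the "old event that finally reached you" case, event 2 is the one that warrants the credential question, and event 4 shows why a received-before-generated record should be checked for clock skew before either conclusion is drawn.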