If only an AV product is installed, there can always be malicious files on it. Additionally, there can be several files which are unknown to any AV vendor.
After installing Solidcore, any executable code is "whitelisted"; this means the file can be started. If it is unknown to McAfee, you can use any available tool; you will not see any threat event.
If there is malware, the file can be started, but the PE is not able to install anything else, nor is generated code allowed to run. Also, your memory is protected.
At this time it is useful to activate the server tasks to check the file inventory in Solidcore against the GTI cloud. If there is any known malicious file, you will see a threat event.
My recommendation if you do not know the state of your endpoints:
- Configure Solidcore to run in Observation Mode.
- Run OnDemand Scans at regular intervals.
- Compare the file inventory with McAfee GTI (server tasks).
- Create a query to figure out any client which reports no threat event over a specific time.
- Based on the result TAG, you can activate a Solidcore task to switch from observation mode to enabled mode.
- Check your threat events to see if any malicious files are reported, and block and remove them.
Perhaps you may take a look at Threat Intelligence Exchange (TIE). TIE is able to deliver an event if unknown code is executed on your endpoint.
Thank you Troja!
I will follow your recommendations.
I am trying to figure out how I can make a TAG based on a query (I'm a new ePO user) to activate enabled mode. It does not sound easy.
Tagging is easy.
- Define a query "Events -> Threat Events" and choose Table as the output.
- Use the filters to define your query in detail.
Define a Server Task in this way:
- Action: Run Query
- Sub-Action: Tag Systems
This should work, and you can check the TAG to see how many systems have it assigned.