5 Replies Latest reply on Mar 13, 2017 3:21 PM by woody188

    Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports

    twenden

      We have just started to take a look at the new Endpoint Security Threat Prevention 10.1.0.5623. However, I am unable to see any threats that are detected from the client side. We are running with ePO 5.3.1 and Mac Agent 5.0.2.185.

      To test threat detection and reporting, I will go to the client and invoke the EICAR test virus. The client will get a popup that it detected the EICAR virus. After detection, I will do an agent wake-up call. On the ePO side, I don't see this EICAR threat being reported under the queries or the Threat Events for that particular system. We also have automatic responses set to send an email alert, but we don't get this.

      If I uninstall and install EPM 2.3, then we get the virus alerts under ePO. Not too sure what is going on, but it is stopping me from wanting to utilize this updated version.

        • 1. Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports
          woody188

          There are specific queries/dashboards for ENS. We have ePO 5.3.2 and are testing ENS 10.2.0. All our VirusScan malware emails come in via automated responses, but Endpoint does not. Looks like I'll have to set up custom queries to get this to occur for Endpoint, which is unfortunate because it was all working well for VSE.

          • 2. Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports
            johnmoe

            FWIW, I'm running both VSE and ENS (in the middle of transitioning to 10.5 Win/10.2 Mac & Linux), and I just specify "Threat Category --> belongs to --> Malware Detected", and I get e-mail alerts from both products from the one automatic response rule.

            McAfee has an event troubleshooting guide that should help: https://kc.mcafee.com/corporate/index?page=content&id=KB53035e

            • 3. Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports
              woody188

              Thanks for the link. If I can't get it figured out, I guess it just means another call to support. We've tried EICAR files and even real threats, and while it is definitely logged in ePO, the events from ENS never get emails, but the VSE ones are going out. Doesn't make any sense to me.

              • 4. Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports
                woody188

                Just so you know I'm not crazy, the event gets to ePO and gets parsed and is viewable as an event under the "Threat Events" tab for the endpoint:

                Threat Event Log Information
                Server ID: EPOHOSTNAME
                Event Received Time: 3/13/17 8:55:04 AM
                Event Generated Time: 3/13/17 8:53:35 AM
                Agent GUID: REDACTED
                Detecting Prod ID (deprecated): ENDP_AM_1020
                Detecting Product Name: McAfee Endpoint Security
                Detecting Product Version: 10.2.0.662
                Detecting Product Host Name: REDACTED
                Detecting Product IPv4 Address: xxx.xxx.xxx.xxx
                Detecting Product IP Address: xxx.xxx.xxx.xxx
                Detecting Product MAC Address: MAC Address
                DAT Version: 2915.0
                Engine Version: 5800.7501
                Threat Source Host Name: HOSTNAME
                Threat Source IPv4 Address: xxx.xxx.xxx.xxx
                Threat Source IP Address: xxx.xxx.xxx.xxx
                Threat Source MAC Address:
                Threat Source User Name:
                Threat Source Process Name: C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
                Threat Source URL:
                Threat Target Host Name: HOSTNAME
                Threat Target IPv4 Address: xxx.xxx.xxx.xxx
                Threat Target IP Address: xxx.xxx.xxx.xxx
                Threat Target MAC Address:
                Threat Target User Name: DOMAIN\USERID
                Threat Target Port Number:
                Threat Target Network Protocol:
                Threat Target Process Name:
                Threat Target File Path: EicarTest.txt
                Event Category: Malware detected
                Event ID: 1278
                Threat Severity: Critical
                Threat Name: EICAR test file
                Threat Type: Test
                Action Taken: Delete
                Threat Handled: True
                Analyzer Detection Method: On-Access Scan

                Events received from managed systems
                Event Description: File infected. No cleaner available, file deleted successfully

                Host IPS 8.0 Event Information
                This is not an Host IPS 8.0 event.
                Additional Event details from VirusScan Enterprise

                ATD Event Log Information

                Endpoint Security
                Module Name: Threat Prevention
                Analyzer Content Creation Date: 3/11/17 7:51:00 AM
                AMCore Content Version: 2915.0
                Analyzer McAfee GTI Query: No
                Threat Detected On Creation: Yes
                Target Hash: 44d88612fea8a8f36de82e1278abb02f
                Target Name: EicarTest.txt
                Target Path: C:\Users\%USER%\Desktop
                Target File Size (Bytes): 68
                Target Modify Time: 3/13/17 8:53:32 AM
                Target Access Time: 3/13/17 8:53:22 AM
                Target Create Time: 3/13/17 8:53:22 AM
                Cleanable: No
                Task Name: On-Access Scan
                First Attempted Action: Clean
                First Action Status: Failed
                Second Attempted Action: Delete
                Second Action Status: Succeeded
                Description: DOMAIN\USERID ran C:\WINDOWS\SYSTEM32\NOTEPAD.EXE, which tried to access C:\Users\%USER%\Desktop\EicarTest.txt. The Test named EICAR test file was detected and deleted.
                Duration Before Detection (Days): 0
                Attack Vector Type: Local System

                Looks like another call to support...

                • 5. Re: Unable to see threats generated by Endpoint Security Threat Prevention 10.1.0.5623 under ePO dashboard or reports
                  woody188

                  Turns out the names have changed for some of the events. Instead of "Delete" or "Deleted", ENS uses "IDS_ALERT_ACT_TAK_DEL", and my rules were set too restrictively to allow those events to be emailed.
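The filter mismatch the thread converges on (johnmoe's category-only rule in reply 2 versus woody188's action-name rule in reply 5), as an added example that is not part of the original posts or of ePO itself: two constructed event records, one from VSE carrying the action "Deleted" and one from ENS carrying the token IDS_ALERT_ACT_TAK_DEL, are run through three simplified response rules. The `ResponseRule` class is an illustration of ePO's AND-ed filter conditions, not ePO's real API, and the field labels and values are taken from the event detail posted above; everything else in the block is assumed for the illustration.

```python
"""Added example: why an automatic-response filter keyed on the literal
action name misses ENS events while a Threat Category filter catches both.

The two sample events are constructed for this illustration. Field labels
mirror the ePO Threat Event Log detail shown in the thread; the rule model
is a simplification of ePO's filter UI, not its real API.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Event = Dict[str, str]

# Constructed VSE event: reports the action with the wording "Deleted".
VSE_EVENT: Event = {
    "Detecting Product Name": "McAfee VirusScan Enterprise",
    "Event ID": "1278",
    "Event Category": "Malware detected",
    "Threat Name": "EICAR test file",
    "Action Taken": "Deleted",
}

# Constructed ENS event: same category and event ID, but the action value
# the filter sees is the token woody188 found (reply 5).
ENS_EVENT: Event = {
    "Detecting Product Name": "McAfee Endpoint Security",
    "Event ID": "1278",
    "Event Category": "Malware detected",
    "Threat Name": "EICAR test file",
    "Action Taken": "IDS_ALERT_ACT_TAK_DEL",
}

Predicate = Callable[[Event], bool]


@dataclass
class ResponseRule:
    """Simplified automatic-response rule: every filter must match (AND)."""
    name: str
    filters: List[Predicate] = field(default_factory=list)

    def matches(self, event: Event) -> bool:
        return all(f(event) for f in self.filters)


def action_in(*values: str) -> Predicate:
    """Filter on the Action Taken field, case-insensitively."""
    allowed = {v.casefold() for v in values}
    return lambda e: e.get("Action Taken", "").casefold() in allowed


def category_is(value: str) -> Predicate:
    """Filter on the Event Category field ('Threat Category belongs to')."""
    return lambda e: e.get("Event Category", "").casefold() == value.casefold()


# Rule as originally written against VSE: category AND the VSE action wording.
LEGACY_RULE = ResponseRule(
    "VSE deletion alert",
    [category_is("Malware detected"), action_in("Delete", "Deleted")],
)

# Rule as johnmoe describes it: category only, so the action string is moot.
CATEGORY_RULE = ResponseRule(
    "Malware detected (any product)",
    [category_is("Malware detected")],
)

# Alternative that keeps the action filter but admits the ENS token as well.
EXPANDED_RULE = ResponseRule(
    "Deletion alert (VSE + ENS)",
    [category_is("Malware detected"),
     action_in("Delete", "Deleted", "IDS_ALERT_ACT_TAK_DEL")],
)


def alerted_products(rule: ResponseRule, events: List[Event]) -> List[str]:
    """Return the detecting products whose events would trigger the email."""
    return [e["Detecting Product Name"] for e in events if rule.matches(e)]


if __name__ == "__main__":
    for rule in (LEGACY_RULE, CATEGORY_RULE, EXPANDED_RULE):
        print(f"{rule.name}: {alerted_products(rule, [VSE_EVENT, ENS_EVENT])}")
```

Running it shows the legacy rule emailing only the VSE detection, while the category-only rule and the expanded action list cover both products; filtering on a stable field such as the category (or the event ID, 1278 in both records) is less fragile than matching a product's display wording for the action.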