There are specific queries/dashboards for ENS. We have ePO 5.3.2 and are testing ENS 10.2.0. All our VirusScan malware emails come in via automated responses, but Endpoint does not. Looks like I'll have to set up custom queries to get this to occur for Endpoint, which is unfortunate because it was all working well for VSE.
FWIW, I'm running both VSE and ENS (in the middle of transitioning to 10.5 Win/10.2 Mac & Linux), and I just specify "Threat Category --> belongs to --> Malware Detected", and I get e-mail alerts from both products from the one automatic response rule.
McAfee has an event troubleshooting guide that should help: https://kc.mcafee.com/corporate/index?page=content&id=KB53035e
Thanks for the link. If I can't get it figured out I guess it just means another call to support. We've tried EICAR files and even real threats, and while it is definitely logged in ePO, the events from ENS never get emails but the VSE ones are going out. Doesn't make any sense to me.
Just so you know I'm not crazy, the event gets to ePO and gets parsed and is viewable as an event under the "Threat Events" tab for the endpoint:

Threat Event Log Information
Server ID: EPOHOSTNAME
Event Received Time: 3/13/17 8:55:04 AM
Event Generated Time: 3/13/17 8:53:35 AM
Agent GUID: REDACTED
Detecting Prod ID (deprecated): ENDP_AM_1020
Detecting Product Name: McAfee Endpoint Security
Detecting Product Version: 10.2.0.662
Detecting Product Host Name: REDACTED
Detecting Product IPv4 Address: xxx.xxx.xxx.xxx
Detecting Product IP Address: xxx.xxx.xxx.xxx
Detecting Product MAC Address: MAC Address
DAT Version: 2915.0
Engine Version: 5800.7501
Threat Source Host Name: HOSTNAME
Threat Source IPv4 Address: xxx.xxx.xxx.xxx
Threat Source IP Address: xxx.xxx.xxx.xxx
Threat Source MAC Address:
Threat Source User Name:
Threat Source Process Name: C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
Threat Source URL:
Threat Target Host Name: HOSTNAME
Threat Target IPv4 Address: xxx.xxx.xxx.xxx
Threat Target IP Address: xxx.xxx.xxx.xxx
Threat Target MAC Address:
Threat Target User Name: DOMAIN\USERID
Threat Target Port Number:
Threat Target Network Protocol:
Threat Target Process Name:
Threat Target File Path: EicarTest.txt
Event Category: Malware detected
Event ID: 1278
Threat Severity: Critical
Threat Name: EICAR test file
Threat Type: Test
Action Taken: Delete
Threat Handled: True
Analyzer Detection Method: On-Access Scan

Events received from managed systems
Event Description: File infected. No cleaner available, file deleted successfully

Endpoint Security Module Name: Threat Prevention
Analyzer Content Creation Date: 3/11/17 7:51:00 AM
AMCore Content Version: 2915.0
Analyzer McAfee GTI Query: No
Threat Detected On Creation: Yes
Target Hash: 44d88612fea8a8f36de82e1278abb02f
Target Name: EicarTest.txt
Target Path: C:\Users\%USER%\Desktop
Target File Size (Bytes): 68
Target Modify Time: 3/13/17 8:53:32 AM
Target Access Time: 3/13/17 8:53:22 AM
Target Create Time: 3/13/17 8:53:22 AM
Cleanable: No
Task Name: On-Access Scan
First Attempted Action: Clean
First Action Status: Failed
Second Attempted Action: Delete
Second Action Status: Succeeded
Description: DOMAIN\USERID ran C:\WINDOWS\SYSTEM32\NOTEPAD.EXE, which tried to access C:\Users\%USER%\Desktop\EicarTest.txt. The Test named EICAR test file was detected and deleted.
Duration Before Detection (Days): 0
Attack Vector Type: Local System
Looks like another call to support...
Turns out the names have changed for some of the events. Instead of "Delete" or "Deleted" ENS uses "IDS_ALERT_ACT_TAK_DEL" and my rules were set too restrictive to allow those events to be emailed.
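As an added example that is not part of this thread, here is a small Python simulation of the automatic-response filtering the posts describe: two constructed threat events (field names taken from the ePO event dump above; the VSE record with the plain "Deleted" action the original rules expected, the ENS record with the "IDS_ALERT_ACT_TAK_DEL" string the last post reports), the restrictive action-based filter that dropped the ENS event, the "Threat Category belongs to Malware Detected" filter from the second reply, and a normalized action filter. The only ENS action token known from the thread is IDS_ALERT_ACT_TAK_DEL; the alias table is an assumption and any other string is passed through unchanged.

```python
"""Simulate ePO automatic-response rule filtering over VSE and ENS threat events.

The records below are constructed for illustration; they are not captured ePO data.
"""
from typing import Callable

# Constructed sample events. Field names follow the ePO "Threat Event Log
# Information" layout. The ENS "Action Taken" value is the string reported in
# the thread; the VSE value is the plain "Deleted" the original rules matched on.
EVENTS = [
    {
        "Detecting Product Name": "McAfee VirusScan Enterprise",
        "Event ID": 1278,
        "Event Category": "Malware detected",
        "Threat Name": "EICAR test file",
        "Action Taken": "Deleted",
    },
    {
        "Detecting Product Name": "McAfee Endpoint Security",
        "Event ID": 1278,
        "Event Category": "Malware detected",
        "Threat Name": "EICAR test file",
        "Action Taken": "IDS_ALERT_ACT_TAK_DEL",
    },
]

# Assumed alias table: only the ENS token seen in the thread is known for
# certain. Anything not listed is returned lower-cased and otherwise unchanged.
ACTION_ALIASES = {
    "delete": "delete",
    "deleted": "delete",
    "ids_alert_act_tak_del": "delete",
}


def normalize_action(raw: str) -> str:
    """Map product-specific 'Action Taken' strings onto one canonical verb."""
    key = raw.strip().lower()
    return ACTION_ALIASES.get(key, key)


Rule = Callable[[dict], bool]


def restrictive_rule(event: dict) -> bool:
    """The original filter: exact match on the VSE action strings only."""
    return event["Action Taken"] in ("Delete", "Deleted")


def category_rule(event: dict) -> bool:
    """Filter from the second reply: Threat Category belongs to 'Malware Detected'."""
    return event["Event Category"].strip().lower() == "malware detected"


def normalized_action_rule(event: dict) -> bool:
    """Action-based filter that survives the ENS naming change."""
    return normalize_action(event["Action Taken"]) == "delete"


def products_alerted(rule: Rule, events=EVENTS) -> list:
    """Return the detecting products whose events would trigger an e-mail under `rule`."""
    return [e["Detecting Product Name"] for e in events if rule(e)]


if __name__ == "__main__":
    for name, rule in (
        ("restrictive action match", restrictive_rule),
        ("threat category match", category_rule),
        ("normalized action match", normalized_action_rule),
    ):
        print(f"{name:28s} -> {products_alerted(rule)}")
```

The restrictive rule reproduces the symptom from the thread (VSE alerts, ENS is silently dropped); the other two fire for both products, which is why matching on the threat category, or normalizing the action string first, is the safer filter when both agents report into one ePO.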