Here is a sample log event as it arrives in Splunk from McAfee VirusScan Enterprise (one access-protection event, in Splunk key=value format with backslashes doubled):

17:54:30 AutoID=389732 signature="Common Standard Protection:Prevent termination of McAfee processes" threat_type="access protection" signature_id=1092 category=hip.file severity_id=5 event_description="Access Protection rule violation detected and blocked" detected_timestamp=1405554869.000 file_name="C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\scan64.exe" detection_method=OAS vendor_action="deny terminate" threat_handled=true logon_user="NT AUTHORITY\\SYSTEM" user=freddie3 dest_nt_domain=SLICK dest_dns=HW005029 dest_nt_host=HW005029 fqdn= dest_ip=10.233.11.61 dest_netmask= dest_mac=fc4dd4d210ab os="Windows 7" sp="Service Pack 1" os_version=6.1 os_build=7601 timezone="Canada Central Standard Time" src_dns=_ src_ip=10.233.52.49 src_mac= process="C:\\WINDOWS\\CCM\\CcmExec.exe" url= logon_user_1= is_laptop=0 product="VirusScan Enterprise" product_version=8.8 engine_version= dat_version= vse_dat_version=7500.0000 vse_engine64_version=5600.1067 vse_engine_version=5600.1067 vse_hotfix=2 vse_product_version=8.8.0.975.Wrk vse_sp=

Splunk DB Connect is installed only on the Search Head. The Splunk Add-on for McAfee is installed on both the Search Head and the Indexer.
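The event above is worth parsing rather than eyeballing: the interesting fields (which rule fired, whether the action was blocked, which process tried to touch the McAfee binary) are buried among dozens of inventory fields, and the values carry doubled backslashes and empty assignments such as fqdn= and vse_sp= that a naive split on "=" gets wrong. The following is an added example, not code from the page or from Splunk or McAfee: a small parser for this key=value layout plus a triage step that summarises access-protection events. The sample event is the page's own log line reproduced as a constructed string (a few trailing version fields dropped); the function names and the summary dictionary are the example's own choices.

```python
import re
from typing import Dict, Optional

# Constructed sample: the VirusScan Enterprise access-protection event quoted on
# the page, with the doubled backslashes exactly as the log shows them.
SAMPLE_EVENT = (
    r'17:54:30 AutoID=389732 '
    r'signature="Common Standard Protection:Prevent termination of McAfee processes" '
    r'threat_type="access protection" signature_id=1092 category=hip.file severity_id=5 '
    r'event_description="Access Protection rule violation detected and blocked" '
    r'detected_timestamp=1405554869.000 '
    r'file_name="C:\\Program Files (x86)\\McAfee\\VirusScan Enterprise\\x64\\scan64.exe" '
    r'detection_method=OAS vendor_action="deny terminate" threat_handled=true '
    r'logon_user="NT AUTHORITY\\SYSTEM" user=freddie3 dest_nt_domain=SLICK '
    r'dest_nt_host=HW005029 fqdn= dest_ip=10.233.11.61 dest_mac=fc4dd4d210ab '
    r'os="Windows 7" sp="Service Pack 1" os_version=6.1 src_dns=_ src_ip=10.233.52.49 '
    r'process="C:\\WINDOWS\\CCM\\CcmExec.exe" url= product="VirusScan Enterprise" '
    r'product_version=8.8 vse_sp='
)

# One key=value token: the value is either a double-quoted string (in which a
# backslash escapes the next character, so \\ and \" are single units) or a run
# of non-whitespace characters, which may be empty (fqdn=, url=, vse_sp=).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s]*)')
TIME_RE = re.compile(r'\d{2}:\d{2}:\d{2}')


def unescape(value: str) -> str:
    """Collapse backslash escapes inside a quoted value: \\\\ -> \\, \\" -> "."""
    return re.sub(r'\\(.)', r'\1', value)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one Splunk-style key=value event into a dict of plain strings."""
    fields: Dict[str, str] = {}
    head, _, rest = line.partition(' ')
    if TIME_RE.fullmatch(head):
        fields['_time'] = head          # leading HH:MM:SS has no key of its own
    else:
        rest = line
    for key, raw in KV_RE.findall(rest):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            fields[key] = unescape(raw[1:-1])
        else:
            fields[key] = raw           # unquoted values carry no escaping
    return fields


def triage_access_protection(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Summarise an access-protection event for review; None for other types.

    Returns who (process, user) attempted what (vendor_action) against which
    McAfee file on which host, and whether the product reports it as blocked.
    """
    if fields.get('threat_type') != 'access protection':
        return None
    return {
        'host': fields.get('dest_nt_host', ''),
        'rule': fields.get('signature', ''),
        'signature_id': fields.get('signature_id', ''),
        'actor': fields.get('process', ''),
        'logon_user': fields.get('logon_user', ''),
        'target': fields.get('file_name', ''),
        'action': fields.get('vendor_action', ''),
        'blocked': fields.get('threat_handled') == 'true',
    }


if __name__ == '__main__':
    parsed = parse_event(SAMPLE_EVENT)
    summary = triage_access_protection(parsed)
    for k, v in summary.items():
        print(f'{k:13} {v}')
```

Run stand-alone it prints the summary for the sample: the rule "Prevent termination of McAfee processes" fired on HW005029 because C:\WINDOWS\CCM\CcmExec.exe, running as NT AUTHORITY\SYSTEM, attempted to terminate scan64.exe, and the product reports the attempt as denied. The unescape step matters: without it, the file_name and process paths keep their doubled backslashes and will not match against paths collected from the host itself.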