WORK INSTRUCTION TITLE
Remediating SIEM Alerts with McAfee VirusScan
REVISION DATE
7-Mar-2014
DEPARTMENT
IO – End User Computing
REVISION NUMBER
1.0
OWNER
IO – End User Computing
REVIEW DATE
APPROVER:
TABLE OF CONTENTS
TABLE OF CONTENTS
PURPOSE/BACKGROUND
SCOPE
RESPONSIBILITIES
REFERENCES/DEFINITIONS
Definitions
WORK INSTRUCTION
1.0 Determining the Computer Name
2.1 Connecting to the Remote Computer
2.2 Updating AV Definitions and Starting the Full System Scan
3.0 Resolving the Remedy Incident
REVISION SUMMARY
Tags
PURPOSE/BACKGROUND
SIEM alerts require immediate attention from the EUC team; otherwise these Incidents risk
breaching service level agreements (SLAs).
SCOPE
This document includes instructions on determining the computer name, updating McAfee
VirusScan Enterprise definitions, running a full system scan with McAfee VirusScan Enterprise,
and updating the Incident for resolution. This document does not include instructions on
reinstalling McAfee VirusScan Enterprise or on escalating incidents to Field Services in the event
that an infection is not cleaned by McAfee VirusScan Enterprise.
As of September 2013, SIEM checks for the following infections:
Win32/Viking.MZ
Win32/Conficker.Binf
Java/CVE-2012-1723
Win32/Rimecud.A
Win32/DealPly
TrojanDropper:Win32/Qakbot.A
HackTool:Win32/Keygen
Win32/Hotbar
VirTool:INF/Autorun.gen!AA
PWS:HTML/Barfraud.B
VirTool:INF/Autorun.gen!B
Worm:Win32/Hamweq!inf
Win32/Medfos.AF
RESPONSIBILITIES
The EUC team is responsible for triaging SIEM alerts and for escalating to the appropriate
teams only when necessary.
REFERENCES/DEFINITIONS
Definitions
SIEM – Security Information and Event Management
For more information on the McAfee VirusScan Enterprise command-line tools used below, see the
McAfee Knowledge Center at https://support.mcafee.com/ServicePortal/faces/knowledgecenter.
Also see page 92 of the McAfee VirusScan Enterprise 8.8 Product Guide at
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22941/en_US/vse_880_product_guide_en-us.pdf
WORK INSTRUCTION
1.0 Determining the Computer Name
If and only if the host (computer) name does not appear in the Remedy incident notes, follow
these steps to determine the computer name and update the Incident notes with the infected
computer's name. Otherwise, take possession of the incident and continue to section 2.1
Connecting to the Remote Computer.
1. Open the incident in Remedy. Take possession of the incident, then change the status to In
Progress.
2. Open the Notes field. Locate the Host IP Address.
3. Open a command prompt: click Start > Run, type cmd, then press Enter or click OK.
4. Type ping -a X.X.X.X, where X.X.X.X is the IP address from the Incident Notes field. The -a
switch performs a reverse DNS lookup and shows the host name that the address resolves to. If
the returned name looks wrong for that address (for example, a stale DNS record), confirm it by
another route before scanning anything.
5. Right-click the results in the command prompt window, then click Mark. Highlight the results,
then right-click the active window bar at the top and click Edit > Copy.
6. Paste the results into a new note in the Incident.
7. Add the computer name to the CI+ field in the left column. Optionally, also search for the
computer name in QIT and cross-reference the employee's name in QIT with the Contact+ field in
Remedy.
8. Save the Incident, then proceed with one of the following options:
a. If the computer name is a workstation beginning with W, continue to the next section.
b. If the computer name does not resolve, escalate the incident to the queue
IPC_Information Protection and Compliance. Continue to the next section after the IPC
team returns the incident to End User Computing (EUC) with a computer name.
c. If the computer name is a server, escalate the incident to the queue IT Infrastructure
Operations > Enterprise Computing. No further action is required by EUC.
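The following PowerShell function is an added example, not part of this work instruction; it automates section 1.0 steps 4 and 8 (reverse lookup of the alert IP and the workstation/unresolved/server decision) and adds one check the steps above do not: that the returned name forward-resolves back to the alert IP. Assumptions not stated on this page: a name is a workstation when it starts with "W" (step 8a), any other resolvable name is treated as a server, a name that fails the round-trip check is held for manual confirmation rather than routed to a queue, and the sample IP address is constructed.

```powershell
# Added example, not part of the work instruction. Assumptions not on the page:
# a name is a workstation when it starts with "W" (section 1.0 step 8a); any other
# resolvable name is treated as a server; a PTR name that does not forward-resolve to
# the alert IP is held for manual confirmation; the sample IP below is constructed.
function Resolve-SiemHost {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$IPAddress)

    $fqdn = $null
    try {
        # The same reverse (PTR) lookup that "ping -a" performs, without the ICMP echo.
        $fqdn = [System.Net.Dns]::GetHostEntry($IPAddress).HostName
    } catch [System.Net.Sockets.SocketException] {
        # No PTR record: $fqdn stays empty and the alert goes to IPC (step 8b).
    }

    $shortName = $null
    $roundTrip = $false
    if ($fqdn) {
        $shortName = ($fqdn -split '\.')[0].ToUpper()
        # Check the name forward-resolves back to the alerting IP. A stale PTR record
        # would otherwise send the scan to the wrong machine while the infected one stays live.
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
            $roundTrip = @($addrs) -contains $IPAddress
        } catch [System.Net.Sockets.SocketException] {
            $roundTrip = $false
        }
    }

    $action = if (-not $shortName) {
        'Escalate to queue IPC_Information Protection and Compliance (name did not resolve)'
    } elseif (-not $roundTrip) {
        'Hold: PTR name does not resolve back to the alert IP; confirm the host before scanning'
    } elseif ($shortName.StartsWith('W')) {
        'Workstation: take possession and continue to section 2.1'
    } else {
        'Escalate to queue IT Infrastructure Operations > Enterprise Computing (server)'
    }

    # Paste this object, together with the raw "ping -a" output, into the Incident notes.
    [pscustomobject]@{
        IPAddress    = $IPAddress
        ComputerName = $shortName
        RoundTripOk  = $roundTrip
        Action       = $action
    }
}

# Constructed sample input; replace with the Host IP Address from the Incident notes.
Resolve-SiemHost -IPAddress '10.20.30.40' | Format-List
```

Run it from the same elevated command prompt you use for ping; it needs no connectivity to the target itself, only to the DNS server, so it does not tip off malware on the host before the scan starts.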
2.1 Connecting to the Remote Computer
Use PsExec to open a command prompt on the remote computer with an account that has elevated
privileges. The -s switch runs the remote process as the LocalSystem account and -h runs it with
an elevated token on Windows Vista and later, so the update and scan commands in section 2.2
have the rights they need.
1. Open a command prompt using an account with elevated privileges (e.g. A_UserID). Type
psexec \\{computer name} -s -h cmd.exe, then press Enter.
2. Type hostname to verify that the prompt is now running on the remote computer. The output
must match the computer name from the Incident before you continue.
2.2 Updating AV Definitions and Starting the Full System Scan
Follow these steps in the remote command prompt from section 2.1 to update the definitions,
start the full system scan, and create a log file.
1. At the command prompt, type cd "\Program Files\McAfee\VirusScan Enterprise", then press Enter.
(On 64-bit Windows the folder is \Program Files (x86)\McAfee\VirusScan Enterprise.)
2. Type mcupdate.exe /update /quiet, then press Enter.
3. Wait while the definition files update before continuing to the next step.
4. Make sure the folder C:\LocalDocs exists on the remote computer; the log in this step is
written there. Then type SCAN32.EXE C: /ALL /START /ANALYZE /CLEAN /ARCHIVE /CONTINUE
/CONTINUEA /UINONE /NOESTIMATE /LOG=C:\LocalDocs\Scan.log, then press Enter.
5. Wait while the scan runs; it takes approximately 1-2 hours to complete.
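The following PowerShell script is an added example, not part of this work instruction; it runs the command-line steps of sections 2.1 and 2.2 from the technician's workstation and finishes with the log copy described at the start of section 3.0, using the page's own mcupdate and SCAN32 command lines. It adds the checks a technician would want before closing the Incident: the remote hostname must match the target, the DAT version is recorded before and after the update, and the log file must actually exist before it is copied. Assumptions not stated on this page: PsExec.exe is on the PATH; the caller is a local administrator on the target (the page's elevated A_ account); VSE 8.8 is in its default folder; the DAT version is read from the registry value HKLM\SOFTWARE\McAfee\AVEngine\AVDatVersion (an assumed location, read through the 32-bit registry view on x64); the local copy of the log is named per host, which differs from the page's plain scan.log; and the sample host name is constructed.

```powershell
# Added example, not part of the work instruction: the command-line steps of sections
# 2.1-2.2 plus the log copy from section 3.0, run from the technician's workstation.
# Assumptions not stated on the page: PsExec.exe is on the PATH; the caller is a local
# administrator on the target (the page's elevated A_ account); VSE 8.8 is installed in
# its default folder; the DAT version is read from the registry value
# HKLM\SOFTWARE\McAfee\AVEngine\AVDatVersion (assumed location, 32-bit view on x64).

function Invoke-RemoteCmd {
    param([string]$ComputerName, [string[]]$CommandLine)
    # psexec waits for the remote process and relays its exit code through $LASTEXITCODE.
    # Its own banner goes to stderr, so $output holds only the remote process's stdout.
    $output = & psexec.exe "\\$ComputerName" -accepteula -s -h @CommandLine
    [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = @($output) }
}

function Get-RemoteDatVersion {
    param([string]$ComputerName)
    # Assumed registry location (see header); reg.exe /reg:32 reads the 32-bit view on x64.
    $r = Invoke-RemoteCmd $ComputerName @('reg.exe', 'query', 'HKLM\SOFTWARE\McAfee\AVEngine', '/v', 'AVDatVersion', '/reg:32')
    $line = $r.Output | Where-Object { $_ -match 'AVDatVersion' } | Select-Object -First 1
    if ($line -and $line -match '0x([0-9a-fA-F]+)') { [Convert]::ToInt32($Matches[1], 16) } else { $null }
}

function Invoke-VseRemoteScan {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$RemoteLogDir = 'C:\LocalDocs',   # page: /LOG=C:\LocalDocs\Scan.log on the target
        [string]$LocalLogDir  = 'C:\LocalDocs'    # page: local copy attached to the Incident
    )

    # 2.1 step 2: the remote hostname must echo the target, or psexec reached the wrong box.
    $r = Invoke-RemoteCmd $ComputerName @('hostname.exe')
    $remoteName = "$($r.Output | Where-Object { $_ } | Select-Object -Last 1)".Trim()
    if ($r.ExitCode -ne 0 -or $remoteName -ne $ComputerName.Split('.')[0]) {
        throw "Expected '$ComputerName' but connected to '$remoteName'; aborting."
    }

    # VSE is a 32-bit product, so on x64 Windows its folder is under Program Files (x86).
    $vseDir = @('C:\Program Files (x86)\McAfee\VirusScan Enterprise',
                'C:\Program Files\McAfee\VirusScan Enterprise') |
        Where-Object { Test-Path -LiteralPath ("\\$ComputerName\" + $_.Replace(':', '$') + '\scan32.exe') } |
        Select-Object -First 1
    if (-not $vseDir) { throw "scan32.exe not found on $ComputerName; reinstalling VSE is out of scope." }

    # 2.2 steps 2-3: update definitions and show the update took by comparing DAT versions.
    $datBefore = Get-RemoteDatVersion $ComputerName
    $r = Invoke-RemoteCmd $ComputerName @("$vseDir\mcupdate.exe", '/update', '/quiet')
    $datAfter = Get-RemoteDatVersion $ComputerName
    if ($r.ExitCode -ne 0) { Write-Warning "mcupdate.exe exited with $($r.ExitCode); DAT $datBefore -> $datAfter" }

    # Create the log folder first so the /LOG target exists, then run the page's scan
    # command line unchanged. psexec blocks until scan32 exits (the page says 1-2 hours).
    $null = New-Item -ItemType Directory -Force -Path ("\\$ComputerName\" + $RemoteLogDir.Replace(':', '$'))
    $logPath = Join-Path $RemoteLogDir 'Scan.log'
    $r = Invoke-RemoteCmd $ComputerName @("$vseDir\scan32.exe", 'C:', '/ALL', '/START', '/ANALYZE', '/CLEAN',
        '/ARCHIVE', '/CONTINUE', '/CONTINUEA', '/UINONE', '/NOESTIMATE', "/LOG=$logPath")

    # 3.0 steps 1-2: pull the log over the admin share; the copy is named per host so several
    # incidents worked in parallel do not overwrite each other's scan.log.
    $remoteLog = "\\$ComputerName\" + $logPath.Replace(':', '$')
    if (-not (Test-Path -LiteralPath $remoteLog)) {
        throw "scan32 exited with $($r.ExitCode) but $remoteLog was not written; do not resolve the Incident."
    }
    $null = New-Item -ItemType Directory -Force -Path $LocalLogDir
    $localLog = Join-Path $LocalLogDir "$ComputerName-scan.log"
    Copy-Item -LiteralPath $remoteLog -Destination $localLog -Force

    [pscustomobject]@{
        ComputerName = $ComputerName
        DatBefore    = $datBefore
        DatAfter     = $datAfter
        ScanExitCode = $r.ExitCode
        LocalLog     = $localLog
    }
}

# Usage (constructed host name): Invoke-VseRemoteScan -ComputerName 'W12345'
```

The returned object gives the DAT version before and after the update, the scan exit code and the local log path, which is what goes into the Incident work info; if DatAfter equals DatBefore the update did not take and the scan ran on old definitions, so check the update before treating the scan as clean.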
3.0 Resolving the Remedy Incident
Once the full AV scan completes, copy the scan log from the remote computer to C:\localdocs on
your own computer. Then upload the log to the Incident and resolve it.
1. Click Start > Run, then type \\computer_name\c$. When prompted, enter the credentials of an
account with elevated privileges.
2. Copy \\computer_name\c$\LocalDocs\Scan.log (the path given to /LOG in section 2.2) to
C:\localdocs. If the file is missing, the scan did not complete; do not resolve the Incident.
3. In Remedy, click Links > Categorizations on the left. Select the following items in the picklists,
then click Save:
a. Resolution Categorization
Software
Asset
Modify
b. Resolution Product Categorization
Software
Platform and Infrastructure Management
Security Applications
MCAFEE VIRUSSCAN ENTEPRISE
4.6
4. Under Add Work Info, in the Notes field, type "Scan Log attached". In the Attachment field, click
the folder icon, browse to C:\localdocs\scan.log, click OK, then click Add.
5. Review the scan log first: use the resolution text below only if the log shows that the
detected items were cleaned or deleted. If the log reports items that could not be cleaned, the
infection is not remediated and the incident must be escalated to Field Services (outside the
scope of this document). Otherwise, in the Resolution field, type "Full AV scan completed and
threat successfully removed." Set the Status to Resolved and the Status Reason to No Further
Action Required.
6. Click Save, then close Remedy.
REVISION SUMMARY
Revision Date Author Comments
1.0 7-Mar-2014 Eric Roberson Published