Page 1 of 6
WORK INSTRUCTION TITLE
Remediating SIEM Alerts with McAfee VirusScan
REVISION DATE
7-Mar-2014
DEPARTMENT
IO – End User Computing
REVISION NUMBER
1.0
OWNER
IO – End User Computing
REVIEW DATE
APPROVER:
TABLE OF CONTENTS
TABLE OF CONTENTS............................................................................................................... 1
PURPOSE/BACKGROUND........................................................................................................ 1
SCOPE............................................................................................................................................ 1
RESPONSIBILITIES....................................................................................................................2
REFERENCES/DEFINITIONS..................................................................................................2
Definitions................................................................................................................................... 2
WORK INSTRUCTION...............................................................................................................2
1.0 Determining the Computer Name ........................................................................................ 2
2.1 Connecting to the Remote Computer................................................................................... 3
2.2 Updating AV Definitions and Starting the Full System Scan ................................................. 4
3.0 Resolving the Remedy Incident............................................................................................. 4
REVISION SUMMARY................................................................................................................5
Tags................................................................................................................................................6
PURPOSE/BACKGROUND
SIEM alerts require immediate attention by the EUC team; otherwise these Incidents risk
breaching service level agreements (SLAs).
SCOPE
This document includes instructions on determining the computer name, updating McAfee
VirusScan Enterprise definitions, running a full system scan with McAfee VirusScan Enterprise,
and updating the Incident for resolution. This document does not include instructions on
reinstalling McAfee VirusScan Enterprise or escalating incidents to Field Services in the event an
infection is not cleaned with McAfee VirusScan Enterprise.
As of September 2013, SIEM checks for the following infections:
• Win32/Viking.MZ
• Win32/Conficker.Binf
• Java/CVE-2012-1723
• Win32/Rimecud.A
• Win32/DealPly
• TrojanDropper:Win32/Qakbot.A
• HackTool:Win32/Keygen
• Win32/Hotbar
• VirTool:INF/Autorun.gen!AA
• PWS:HTML/Barfraud.B
• VirTool:INF/Autorun.gen!B
• Worm:Win32/Hamweq!inf
• Win32/Medfos.AF
RESPONSIBILITIES
The EUC team is responsible for triaging SIEM alerts, and only when necessary escalating to the
appropriate teams.
REFERENCES/DEFINITIONS
Definitions
SIEM – Security Information and Event Management
For more information about this KB solution, please visit the McAfee Knowledge Center at
https://support.mcafee.com/ServicePortal/faces/knowledgecenter. Also see page 92 of the
McAfee VirusScan Enterprise Product Guide at
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/22000/PD22941/en_US/vse_880_product_guide_en-us.pdf
WORK INSTRUCTION
1.0 Determining the Computer Name
If and only if the host (computer) name does not appear in the Remedy incident notes, then
follow these steps to determine the computer name and update the Incident notes with the
infected computer name. Otherwise, take possession of the incident and continue to section
2.1 Verifying and Updating AV Definitions.
1. Open the incident in Remedy. Take possession of the incident, then change the status to In Progress.
2. Open the Notes field. Locate the Host IP Address.
3. Open a command prompt. Click Start > Run, then type cmd. Press Enter or click OK.
4. Type ping -a X.X.X.X, where X.X.X.X is the IP address from the Incident Notes field.
5. Right-click the results in the command prompt window, then click Mark. Highlight the results, then right-click the active window bar at the top. Click Edit > Copy.
6. Paste the results into a new note in the Incident.
7. Add the computer name into the CI+ field in the left column. Optionally, also search for the computer name in QIT. Cross-reference the employee's name in QIT with the Contact+ field in Remedy.
8. Save the Incident, then proceed with one of the following options:
a. If the computer name is a workstation beginning with W, then continue to the next section.
b. If the computer name does not resolve, then escalate the incident to the queue IPC_InformationProtectionandCompliance. Continue to the next section after the IPC team returns the incident to End User Computing (EUC) with a computer name.
c. If the computer name is a server, then escalate the incident to the queue IT Infrastructure Operations > Enterprise Computing. No further action is required by EUC.
2.1 Connecting to the Remote Computer
Use PSEXEC to connect to the remote computer using an account with elevated privileges.
1. Open a command prompt using an account with elevated privileges (e.g. A_UserID). Type psexec -s -h \\{computername} cmd.exe.
2. Type hostname to verify connectivity to the remote computer.
2.2 Updating AV Definitions and Starting the Full System Scan
Follow these steps to start the full system scan and create a log file.
1. At the command prompt type CD "\Program Files\McAfee\VirusScan Enterprise", then press Enter.
2. Type mcupdate.exe /update /quiet, then press Enter.
3. Wait while the definition files update before continuing to the next step.
4. Type SCAN32.EXE C: /ALL /START /ANALYZE /CLEAN /ARCHIVE /CONTINUE /CONTINUEA /UINONE /NOESTIMATE /LOG=C:\LocalDocs\Scan.log, then press Enter.
5. Wait while the scan runs, which will take approximately 1-2 hours to complete.
3.0 Resolving the Remedy Incident
Once the full AV scan completes, copy the scan.log file to C:\localdocs. Then upload the log to the incident and resolve it.
1. Click Start > Run, then type \\computer_name\c$. When prompted, type credentials for an account with elevated privileges.
2. Copy \\computer_name\c$\scan.log to C:\localdocs.
3. In Remedy, click Links > Categorizations on the left. Select the following items in the pick lists, then click Save:
a. Resolution Categorization
 • Software
 • Asset
 • Modify
b. Resolution Product Categorization
 • Software
 • Platform and Infrastructure Management
 • Security Applications
 • MCAFEE VIRUSSCAN ENTERPRISE
 • 4.6
4. Under Add Work Info in the Notes field, type “Scan Log attached”. In the Attachment field, click the folder. Browse to C:\localdocs\scan.log. Click OK, then click Add.
5. In the Resolution field, type “Full AV scan completed and threat successfully removed.” Select Resolved for the status and No Further Action Required for the Status Reason.
6. Click Save, then close Remedy.
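A triage helper for the procedure above (sections 1.0 through 3.0), added here as an example and not part of the original work instruction: it parses `ping -a` output, applies the routing rules of step 8, and builds the psexec, mcupdate and SCAN32 command lines from sections 2.1 and 2.2. It assumes that a resolved name not beginning with W is a server (the instruction gives no server naming rule), that psexec is on PATH, and that the sample ping output and host name are constructed.

```python
"""Triage helper for the SIEM alert work instruction (added example; not part
of the original document). Encodes section 1.0 (reverse-lookup the host IP and
route the incident by computer name) and builds the section 2.1-3.0 commands.
Assumptions: a resolved name not starting with W is treated as a server; psexec
is on PATH; the VSE path and SCAN32 switches are those quoted in section 2.2."""
import re
import subprocess
from typing import Optional

VSE_DIR = r"C:\Program Files\McAfee\VirusScan Enterprise"
SCAN_LOG = r"C:\LocalDocs\Scan.log"
SCAN_SWITCHES = ("/ALL /START /ANALYZE /CLEAN /ARCHIVE /CONTINUE /CONTINUEA "
                 "/UINONE /NOESTIMATE")

# Constructed sample of Windows `ping -a` output for a host whose reverse
# lookup succeeded (hypothetical name and address, not from the document).
SAMPLE_PING = ("\nPinging W123456.corp.example.com [10.20.30.40] with 32 bytes of data:\n"
               "Reply from 10.20.30.40: bytes=32 time=1ms TTL=128\n")


def hostname_from_ping(ping_output: str) -> Optional[str]:
    """Return the short computer name from `ping -a` output, or None when the
    reverse lookup failed (Windows then prints the bare IP after 'Pinging')."""
    m = re.search(r"^Pinging (\S+) \[", ping_output, re.MULTILINE)
    if not m:
        return None
    return m.group(1).split(".")[0].upper()  # drop DNS suffix, normalise case


def route(hostname: Optional[str]) -> str:
    """Section 1.0 step 8: which queue handles the incident next."""
    if hostname is None:
        return "ESCALATE to IPC_InformationProtectionandCompliance (name did not resolve)"
    if hostname.startswith("W"):
        return "EUC: workstation, continue to section 2.1"
    # Assumption: anything else is a server (the instruction gives no server prefix).
    return "ESCALATE to IT Infrastructure Operations > Enterprise Computing (server)"


def remediation_commands(computer: str) -> list:
    """Sections 2.1-2.2 as non-interactive psexec calls. Assumption: each step
    is launched directly through psexec -s -h rather than an interactive cmd.exe."""
    psexec = f"psexec -s -h \\\\{computer}"
    return [
        f'{psexec} "{VSE_DIR}\\mcupdate.exe" /update /quiet',
        f'{psexec} "{VSE_DIR}\\SCAN32.EXE" C: {SCAN_SWITCHES} /LOG={SCAN_LOG}',
    ]


def scan_log_unc(computer: str) -> str:
    """Section 3.0: admin-share path where the /LOG switch leaves the scan log."""
    return f"\\\\{computer}\\c$\\{SCAN_LOG[3:]}"


def triage_ip(ip: str) -> str:
    """Run `ping -a` for the IP from the incident notes and return the routing."""
    out = subprocess.run(["ping", "-a", "-n", "1", ip], capture_output=True,
                         text=True).stdout
    return route(hostname_from_ping(out))


if __name__ == "__main__":
    # Dry run on the constructed sample: prints the route and the commands an
    # analyst would paste, without contacting any host.
    name = hostname_from_ping(SAMPLE_PING)
    print(route(name))
    if name and name.startswith("W"):
        print("\n".join(remediation_commands(name)))
        print("log:", scan_log_unc(name))
```

Note that the /LOG path written by SCAN32 is C:\LocalDocs\Scan.log, so the helper fetches the log from that folder on the admin share rather than from the root of C:.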
REVISION SUMMARY
Revision Date Author Comments
1.0 7-Mar-2014 Eric Roberson Published
Tags
Antivirus, AV, SIEM, Security, McAfee