cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
User57965125
Level 7
Report Inappropriate Content
Message 1 of 3
‎01-04-2023 08:24 AM

File was quarantined, but we cannot find the respective log file messages.

During integration of the Trellix AntiVirus Standalone solution into the NATSAMAN system we are using an EICAR file to test the behaviour. We could test that the EICAR file was quarantined, but we cannot find the respective log file messages. [root@TP-cwp04 etc]# /opt/McAfee/ens/tp/bin/mfetpcli --version Trellix Endpoint Security for Linux Threat Prevention Version : 10.7.13.20 DAT Version : 5194.0 DAT Date : 22-12-2022 Engine Version : 6600.9927 Exploit Prevention Content Version : 10.7.0.00079 On transferring an EICAR file named NATSAMAN837-EICAR into the AMAN System; it is quarantined immediately: ~> scp eicar.com.txt username@TP-cwp04:/tmp/NATSAMAN837-EICAR ; date eicar.com.txt 100% 68 0.1KB/s 00:00 Tue Jan 3 09:43:02 UTC 2023 ~> On AMAN host a new file is placed into the /Quarantine/ folder and does not exists on target: [root@TP-cwp04 /]# ll /Quarantine/ total 8 -rw-------. 1 root root 250 Jan 3 09:43 Q0.0.958996.000.meta -rw-------. 1 root root 254 Jan 3 09:43 Q0.0.958996.000.zip [root@TP-cwp04 /]# ls -la /tmp/NATSAMAN837-EICAR ls: cannot access '/tmp/NATSAMAN837-EICAR': No such file or directory but there are not log lines like in the Trello log files with Quarantine or the quarantined file name: [root@TP-cwp04 /]# find /var/McAfee/ens/log/ -type f -exec zgrep -i quaran {} \; Jan 02 16:38:31 TP-cwp04 INFO AMQuarantineRestoreManager [248424] Quarantine directory successfully changed to /Quarantine/ [root@TP-cwp04 /]# find /var/McAfee/ens/log/ -type f -exec zgrep -i eicar {} \; Could you please let us know how to configure the system to write and locate log messages for the detection of infected files by the On Access Scanner.
0 Kudos
Reply
2 Replies
User27605043
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 3
‎01-04-2023 09:02 AM

Re: File was quarantined, but we cannot find the respective log file messages.

Testing this for me the log shows the detection and delete in the C:\ProgramData\McAfee\Endpoint Security\Logs\ folder in this log. "OnAccessScan_Activity.log"

Shows in ePO as event ID 1278 

 

Stewart
0 Kudos
Reply
BSharma
Employee
Employee
Report Inappropriate Content
Message 3 of 3
‎01-05-2023 12:12 AM

Re: File was quarantined, but we cannot find the respective log file messages.

Hello @User57965125 

 

Looks like you are using Linux machine with ENSL 10.7.13 version. 

Detection msg from OAS will show you in MFEOASMGR.log - The real-time log file for on-Access scan (OAS) Manager 

Path for this log: 

/var/McAfee/ens/log/tp/mfeoasmgr.log

 

By Default mfeoasmgr.log will log only "Critical and Alert" events and this can be changed/configured in ENS COmmon - Option policy. 

 

 

 

 

 

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and give a Kudo, together we can help other members.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use our Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from product experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by employees.
Join the Community
Join the Community

TrellixSkyhigh Security | Support Trellix.com SkyhighSecurity.com

Legal Privacy Copyright © 2023 Musarubra US LLC