Forensics blade can use information from the Windows Event Log to monitor and analyze malware events from third party anti-virus vendors. Based on the Windows Event Log, Forensics can analyze attacks, terminate processes, delete or quarantine files, and do other attack remediation.
You can enable or disable third party integration in SmartEndpoint, from the Automatic Threat Analysis action. This works with most common vendors without manual configuration. Note - Some third party vendors do not automatically send information to the Windows Event Log.
To use third party vendor integration, make sure that your vendor is configured to send information to the Windows Event Log. Events are detected when the client is online or offline.
To enable or disable Forensics Third Party Anti-Virus Vendor integration:
- In a SandBlast Agent Forensics and Remediation rule, right-click the Automatic Threat Analysis Action and select "Edit Shared Action".
- In the bottom of the window, click "Override confidence level per specific event". The Confidence level for automatic response window opens.
- In the Additional Events area, in the Third party row under Forensics Analysis - Select "Always" to enable Third Party Anti-Virus Vendor integration. Select Never to disable it.
- Click "OK".
Integration was tested with the following vendors:
- Windows Defender (English)
- Symantec Endpoint Protection (English)
- F-Secure Anti-Virus (English)
- Kaspersky (English, Russian)
- ESET Smart Security (English)
- ESET NOD32 Antivirus (English)
- ESET Endpoint Antivirus (English)
- Cylance (English)
- McAfee Endpoint Security (English, French)
- Trend Micro (English)
- Create eicar file on your machine.
- Wait a minute and see if forensics analysis has started.
- Open Event Viewer.
- Search for AV vendor log under Application or Application and service logs.
- Find the log of the eicar notification and export it.
- Contact support with exported log, in addition to AV vendor client name and version.
- If the log is missing, it means that the AV vendor did not write the logs to the Event Viewer. In such a case you will need to enable it at the third party vendors policy management.
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.