Mcafee Endpoint Intelligent Agent, Raptor Integration

by butsch 15. September 2015 18:02

Mcafee Endpoint Intelligent Agent Raptor Integration clearing out question what if it DOES block or Isolate


The usage of Endpoint Intelligent Agent for tracing client Executables that make network connections for free of charge was promoted by Mcafee in a blog. However it was not mentioned that they use this to push Raptor their Stinger nextgen malware scanner to corporate clients. This technology will be also integrated in VSE Enterprise Version 10. You may know Raptor or Stinger in cases where VSE does not find malware and you need a second product.


There is really almost no good documentation or inside information on the usage of the EI-Agent and in concern of Raptor. Mainly and maybe because Raptor is there next tool which comes to VSE.


Here is how Endpoint Intelligence looks in EPO. Mainly the Endpoint Intelligence Agent is USED as client part for TIE and Mcafee Firewall to get more info what's in LAN segment (Beside as example HIPS).


Since people are left over with Cryptlocker virus it's good to have a free tool add. To EPO to track EXE Files a little bit. This without installing a FULL SIEM which starts at CHF 50'000.- for a 500+ employee box.





From the test run in Enterprise with 20 Test client with Agent we had 86 application and 2 seen as malware. One was an EXE running from a share and doing Certificate things. The second one a Clickonce side by side installation/Update which does ugly things in temp folder.


We wanted to know from Mcafee if the Raptor MODULE which is used in Endpoint Intelligent Agent EIA will/was blocking something OR not. Because from the regular THREAT Alerts you could assume that.


a) Something is isolated?

Answer : No nothing is isolated.


b) Something is blocked?

Answer : No nothing is blocked.


c) We assume that raptor Module is used by EI-Agent to determine if EXE on client is bad/good nothing. Raptor.exe USED by EI-Agent WILL NOT BLOCK/ISOLATE/TRY-TOSTOP anything?

Answer : Raptor is only used for detecting malicious activity and to identify an executable that is responsible for this. It does not classify an exe as good or bad or unknown. No blocking.


d) As mentioned in the Mcafee Blog where mcafee recommends the EI-Agent as solution for finding Locker Malware EXE on clients IT SAYS it will MONITOR/REPORT only?

Answer : EIA with ePO can be used for reporting number of connections from an executable with other information like MD5, absolute path and also the malware risk score for each of the executables.


e) Why does the EPO then show the THREAT Event?

Answer : Threat event is shown for reporting alone. For alerting the admin.


EPO Threat Alert triggered through RAPTOR from EI-Agent


Detecting Prod ID (deprecated):


Detecting Product Name:

Endpoint Intelligence Agent

Detecting Product Version:

Threat Source Host Name:

Threat Source MAC Address:

Threat Source User Name:

Threat Source Process Name:

Threat Source URL:

Threat Target Host Name:

Threat Target File Path:

rundll32.exe(md5: dd81d91ff3b0763c392422865c9ac12e)

Event Category:

Malware detected

Event ID:


Threat Severity:


Threat Name:


Threat Type:


Action Taken:


Threat Handled:

Analyzer Detection Method:


Events received from managed systems

Event Description:

Infected file found, access denied < THAT'S was unlear


In this case it was a strange but well known hospital software doing Framework clickONCE installation to undergo deployment and process of deployment. (We think)


This the location where you can FIND more info what Raptor did.


\\PCNAME\c$\Program Files (x86)\McAfee\Endpoint Intelligence Agent\x64\RaptorDir











[{"t":"1d0ea2ec71c80c5","p":"0","e":"5","1":"c\\rundll32.exe","2":"1,2d,\"rundll32.exe\" dfshim.dll,shopenverbshortcut 1\\u:\\profiledata\\appdata\\microsoft\\internet explorer\\quick launch\\user pinned\\taskbar\\hospis business center.appref-ms|","j":0},{"t":"1d0ea2ec742021d","p":"2bd","e":"0","1":"7\\bvtbin\\tests\\installpackage\\csilogfile.log","j":0},{"t":"1d0ea2ec7421cec","p":"2bd","e":"d","1":"4\\s-1-5-21-730738710-497051466-624655392-1053\\software\\classes\\software\\microsoft\\windows\\currentversion\\deployment\\sidebyside\\2.0\\","j":0},{"t":"1d0ea2ec7452bd6","p":"2bd","e":"d","1":"4\\s-1-5-21-730738710-497051466-624655392-



Comments are closed

Werbung von Drittfirmen (Nicht Butsch Informatik):

Werbung von Drittfirmen via Google Adsense: