One of the most common questions we get about ePO is "what should my operations/helpdesk team be looking at in ePO?" If VirusScan and ePO are doing their job properly, malware is cleaned and business continues as usual. But there are cases where VirusScan needs some assistance to fully remove an infection, and that is where the operations or helpdesk team comes in. Each threat event carries a property called "threat handled", which is true or false depending on whether VirusScan was able to clean the machine on its own. Machines with a "not handled" event may need a reboot, a newer DAT file (one that contains the proper removal instructions) or manual intervention. In theory the number of infections that are "not handled" should be very low. You can of course report on all machines where threats were not handled, but that is a global number that could reach back six months and is not very actionable. We take this a step further by narrowing it down to a 24-hour period and filtering out some noise, as shown below.
Then we create the same query for a 48-hour period but NOT the last 24 hours (below), which is mildly confusing at first. The purpose is to put the two queries next to each other for visual comparison. Why can't we just look at one of them and assume those are the machines we need to take action on? Because the results of the 24-hour query are still in flux: an event that shows up there now may resolve itself and no longer need action. For example, if a machine receives a new DAT file that tells it how to properly clean the infection, you will no longer need to visit the machine. Likewise, a machine may only need a reboot to have the infection removed. Either situation removes the need for a visit. That's why we do a visual comparison of both queries: if we see the same machine in both, we ASSUME it is still not fully cleaned after 48 hours and may need manual intervention. If it only appears in one of the two, there is a good chance it will be fully cleaned within a few hours.
Here is what the final dashboard looks like. The top two queries list the results by infection name and the bottom two list them by machine name.
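The same two-window comparison, written out as code so the logic behind the four dashboard panels is explicit. This is an added example, not something from the original post or from ePO itself: the event records are constructed, the field names (host, threat, handled, detected) are an assumption standing in for whatever your threat-event query exports, the noise filter is a placeholder list of threat names, and the fixed clock is there only so the output is reproducible. It implements the "last 24 hours" query, the "48 hours but not the last 24" query, the per-threat and per-host counts shown on the dashboard, and the step the post does by eye: intersecting the two host lists to find machines that are still dirty after 48 hours.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumption: a fixed "now" so the constructed sample is reproducible.
# In practice use datetime.now(timezone.utc).
NOW = datetime(2012, 3, 12, 9, 0, tzinfo=timezone.utc)

# Constructed threat events in the shape a threat-event query might export.
# Field names are illustrative, not the real ePO schema.
EVENTS = [
    {"host": "WS-0101", "threat": "W32/Conficker.worm", "handled": False, "detected": NOW - timedelta(hours=3)},
    {"host": "WS-0101", "threat": "W32/Conficker.worm", "handled": False, "detected": NOW - timedelta(hours=30)},
    {"host": "WS-0202", "threat": "Generic.dx",         "handled": False, "detected": NOW - timedelta(hours=5)},
    {"host": "WS-0303", "threat": "Exploit-PDF",        "handled": False, "detected": NOW - timedelta(hours=40)},
    {"host": "WS-0404", "threat": "Cookie-Tracker",     "handled": False, "detected": NOW - timedelta(hours=2)},
    {"host": "WS-0505", "threat": "W32/Sality",         "handled": True,  "detected": NOW - timedelta(hours=1)},
    {"host": "WS-0606", "threat": "Generic.dx",         "handled": False, "detected": NOW - timedelta(hours=60)},
]

# Assumption: the "noise" filtered out is a site-specific list of threat names
# that never justify a desk visit. Adjust to your own environment.
NOISE_THREATS = {"Cookie-Tracker"}


def unhandled_in_window(events, now, oldest_hours, newest_hours=0, noise=NOISE_THREATS):
    """Unhandled, non-noise events detected in (now - oldest_hours, now - newest_hours]."""
    start = now - timedelta(hours=oldest_hours)
    end = now - timedelta(hours=newest_hours)
    return [e for e in events
            if not e["handled"]
            and e["threat"] not in noise
            and start < e["detected"] <= end]


def last_24h(events, now=NOW):
    """The 'threats not handled in the last 24 hours' query."""
    return unhandled_in_window(events, now, oldest_hours=24)


def previous_24h(events, now=NOW):
    """The '48 hours but NOT the last 24 hours' query: the window (now-48h, now-24h]."""
    return unhandled_in_window(events, now, oldest_hours=48, newest_hours=24)


def count_by(events, field):
    """One dashboard panel: number of unhandled events per threat name or per host."""
    return dict(Counter(e[field] for e in events))


def needs_intervention(events, now=NOW):
    """Hosts present in both windows, i.e. still not cleaned after 48 hours."""
    recent = {e["host"] for e in last_24h(events, now)}
    earlier = {e["host"] for e in previous_24h(events, now)}
    return sorted(recent & earlier)


if __name__ == "__main__":
    # The four panels of the dashboard, then the list a technician would act on.
    print("last 24h by threat:  ", count_by(last_24h(EVENTS), "threat"))
    print("24-48h by threat:    ", count_by(previous_24h(EVENTS), "threat"))
    print("last 24h by host:    ", count_by(last_24h(EVENTS), "host"))
    print("24-48h by host:      ", count_by(previous_24h(EVENTS), "host"))
    print("needs intervention:  ", needs_intervention(EVENTS))
```

In the sample, WS-0101 reports the same unhandled threat in both windows and is the only host returned by needs_intervention; WS-0202 and WS-0303 each appear in one window only, so by the post's reasoning they get a few more hours before anyone is dispatched. The handled event on WS-0505, the noise event on WS-0404 and the 60-hour-old event on WS-0606 are excluded before either panel is built, which is the same filtering the queries do in ePO. The intersection is keyed on host rather than on host plus threat name, matching the way the post reads the two machine-name panels side by side; key it on both if you want to distinguish a machine that keeps reporting the same infection from one that picked up a new one.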