We have just started to take a look at the new Endpoint Security Threat Prevention 10.1.0.5623. However, I am unable to see any threats that are detected from the client side. We are running with ePO 5.3.1 and Mac Agent 184.108.40.206.
To test threat detection and reporting, I will go to the client and invoke the EICAR test virus. The client will get a popup that it detected the EICAR virus. After detection, I will do an agent wake-up call. On the ePO side, I don't see this EICAR threat being reported under the queries or the Threat Events for that particular system. We also have automatic responses set to send an email alert but we don't get this.
If I uninstall and install EPM 2.3 then we get the virus alerts under ePO. Not too sure what is going on but it is stopping me from wanting to utilize this updated version.
There are specific queries/dashboards for ENS. We have ePO 5.3.2 and are testing ENS 10.2.0. All our VirusScan malware emails come in via automated responses, but Endpoint does not. Looks like I'll have to set up custom queries to get this to occur for Endpoint which is unfortunate because it was all working well for VSE.
FWIW, I'm running both VSE and ENS (in the middle of transitioning to 10.5 Win/10.2 Mac & Linux), and I just specify "Threat Category --> belongs to --> Malware Detected", and I get e-mail alerts from both products from the one automatic response rule.
McAfee has an event troubleshooting guide that should help: https://kc.mcafee.com/corporate/index?page=content&id=KB53035e
Thanks for the link. If I can't get it figured out I guess it just means another call to support. We've tried Eicar's and even real threats and while it is definitely logged in ePO, the events from ENS never get emails but the VSE ones are going out. Doesn't make any sense to me.
Just so you know I'm not crazy, the event gets to ePO and gets parsed and is viewable as an event under the "Threat Events" tab for the endpoint:
Threat Event Log Information
Events received from managed systems
Host IPS 8.0 Event Information
Additional Event details from VirusScan Enterprise
ATD Event Log Information
Looks like another call to support...
Turns out the names have changed for some of the events. Instead of "Delete" or "Deleted", ENS uses "IDS_ALERT_ACT_TAK_DEL", and my rules were set too restrictively to allow those events to be emailed.
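As an added example that is not part of the thread or of any McAfee tooling: a small check that compares the action values actually present in a Threat Event Log export against the action names an automatic response rule filters on, so a renamed action like the one above shows up as a gap before alerts silently stop. The CSV column names and the export sample are constructed assumptions; the action values and the category-based alternative come from the posts above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Threat Event Log export (not real ePO output).
# Column names are assumptions; the action values are the ones named in the thread.
SAMPLE_EXPORT = """product,threat_category,action_taken
VirusScan Enterprise,Malware Detected,Deleted
VirusScan Enterprise,Malware Detected,Delete
Endpoint Security Threat Prevention,Malware Detected,IDS_ALERT_ACT_TAK_DEL
Endpoint Security Threat Prevention,Malware Detected,IDS_ALERT_ACT_TAK_DEL
"""

# Action names the too-restrictive rule in the thread matched on.
RULE_ACTIONS = {"Delete", "Deleted"}


def actions_by_product(export_text):
    """Map each product in the export to the set of action values it reported."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        seen[row["product"]].add(row["action_taken"])
    return dict(seen)


def uncovered_actions(export_text, rule_actions):
    """Action values present in the export that an action-name filter would never
    match, grouped by product. An empty dict means every observed action is covered."""
    gaps = {}
    for product, actions in actions_by_product(export_text).items():
        missing = actions - set(rule_actions)
        if missing:
            gaps[product] = sorted(missing)
    return gaps


def events_missed_by_category(export_text, category):
    """Count events a category-based filter ('Threat Category belongs to <category>')
    would drop; this is the product-independent rule suggested in the thread."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    return sum(1 for row in rows if row["threat_category"] != category)


if __name__ == "__main__":
    print(uncovered_actions(SAMPLE_EXPORT, RULE_ACTIONS))
    print(events_missed_by_category(SAMPLE_EXPORT, "Malware Detected"))
```

Run it against a real export after each product upgrade; any product listed in the result has action names your rule no longer recognises.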