Every hour we receive an email with the subject "No change in Virus Data" that also has a body of "No change in virus data."
Where can I modify it so the email does not get generated or only generated if there is an actual threat.
Any help is appreciated,
Run this command on the CLI:
$> acat -e "event AUDIT_R_ALERT and alert_actions email"
You'll see audit events that similar to this:
Feb 17 11:36:55 2016 CST f_auditbotd a_server t_alert p_major
pid: 3110 ruid: 0 euid: 0 pgid: 3110 logid: 0 cmd: 'auditbotd'
domain: Abot edomain: Abot hostname: sw1.fwdomain.com event: alert triggered
alert_name: Type Enforcement alert_type: Attack num_events: 1
start_time: Wed Feb 17 11:36:55 2016 end_time: Wed Feb 17 11:36:55 2016
sacap_filter: (event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM)
"Alerts" on the firewall are triggered by audit events; the 'sacap_filter' (Sidewinder audit capture filter) you see there is the audit filter that the auditbot daemon (auditbotd) watches the audit stream for and then triggers an alert_action if an audit event happens which matches that filter.
These alerts are configured in two places in the GUI under Monitor and then "Attack Responses" at v8 (called "IPS Attack Responses" at version 7) and "System Responses" (both versions). You are matching something from one of those two places. In my test I matched an Attack Response named "Type Enforcement" (you can see after the "alert_name" there is a field called "alert_type" and mine says "Attack;" the other type is "System.")
I've disabled the Attack Response "Type Enforcement" However here is my issue. If the event being generated is in fact from Type Enforcement.. now i won't see whenever somebody tries to make a change to the firewall via CLI and doesn't have permissions. As that type of event is also a Type Enforcement. So is there any way to disable specific "Type Enforcement events" and leave the attack type as enabled?
Running the above command does not show me any events at the time these emails are being generated. The email is generated every hour. So i don't believe this is an Attack Response / System Response. I believe it to be something else.
if i run mail -f username
I am able to see the details of the message but the smtp wasn't setup yet so all the emails were saying host unknown. The emails go back to 2013. So I'm attempting to clean out the mailbox and see what the new one looks like...
Oh, yes! I forgot about the other places you can input an email address, namely for any third-party updates on the firewall (like A/V updates).
At version 7 you can configure an email address for A/V updates under Policy -> Application Defenses -> Virus Scanning (the 'Enable Email Notification' box). At version 8 this is set under Maintenance -> Updates -> click 'A/V updates' at the top (it is selected by default). Remove the email address you have specified there.