McAfee Enterprise Firewall email issue

Every hour we receive an email with the subject "No change in Virus Data" that also has a body of "No change in virus data."

Where can I modify it so the email does not get generated, or is only generated if there is an actual threat?

Any help is appreciated,



Re: McAfee Enterprise Firewall email issue

Run this command on the CLI:

$> acat -e "event AUDIT_R_ALERT and alert_actions email"

You'll see audit events that look similar to this:

Feb 17 11:36:55 2016 CST  f_auditbotd a_server t_alert p_major

pid: 3110 ruid: 0 euid: 0 pgid: 3110 logid: 0 cmd: 'auditbotd'

domain: Abot edomain: Abot hostname: event: alert triggered

alert_name: Type Enforcement alert_type: Attack num_events: 1

start_time: Wed Feb 17 11:36:55 2016 end_time: Wed Feb 17 11:36:55 2016

sacap_filter: (event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM)

alert_actions: email

"Alerts" on the firewall are triggered by audit events; the 'sacap_filter' (Sidewinder audit capture filter) you see there is the audit filter that the auditbot daemon (auditbotd) watches the audit stream for and then triggers an alert_action if an audit event happens which matches that filter.

These alerts are configured in two places in the GUI under Monitor and then "Attack Responses" at v8 (called "IPS Attack Responses" at version 7) and "System Responses" (both versions).  You are matching something from one of those two places.  In my test I matched an Attack Response named "Type Enforcement" (you can see after the "alert_name" there is a field called "alert_type" and mine says "Attack;" the other type is "System.")
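Added example, not part of the original reply and not vendor code: one way to check saved output of the acat command above for a response that sends email on an hourly cadence. It assumes the output was saved as text in the layout of the event shown; the function names, the 120-second tolerance and the "Constructed Hourly" alert are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

HEADER = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4})\b")
KEY = re.compile(r"\b([a-z_]+):(?= |$)")  # field names; skips 11:36:55

def parse_records(text):
    """Split audit text into one dict per event (fields plus '_time')."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        head = HEADER.match(line)
        if head:  # timestamp line starts a new event
            stamp = " ".join(head.group(1).split())
            records.append({"_time": datetime.strptime(stamp, "%b %d %H:%M:%S %Y")})
        elif records:  # "key: value key: value" continuation line
            keys = list(KEY.finditer(line))
            for cur, nxt in zip(keys, keys[1:] + [None]):
                end = nxt.start() if nxt else len(line)
                records[-1][cur.group(1)] = line[cur.end():end].strip()
    return records

def email_alert_times(records):
    """Map (alert_type, alert_name) to sorted trigger times of emailing alerts."""
    hits = defaultdict(list)
    for r in records:
        if "email" in re.split(r"[,\s]+", r.get("alert_actions", "")):
            hits[(r.get("alert_type"), r.get("alert_name"))].append(r["_time"])
    return {k: sorted(v) for k, v in hits.items()}

def hourly_candidates(hits, tolerance=120):
    """Alerts with 3+ triggers whose gaps all sit within tolerance of 3600 s."""
    out = []
    for key, times in hits.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and all(abs(g - 3600) <= tolerance for g in gaps):
            out.append(key)
    return out

# Constructed sample in the layout of the event shown above (values invented).
_REC = ("Feb 17 {t} 2016 CST  f_auditbotd a_server t_alert p_major\n"
        "alert_name: {n} alert_type: {ty} num_events: 1\n"
        "alert_actions: email\n")
_ROWS = [(t, "Constructed Hourly", "System") for t in ("09:00:05", "10:00:04", "11:00:06")]
_ROWS.append(("11:36:55", "Type Enforcement", "Attack"))
SAMPLE = "".join(_REC.format(t=t, n=n, ty=ty) for t, n, ty in _ROWS)

if __name__ == "__main__":
    print(hourly_candidates(email_alert_times(parse_records(SAMPLE))))
```

An empty result means no Attack Response or System Response in the saved output lines up with the hourly email, so the sender has to be looked for elsewhere in the configuration.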

Re: McAfee Enterprise Firewall email issue

I've disabled the Attack Response "Type Enforcement". However, here is my issue. If the event being generated is in fact from Type Enforcement, now I won't see whenever somebody tries to make a change to the firewall via CLI and doesn't have permissions, as that type of event is also a Type Enforcement. So is there any way to disable specific "Type Enforcement events" and leave the attack type as enabled?


Re: McAfee Enterprise Firewall email issue

I used the 'Type Enforcement' Attack Response only as an example.  You need to run the commands I gave you to determine which Response is triggering the email on your system.

Re: McAfee Enterprise Firewall email issue

Running the above command does not show me any events at the time these emails are being generated.  The email is generated every hour.  So I don't believe this is an Attack Response / System Response.  I believe it to be something else.

If I run mail -f username

I am able to see the details of the message, but SMTP wasn't set up yet, so all the emails were saying host unknown.  The emails go back to 2013.  So I'm attempting to clean out the mailbox and see what the new one looks like...

Re: McAfee Enterprise Firewall email issue

I figured it out.  Under Maintenance - Updates there is the A/V signatures.  That would be the email that is generated every hour.  I'll disable email notification on that.


Re: McAfee Enterprise Firewall email issue

Oh, yes!  I forgot about the other places you can input an email address, namely for any third-party updates on the firewall (like A/V updates).

At version 7 you can configure an email address for A/V updates under Policy -> Application Defenses -> Virus Scanning (the 'Enable Email Notification' box).  At version 8 this is set under Maintenance -> Updates -> click 'A/V updates' at the top (it is selected by default).  Remove the email address you have specified there.
