Correlation not Triggering for ePO malware events

Hi Everyone,

Today I was trying to create a correlation rule to notify me about multiple/recurring virus detections on a single machine.

My data source is an ePO server integrated as a regular DS instead of an Integrated device.

I've created a correlation as follows:

I've tried various combinations including normalized rule and ID but no luck.

I've tried with and without grouping however no luck.

P.S.: I'm running a 9.6 MR5 Combo Device.

Thank you in advance,


2 Replies
sssyyy (Reliable Contributor)

Re: Correlation not Triggering for ePO malware events

Have you saved and rolled out? Maybe check first in the events to make sure the signature IDs do trigger five times in 30 mins?

Re: Correlation not Triggering for ePO malware events

Hi sssyyy,

Well, I've tried that as it's a common problem. I've tested further and the correlation fails only for short signatures like:



However it works normally with the normal full length signature like:


I did an additional test and it seems that the alarms will be triggered based on both types of signatures, but the correlation would not.
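The rule this thread is after, written as a standalone check so you can confirm what the SIEM should be firing on before blaming the correlation engine. This is an added example, not code from the thread or from McAfee ESM: the 30-minute window and five-detection threshold are taken from sssyyy's reply above, the event records are constructed, and the short and long signature names are made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ePO-style detection records (not real data):
# (timestamp, source host, threat/signature name, normalized category).
SAMPLE_EVENTS = [
    ("2017-03-01 09:00:00", "WS-001", "EICAR", "Malware detected"),
    ("2017-03-01 09:04:00", "WS-001", "EICAR", "Malware detected"),
    ("2017-03-01 09:09:00", "WS-001", "EICAR", "Malware detected"),
    ("2017-03-01 09:15:00", "WS-001", "EICAR", "Malware detected"),
    ("2017-03-01 09:20:00", "WS-001", "EICAR", "Malware detected"),
    ("2017-03-01 10:00:00", "WS-002", "Constructed-Trojan.Downloader.gen.xyz", "Malware detected"),
    ("2017-03-01 10:05:00", "WS-002", "Constructed-Trojan.Downloader.gen.xyz", "Malware detected"),
    ("2017-03-01 10:10:00", "WS-002", "Constructed-Trojan.Downloader.gen.xyz", "Malware detected"),
    ("2017-03-01 10:20:00", "WS-002", "Constructed-Trojan.Downloader.gen.xyz", "Malware detected"),
    ("2017-03-01 10:25:00", "WS-002", "Constructed-Trojan.Downloader.gen.xyz", "Malware detected"),
    ("2017-03-01 11:00:00", "WS-003", "EICAR", "Malware detected"),
    ("2017-03-01 11:45:00", "WS-003", "EICAR", "Malware detected"),
    ("2017-03-01 12:30:00", "WS-003", "EICAR", "Malware detected"),
    ("2017-03-01 12:31:00", "WS-003", "EICAR", "Malware cleaned"),
]

WINDOW = timedelta(minutes=30)  # assumed window: "five times in 30 mins" from the reply
THRESHOLD = 5                   # assumed detection count per host

def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return (host, trigger_time, signatures) for each burst of `threshold`
    detection events from one host inside a sliding `window`."""
    recent = defaultdict(deque)  # host -> recent (timestamp, signature) pairs
    alerts = []
    rows = [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), h, s, c) for ts, h, s, c in events]
    for ts, host, sig, category in sorted(rows):
        if category != "Malware detected":   # only detections count, not clean-ups
            continue
        q = recent[host]
        q.append((ts, sig))
        while ts - q[0][0] > window:        # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((host, ts, [s for _, s in q]))
            q.clear()                        # one alert per burst, then start over
    return alerts

def triggered_hosts(events=SAMPLE_EVENTS):
    """Hosts that fire the rule; signature length plays no part in the match."""
    return sorted({host for host, _, _ in correlate(events)})

if __name__ == "__main__":
    for host, when, sigs in correlate(SAMPLE_EVENTS):
        print(f"{when} {host}: {len(sigs)} detections, signatures={sorted(set(sigs))}")
```

WS-001 (short signature) and WS-002 (long signature) both reach five detections inside 30 minutes and fire; WS-003's three spread-out detections and the "cleaned" event do not, which is the behaviour the correlation rule in ESM should reproduce regardless of signature length.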
