I received a "malware detected and handled" email report for a Server 2003 host and it had the source IP address, but the Source Host was listed as "_".
I was able to look up the server manually from the IP address, but is there some way to fix this so it's included in the report? It did include the host name on a Windows 7 workstation.
Also, the report doesn't say what it did to fix the issue other than that it was "handled." Is there a configuration that will be more specific and say exactly what was done?
on 7/18/12 9:35:24 AM CDT
The Threat Source Host Name is returning "_" because there isn't a source for the detection logged by VSE. This is expected behavior; there is not always a source.
It depends how the threat was detected. If the threat was detected coming from a remote computer, as in, a remote computer trying to write an infected file to the target computer where VSE is making the detection, then yes, the report should tell you the Threat Source Host Name.
However, if the threat was detected locally, as in, the infected file being run and detected on the local hard drive, this field will not be populated because the threat did not come from a remote source (previously it was left blank, but that caused some ePO reports to fall over). In this case, you'd be looking at Threat Target Host Name to find out the system name where the detection occurred. (if I remember correctly?)
There is no configuration to make the report more specific, i.e. to state how it has been handled.
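As an added example, not part of this thread and not McAfee's own tooling: a short Python script that applies the fallback described in the answer above to an exported list of threat events. When the source host is "_" or empty, the detection was local and the Target Host Name is the machine you want; otherwise the source host is a remote writer. The column names are assumptions modeled on the ePO threat-event fields named in the thread, and the rows are constructed sample data.

```python
import csv
import io

# Constructed sample export. Column names are assumptions modeled on the
# ePO threat-event fields discussed in the thread; values are made up.
SAMPLE_EXPORT = """DetectedUTC,SourceHostName,SourceIPV4,TargetHostName,TargetIPV4,ThreatName,ThreatActionTaken
2012-07-18T09:30:01,_,10.0.0.7,SRV2003-01,10.0.0.7,EICAR test file,deleted
2012-07-18T09:31:44,WS-WIN7-22,10.0.0.55,SRV2003-01,10.0.0.7,EICAR test file,deny write
2012-07-18T09:33:10,,10.0.0.9,WS-WIN7-09,10.0.0.9,Generic.dx,cleaned
"""

# Both the "_" placeholder (current behavior per the answer) and a blank
# (older behavior) mean "no remote source for this detection".
NO_SOURCE = {"", "_"}


def detection_host(event):
    """Return (hostname, origin) for one event row.

    origin is "remote" when a remote computer wrote the file to the target,
    or "local" when the file was detected on the target's own disk and the
    Target Host Name is the only system name available.
    """
    src = (event.get("SourceHostName") or "").strip()
    if src in NO_SOURCE:
        return event["TargetHostName"].strip(), "local"
    return src, "remote"


def summarize(export_text):
    """Parse a CSV export and resolve the host for every event."""
    rows = []
    for ev in csv.DictReader(io.StringIO(export_text)):
        host, origin = detection_host(ev)
        rows.append({
            "when": ev["DetectedUTC"],
            "host": host,
            "origin": origin,
            "target": ev["TargetHostName"],
            "threat": ev["ThreatName"],
            "action": ev["ThreatActionTaken"],
        })
    return rows


def count_by_host(rows):
    """Detections per resolved host, useful for spotting a noisy machine."""
    counts = {}
    for r in rows:
        counts[r["host"]] = counts.get(r["host"], 0) + 1
    return counts


if __name__ == "__main__":
    resolved = summarize(SAMPLE_EXPORT)
    for r in resolved:
        print(f'{r["when"]}  {r["host"]:<12} ({r["origin"]:<6}) '
              f'target={r["target"]:<12} {r["threat"]}: {r["action"]}')
    print(count_by_host(resolved))
```

The first row reproduces the situation in the question: source is "_", so the script reports SRV2003-01 from the target field instead of leaving the reader to resolve the IP by hand. The second row shows the remote case, where the source host is a workstation writing to the same server.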