Former Member
Message 1 of 4

VSE 8.7i and Access Protection>User Defined Rules

Hi All, I'm using ePO 4.5, and for my 8.7i policies I have entered a number of new rules under Access Protection>User Defined Rules, which include file and registry blocking rules, and set them to "report" only. My question is: I can't find a way to query or report to show me any "hits" or results from these new rules I created under User Defined. Any ideas? Thank you in advance.

3 Replies
apoling
Reliable Contributor
Message 2 of 4

Re: VSE 8.7i and Access Protection>User Defined Rules

Hi,

The best that I can suggest doing is to report on events where threat type is "access protection" and threat name "Contains: User-defined" (or "User", a string long enough to be non-ambiguous). Threat name contains the exact AP rule name.

Of course, make sure you reproduce an issue that triggers this new rule beforehand (and wait until it is processed and sent up to ePO).

Attila

Former Member
Message 3 of 4

Re: VSE 8.7i and Access Protection>User Defined Rules

Thanks Attila, almost nailed it. I can't see a way to display the user defined rules that are in "reporting" mode. If I set a user defined ruleset to "block" then it displays. Any ideas on capturing "report" only? Thanks a lot!

Former Member
Message 4 of 4

Re: VSE 8.7i and Access Protection>User Defined Rules

Hi,

Check if Event ID 1095 is enabled in Event Filtering (under Server Settings), because only if 1095 is enabled will the report logs be parsed to ePO; otherwise they will not be parsed to ePO.

If Event ID 1095 is enabled, then try with the below.

* Chart type

* Filter
