I have been tracking about eight (8) systems that were reported as having infected files that McAfee could not handle. Some of the systems were re-imaged and added back to the network. I verified that they were back on the network. In the VSE: Detection Response Summary, it still shows that the system is still there with a very old "Last Communication" date and time.
How is data in this query and others updated so that, as systems get remediated and added back to the network, we don't succumb to false reporting?
Is there a refresh procedure or something that will allow systems that are remediated to fall off the queries and report (VSE: Detection Response Summary -- not handled)?
It will show as it was reported on previous days, and the query is taking data from the DB. Better to purge that machine's threat event log through an ePO server task.
"with a very old "Last Communication" date and time" leads me to believe you also now have two systems/objects in ePO (one old/infected and one new/reimaged). If you're not cleaning up duplicates, you will probably want to delete the old system from ePO, especially if you are monitoring things like DAT compliance. There is a pre-defined Query called Duplicate System Names to make it easier to find.
That was one of the other things that we found as we did more research. Once we deleted the duplicates, there were quite a few things that went away. The Duplicate System Names and I are best friends.