
understanding handled / not handled, blocked / not blocked

I have an AV event of minor severity. Under 'handled', it says 'true'. On the same event properties screen, it says that 'this is not an IPS event', and that 'event was NOT blocked.'


I take this to mean that the threat has been neutralized by AV, since handled was true, and that, since it was not an IPS event, it is not a concern that it was not blocked.


Correct?

Thanks!

3 Replies

Re: understanding handled / not handled, blocked / not blocked

Anyone?

wwarren

Re: understanding handled / not handled, blocked / not blocked

If you're able to get the actual event ID that's being interpreted here, I could tell you if the threat was handled or if the system warrants a closer look.

William W. Warren | S.I.R.R. | Customer Success Group | McAfee

Re: understanding handled / not handled, blocked / not blocked

I have found the answer for this.

If you have an AV event that does not precipitate a specific action to be taken, it will merely be logged. So, in the case above, an event of minor severity was noted, and addressed by AV. In this case, it was merely logged. Therefore, it was considered to have been "handled".

It was not an IPS event, but that is not what determined that it was blocked or not blocked. If AV policy were set to block minor severity events on the ePO server in question, it would have been blocked and would have reported as having been blocked.