cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
twenden
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 1 of 6

Way to be alerted about when the OAS is disabled

We are wanting to know if it is possible to get email alerts from EPO when say a virus/user has disabled the On-Access Scanner and that it did not get re-enabled?

In our environment, we allow the user to temporarily disable the OAS for 30 minutes until the EPO policy re-enables it. We are aware that a lot of viruses/trojans will run scripts to disable the OAS. We want to get alerts from EPO to get notified when this occurs.

We do currently get "notification" alerts from EPO about when systems get a virus.
5 Replies
twenden
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 2 of 6

RE: Way to be alerted about when the OAS is disabled

Well, I think I found my answer on the McAfee knowledgebase. Acticle KB41896

It states that you can't get alerted when a user manually disables the OAS. The "On-Access Scanner is disabled" selection under the notification rules is for a malfunction/threat. That explains why it did not send an alert when I manually disabled the OAS on a test workstation.

Not too sure how to test a malfunction/threat to see if it will send the alert.
tonyb99
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 3 of 6

RE: Way to be alerted about when the OAS is disabled

kill mcshield from the system services on a remote machine and see if it generates a notification
twenden
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 6

RE: Way to be alerted about when the OAS is disabled

I have tried to do what you suggested by ending the Mcshield process. I had to modify the access protection rules to allow for mcshield to be removed. This I done using task manager.

It does not seem to send out the alert. Have you managed to get alerts from your EPO 3.6.1 this way? We do get alerts about viruses being detected and users that might uninstall the epo agent etc.
tonyb99
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 5 of 6

RE: Way to be alerted about when the OAS is disabled

tbh i dont even report on those events (have them filtered out) since all that crud with 8.5 starting and stopping all the time
twenden
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 6

RE: Way to be alerted about when the OAS is disabled

Thanks.

It was my boss who wanting to find out if we could get those alerts. She has since told me not to pursue it any more.
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community