Automatic Response for threat is not working

Hello,

I am currently on ePO 5.9 and I am working with Automatic Responses in order to send an email notification when malware is detected. I tried everything but the same is not working and I am not getting the email for the same. I made the settings below:

Description: Event Group: 'ePO Notification Events'; Event Type: 'Threat'

Filter: Threat Category belongs to: 'Malware Detected'.

 

Please note: server tasks and other responses, like 'Master repository update succeeded', are working fine.

I have both VSE and ENS.

Accepted Solutions
McAfee Employee cdinet
Message 12 of 13

Re: Automatic Response for threat is not working

That's good. Yes, there is currently an issue being investigated where the responses don't trigger if there are multiple groups configured in the "Defined At" section. So setting them to a single group is the current workaround.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

12 Replies
McAfee Employee LKS
Message 2 of 13

Re: Automatic Response for threat is not working

Hi vineet21,

Have you configured the SMTP server in ePO? Can you successfully send a test mail from the email server configuration page under Server Settings?

Was my reply helpful?

If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a Solution" if this reply resolves your query!

 

Re: Automatic Response for threat is not working

Hi,

Yes, the SMTP server has already been configured and I am able to send the test email. I am getting daily emails for configured server tasks.

The problem is that only the threat response is not working.

McAfee Employee LKS
Message 4 of 13

Re: Automatic Response for threat is not working

Great, then a couple of things to check. If it is a particular task not triggering email, then the issue could be either in the task configuration or the output format (maybe).

* Can you duplicate that task and check if it is triggering email?

* The Orion log is the best place to see what's going on when the task initiates. In case you do not find anything, Orion debug may need to be enabled.

 

 

Re: Automatic Response for threat is not working

Hi,

-> Tried creating a new response but no luck.

-> Checked the Orion log but didn't find anything.

Please suggest if I need to change any settings at the threat policy level.

13:30:28,999 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@a3119b0f
at com.mcafee.epo.notifications.dispatcher.NotificationUtil.findDefinedAtNodeId(NotificationUtil.java:134)
at com.mcafee.epo.notifications.dispatcher.ThreatNotification.makeWhereClause(ThreatNotification.java:278)
at com.mcafee.epo.notifications.dispatcher.DefinedAtNotification.execute(DefinedAtNotification.java:50)
at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherService.fireAllEvents(NotificationDispatcherService.java:20)
at com.mcafee.epo.notifications.dispatcher.NotificationDispatcherInternalTask.run(NotificationDispatcherInternalTask.java:30)
at com.mcafee.orion.scheduler.engine.InternalTaskWrapper.run(InternalTaskWrapper.java:28)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
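
Added example (not part of the original thread, and not McAfee code): because a failed automatic response sends nothing, the Orion log is the only place the failure shows up. The Python sketch below groups each timestamped log line with its stack trace and reports ERROR entries from the notification dispatcher with their root exception. The line layout is assumed from the excerpt above; the sample text and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the first ERROR entry is abridged from the log excerpt posted
# above; the INFO line and the second ERROR entry are invented for illustration.
SAMPLE_LOG = """\
13:29:28,100 INFO  [scheduler-InternalTask-thread-3] task.Example - constructed filler line
13:30:28,999 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@a3119b0f
at com.mcafee.epo.notifications.dispatcher.NotificationUtil.findDefinedAtNodeId(NotificationUtil.java:134)
at com.mcafee.epo.notifications.dispatcher.ThreatNotification.makeWhereClause(ThreatNotification.java:278)
13:31:28,997 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.
com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@0badc0de
at com.mcafee.epo.notifications.dispatcher.NotificationUtil.findDefinedAtNodeId(NotificationUtil.java:134)
"""

ENTRY = re.compile(r"^(\d\d:\d\d:\d\d,\d{3})\s+(\w+)\s+\[([^\]]+)\]\s+(\S+)\s+-\s+(.*)$")
EXC = re.compile(r"^([\w.$]+(?:Exception|Error)):\s*(.*)$")

def parse_entries(text):
    """Group each timestamped line with the stack-trace lines that follow it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            keys = ("time", "level", "thread", "logger", "message")
            entries.append(dict(zip(keys, m.groups()), trace=[]))
        elif entries and line.strip():
            entries[-1]["trace"].append(line.strip())
    return entries

def dispatcher_failures(entries):
    """Return ERROR entries logged by the notification dispatcher, with root cause."""
    failures = []
    for e in entries:
        if e["level"] != "ERROR" or not e["logger"].startswith("dispatcher."):
            continue
        exc = next((m for m in map(EXC.match, e["trace"]) if m), None)
        frames = [t[3:] for t in e["trace"] if t.startswith("at ")]
        failures.append({
            "time": e["time"],
            "logger": e["logger"],
            "exception": exc.group(1).rsplit(".", 1)[-1] if exc else None,
            # Object hashes such as @a3119b0f differ per run; mask them for grouping.
            "detail": re.sub(r"@[0-9a-f]+", "@<id>", exc.group(2)) if exc else None,
            "top_frame": frames[0] if frames else None,
        })
    return failures

def summarize(failures):
    """Count failures per (logger, exception, detail) so repeats stand out."""
    return Counter((f["logger"], f["exception"], f["detail"]) for f in failures)
```

Calling `summarize(dispatcher_failures(parse_entries(text)))` on the log text gives one counter key per distinct failure, which makes a rule that aborts on every dispatcher cycle easy to spot.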

McAfee Employee YashT
Message 6 of 13

Re: Automatic Response for threat is not working

Hello @vineet21 ,

Thank you for the logs,

The logs say: 13:30:28,999 ERROR [scheduler-InternalTask-thread-15] dispatcher.ThreatNotification - Error processing notification. Operation aborted.

Your issue looks similar to the article below.

All ePO 'Threat Notification' automatic responses stop working when you enable a Host Intrusion Prevention 8.0 'Automatic Response'
Technical Articles ID: KB77567

Kindly note this is applicable for:
McAfee ePolicy Orchestrator (ePO) 5.x
McAfee Host Intrusion Prevention (Host IPS) 8.0

 

This issue is resolved in Host IPS 8.0 Patch 6, which is available by logging in to the ServicePortal at: https://support.mcafee.com/downloads.

Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!

Thanks and regards,
Yash T
McAfee Employee LKS
Message 7 of 13

Re: Automatic Response for threat is not working

Hi vineet21,

The error below seems like there is some problem with the rule condition. Could you please show us a screenshot of the configuration?

com.mcafee.epo.notifications.dispatcher.UnsupportedRuleConditionException: Multiple SexpDescendsFrom in sexp: com.mcafee.orion.core.query.sexp.ops.SexpAnd@a3119b0f

Reliable Contributor bodysoda
Message 8 of 13

Re: Automatic Response for threat is not working

@vineet21, here is an example of a working automatic response, both SNMP & email. Try to replicate the information on your ePO and report back your findings.

 

2019-12-11 14_47_38-ePolicy Orchestrator 5.10.0.jpg

 

2019-12-11 14_48_28-ePolicy Orchestrator 5.10.0.jpg

In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
McAfee Employee cdinet
Message 9 of 13

Re: Automatic Response for threat is not working

Are there multiple "Defined At" filters defined? If so, test by just using My Organization and see if the notification triggers.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?

Re: Automatic Response for threat is not working

Hi All,

Thanks for your suggestions and solutions.

Automatic responses for threats are working now. Earlier, multiple auto responses were configured based on different BIUs. I have deleted them all and configured them again. I don't know what the issue was, but the same is working now after reconfiguration.

 
