Automatic e-mails too sensitive...firing every few minutes.

Hello... just upgraded to ePO 4.5 and have configured a notification event to send an e-mail when a threat is detected and not handled. I have the rule set as follows:

Defined at: My Organization

Threat Type equals virus, trojan, adware, p2p client, password cracker, rootkit or spyware
and threat handled equals false
and detecting product name equals virusscan enterprise
and threat severity equals alert

I am receiving alerts on all kinds of items which I know are normal activity, such as DameWare, autorun on discs, and even McAfee files:

Dameware: Virus
agtmetadet.mcs (McAfee EPOAgent3000Meta): Virus
netterm.exe: virus
\Network Associates\Common Framework\UpdateHistory.ini: virus
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\AgentEvents\20100721151337761000008E0.txml: virus

Should I set Threat Severity to Critical? Any other ideas?


Message was edited by: aquilisdicio on 7/21/10 2:28:35 PM CDT

7 Replies
apoling
Level 14
Message 2 of 8

Re: Automatic e-mails too sensitive...firing every few minutes.

Jump to solution

Hi,

you are likely to get some e-mails on occasions when VirusScan cannot finish scanning an item, thus "marking" this item as infected. This is likely what is happening with your McAfee files. Please exclude these files from OAS scanning.

Also please filter (or exclude from the query) the events "Scan Timed Out" and/or "Unable to scan password protected", because these can happen quite frequently and can also trigger your response unnecessarily.

Attila

Re: Automatic e-mails too sensitive...firing every few minutes.

I'll give it a try.  Thanks.

Re: Automatic e-mails too sensitive...firing every few minutes.

Still getting false alerts...newest one is:

Object: C:\Program Files\McAfee\VirusScan Enterprise\mytilus3.dll

Should I change the sensitivity level or Artemis level? I have it set the same as it was when we were running ePO 4.0 and not having this problem.

apoling
Level 14
Message 5 of 8

Re: Automatic e-mails too sensitive...firing every few minutes.

Artemis gives names for findings like Artemis!xxxx; if this is the case with mytilus3.dll, then you can try decreasing the Artemis level (what is it set to, by the way? I think Medium is recommended; higher would likely give more false positives).

I also recommend inserting more event variables into the automatic alert message even if temporarily for diagnostic reasons, event code should be there and such like. Please next time copy the full alert message so we can take a look.

Attila

Re: Automatic e-mails too sensitive...firing every few minutes.

Computer Name: *****

IP Address:  *****

Object: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\2010072310105436300000C14.txml

Process Name: 

Threat Name: 

Detection Method: OAS

Username: NT AUTHORITY\SYSTEM

Threat Type: Virus

Event Code:  1059

Re: Automatic e-mails too sensitive...firing every few minutes.

Starting to see more come in... all with event code 1059. I looked up the code:

"The scan of %FILENAME% has taken too long to complete and is being canceled. Scan engine version used is %ENGINEVERSION% DAT version %DATVERSION%."

I will exclude this event code from my e-mail alerts. Is this a common occurrence?
apoling
Level 14
Message 8 of 8 (accepted solution)

Re: Automatic e-mails too sensitive...firing every few minutes.

We see this event quite often on servers (because Microsoft Operations Manager alerts for this event come regularly). I would not say this is a very common event as sometimes I get it very often but sometimes weeks can pass without it. I would by all means filter this event from getting into ePO database.
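The thread converges on filtering by event code rather than by threat type or severity: a VSE event 1059 ("scan timed out") is reported with Threat Type "Virus" and an empty Threat Name, so any rule keyed only on threat type will page on it. The natural place to drop it is ePO's own event filtering, as apoling suggests, but the following script shows the same triage logic applied to the notification bodies posted above. It is an added example written for this page, not McAfee or ePO code. It assumes the "Field: value" one-line-per-field layout shown in the thread; only event code 1059 is taken from the thread, the second sample's event code and the "empty Threat Name means scanner status, not detection" heuristic are the example's own constructed assumptions.

```python
"""Triage filter for ePO automatic-response e-mail bodies.

Added example for this thread, not ePO code. Layout of the alert body
follows the message posted in the thread; everything else is assumed.
"""
import re

# Event codes treated as scanner status messages rather than detections.
# 1059 is VSE's "scan has taken too long to complete and is being canceled"
# (looked up in the thread). Add other codes only after confirming their
# meaning in your own ePO event log; the set is deliberately small here.
SUPPRESSED_EVENT_CODES = {1059}

# One "Key: value" field per line, as in the alert body posted above.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?):\s*(?P<value>.*)$")

# Constructed sample alerts in the posted format. The first mirrors the
# real 1059 event from the thread; the other two are made up for the test
# (event code 1278 is a placeholder for "a real detection", not a documented
# VSE code).
SAMPLE_ALERTS = [
    r"""Computer Name: WS-001
IP Address: 10.0.0.5
Object: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\2010072310105436300000C14.txml
Process Name:
Threat Name:
Detection Method: OAS
Username: NT AUTHORITY\SYSTEM
Threat Type: Virus
Event Code: 1059""",
    r"""Computer Name: WS-002
IP Address: 10.0.0.6
Object: C:\Documents and Settings\jdoe\Desktop\invoice.exe
Process Name: explorer.exe
Threat Name: Artemis!1A2B3C4D5E6F
Detection Method: OAS
Username: CORP\jdoe
Threat Type: Trojan
Event Code: 1278""",
    r"""Computer Name: WS-003
IP Address: 10.0.0.7
Object: C:\Program Files\McAfee\VirusScan Enterprise\mytilus3.dll
Process Name:
Threat Name:
Detection Method: OAS
Username: NT AUTHORITY\SYSTEM
Threat Type: Virus""",
]


def parse_alert(body: str) -> dict:
    """Turn one notification body into a dict of its fields (empty values kept)."""
    fields = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def triage(alert: dict) -> str:
    """Return 'suppress', 'notify' or 'review' for one parsed alert.

    Assumption (the example's heuristic, not ePO behaviour): a genuine
    detection carries a Threat Name; an alert without one that is not on
    the suppression list goes to a review queue instead of paging, so a
    misconfigured or truncated alert is never silently dropped.
    """
    code = alert.get("Event Code", "")
    if not code.isdigit():
        return "review"  # missing or malformed code: a human should look
    if int(code) in SUPPRESSED_EVENT_CODES:
        return "suppress"  # scanner status event, not a detection
    if not alert.get("Threat Name"):
        return "review"
    return "notify"


def triage_all(bodies) -> list:
    """Triage a batch of bodies; returns (object path, decision) pairs."""
    return [(a.get("Object", "?"), triage(a)) for a in map(parse_alert, bodies)]


if __name__ == "__main__":
    for obj, decision in triage_all(SAMPLE_ALERTS):
        print(f"{decision:8s} {obj}")
```

Suppressing on event code rather than on the object path is the point: excluding the McAfee framework directories from OAS stops those particular files timing out, but the same 1059 event will surface on any large or locked file, so the filter has to key on the code.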