E-mail alerts - share and discuss your scripts!

I'm not happy with the alerts that we currently have in use and I'm not having much luck configuring them the way I want them. I figured it might be cool if people posted the syntax for their alerts and how they end up coming out, so that maybe other users like myself could come away with some useful ideas.

For example: We have an alert set up that will e-mail us if detections are found and not removed, if they involve at least one host and there are at least two detections. So our syntax looks like this:

Affected Computer Names: {AffectedComputerNames}
Source of Infection(s): {SourceComputers}
ePolicy Orchestrator Notification Rule: {NotificationRuleName}
Rule Defined At: {BranchNodePath}
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

Number of events: {ReceivedNumEvents}
Source computer IP addresses: {SourceComputers}
Actual threat names: {ReceivedThreatNames}
Actual products: {ReceivedProductFamilies}

The e-mail that is generated looks like this:
---------------------------------------
Affected Computer Names: LAPTOP1
Source of Infection(s): Not Available
ePolicy Orchestrator Notification Rule: Virus detected and not removed
Rule Defined At: Directory
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

Number of events: 71
Source computer IP addresses: Not Available
Actual threat names: Generic Downloader.dp
Actual products: VirusScan
-----------------------------------------

So it lets us know there's a problem, but I don't feel like I'm getting as much information as I probably could be. Anyway, I'd love to see some alerts from others. Post 'em if you got 'em.
13 Replies

RE: E-mail alerts - share and discuss your scripts!

Anyone?
cdpayne
Level 7
Message 3 of 14

RE: E-mail alerts - share and discuss your scripts!

We had the same problem you seem to be having. It would say that something was found but never list any details, and oftentimes it would list 'full scan' as the source of the infection. There is a KB article that tells how to fix it and I am trying to find what I did with it.

RE: E-mail alerts - share and discuss your scripts!

Well let me know if you're able to dig anything up, or if you'd be willing to post what you guys are currently using that would be awesome too.

I'm kind of surprised there isn't more interest in this topic. It's either incredibly easy or people just aren't that interested in e-mail alerts.

RE: E-mail alerts - share and discuss your scripts!

Here is how my e-mail alert to the help desk is set up. I replaced computer names and user names with RED.

While I don't feel it is adequate, it does let the help desk know there is probably something wrong and to do a 3rd party (usually malwarebytes) scan. I suggest you add in every tag available, and then remove the ones you don't feel are necessary. Anyway, my 2 cents.

Subject:
Possible Virus problem on {AffectedComputerNames}
Body:
Actual number of events: {ReceivedNumEvents}
Source Systems: {SourceComputers}
Actual number of systems: {ReceivedNumComputers}
IP Address {AffectedComputerIPs}
First Event Time: {FirstEventTime}
Event Description: {EventDescriptions}
Event ID: {EventIDs}
Additional Information: {AdditionalInformation}
Affected systems names: {AffectedComputerNames}
Affected Objects: {AffectedObjects}
Time notification sent: {TimeNotificationSent}

It looks like this:

Subject: Possible Virus problem on (COMPUTER NAME)

Actual number of events: 5
Source Systems: Not Available
Actual number of systems: 1
IP Address 192.168.X.X
First Event Time: 6/10/09 10:00:38 AM
Event Description: Infected file deleted., file infected. Undetermined clean error, deleted successfully
Event ID: 1027, 1280
Additional Information: 3
Affected systems names: (COMPUTER NAME)
Affected Objects: C:\Documents and Settings\USERNAME\Local Settings\Temporary Internet Files\Content.IE5\XZ57JBIN\install[1].exe, C:\Documents and Settings\USERNAME\Local Settings\Temporary Internet Files\Content.IE5\O3BC6FCO\index[1].htm\00000122.js, C:\DOCUMENTS AND SETTINGS\USERNAME\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XZ57JBIN\INSTALL[1].EXE
Time notification sent: 6/11/09 10:00:38 AM
Johonn
Level 7
Message 6 of 14

RE: E-mail alerts - share and discuss your scripts!

I am pretty close to rwhitehill too. I added a little details section because I found that laptops that were off site would report back in and start to send off alerts. Knowing the time of the event lets us know how old it is. This is all because McAfee does not care when the event was created, just when it was received by ePO.

I also added "{AffectedObjects}" because a lot of times the file path will be in the user's directory and I can see exactly who it was without going elsewhere. However, it can be kind of long if a machine is infected real good.


Subject: {NotificationRuleName}


Actions Taken: {ReceivedEventCategories}
Event Description: {EventDescriptions}
Affected Computer(s): {AffectedComputerNames}
IP Address: {AffectedComputerIPs}
Number of Computers: {ReceivedNumComputers}
Number of Events: {ReceivedNumEvents}
Threat Names: {ReceivedThreatNames}
Affected Files: {AffectedObjects}


Alert Details:

Notification Rule: {NotificationRuleName}
Time of Event: {FirstEventTime}
Notification Location: {SiteNodeName}

This report is only sent at most every two hours when the Events exceed 20.




Looks like:


Subject: Virus Alert - Removed

Actions Taken: Unwanted program detected and removed
Event Description: Unwanted program, clean error, deleted, Unwanted program deleted.
Affected Computer(s): (COMPUTERNAME)
IP Address: 192.168.2.2
Number of Computers: 1
Number of Events: 29
Threat Names: Downloader-ABJ
Affected Files: (FILE PATH)


Alert Details:

Notification Rule: Virus Alert - Removed
Time of Event: 6/12/09 9:08:25 AM
Notification Location: Workstations

This report is only sent at most every two hours when the Events exceed 20.

RE: E-mail alerts - share and discuss your scripts!

Johonn, so if your threshold is set to >20 events - how do you deal with a machine that has a file that can't be cleaned and constantly reinfects itself? In theory, wouldn't you never receive an alert on a machine like this?

RE: E-mail alerts - share and discuss your scripts!

This may be a diversion of topic, but is there any possible way to get usernames onto notifications?

RE: E-mail alerts - share and discuss your scripts!

I left this out of mine, but for frequency I use:

Send a notification for every event (Is enabled)

At most, send a notification every: 1 day

So, the Help Desk will get an email for any issue, and only one per day.

--

As far as username, I don't see a variable which gives this information. This is why I make sure the computer name is listed as I can easily look up that information.
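Added example, not from any poster in this thread and not an ePO feature: the posts above want three things the notification variables do not give. The reply above asks for the user involved, the post with the "Alert Details" section wants to know how old the first event is compared with when ePO sent the mail, and the threshold question asks about a host where the same file keeps coming back. All three can be recovered on the receiving side by parsing the mail ePO generates. The Python below parses a mail in the shape of the help-desk template above and derives those fields. The mail body, host name, IP address and user names are constructed for this example; the label names and the timestamp format are taken from the mails posted in the thread; the 12-hour staleness threshold is an arbitrary choice.

```python
"""Parse an ePO notification e-mail (shape of the help-desk template above)
and derive what the template variables cannot give: the user whose profile
the file sat in, how old the first event is, and files detected repeatedly.
Added example, not part of ePO and not from any post in this thread."""
import re
from datetime import datetime, timedelta

# Timestamp format as it appears in the posted mails, e.g. "6/10/09 10:00:38 AM".
EPO_TIME_FORMAT = "%m/%d/%y %I:%M:%S %p"

# Field labels exactly as the help-desk template above emits them.
# "IP Address" comes without a colon and "Subject:" without a space.
LABELS = (
    "Subject", "Actual number of events", "Source Systems",
    "Actual number of systems", "IP Address", "First Event Time",
    "Event Description", "Event ID", "Additional Information",
    "Affected systems names", "Affected Objects", "Time notification sent",
)
_LINE_RE = re.compile(r"^(%s):?\s*(.*)$" % "|".join(re.escape(l) for l in LABELS))

# Profile directory layouts: "C:\Documents and Settings\<user>\" (XP era,
# as in the posted paths) and "C:\Users\<user>\" (Vista and later).
_USER_RE = re.compile(r"^[a-z]:\\(?:documents and settings|users)\\([^\\]+)\\", re.I)

# Constructed sample mail: host, IP, user names and paths are made up; the
# labels, values and timestamp format follow the mails posted above.
SAMPLE_MAIL = r"""Subject:Possible Virus problem on WS-EXAMPLE

Actual number of events: 5
Source Systems: Not Available
Actual number of systems: 1

IP Address 192.168.10.20
First Event Time: 6/10/09 10:00:38 AM
Event Description: Infected file deleted., file infected. Undetermined clean error, deleted successfully
Event ID: 1027, 1280

Additional Information: 3
Affected systems names: WS-EXAMPLE
Affected Objects: C:\Documents and Settings\jdoe\Local Settings\Temporary Internet Files\Content.IE5\XZ57JBIN\install[1].exe, C:\Users\asmith\AppData\Local\Temp\update[1].exe, C:\DOCUMENTS AND SETTINGS\jdoe\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\XZ57JBIN\INSTALL[1].EXE

Time notification sent: 6/11/09 10:00:38 AM
"""


def parse_alert(body):
    """Return {label: value} for every known label found in the mail body."""
    fields = {}
    for line in body.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def object_counts(fields):
    """Count each affected path case-insensitively: the mail posted above
    lists the same path once in mixed case and once fully upper-cased."""
    counts = {}
    # ePO joins paths with ", "; a path containing that sequence would mis-split.
    for path in fields.get("Affected Objects", "").split(", "):
        key = path.strip().lower()
        if key:
            counts[key] = counts.get(key, 0) + 1
    return counts


def usernames_from_objects(fields):
    """User names taken from profile directories in the affected paths."""
    users = {m.group(1) for m in map(_USER_RE.match, object_counts(fields)) if m}
    return sorted(users)


def event_age(fields):
    """How long before ePO sent the mail the first event actually happened.
    Both timestamps are written by the same ePO server, so no zone math."""
    sent = datetime.strptime(fields["Time notification sent"], EPO_TIME_FORMAT)
    first = datetime.strptime(fields["First Event Time"], EPO_TIME_FORMAT)
    return sent - first


def triage(body, stale_after=timedelta(hours=12)):
    """Everything the help desk needs from one mail, as a dict. 'stale' marks a
    mail whose first event is older than stale_after (12 h is an arbitrary
    choice), e.g. an off-site laptop reporting old events on reconnect;
    'repeated_objects' lists files detected more than once in the same mail."""
    f = parse_alert(body)
    counts = object_counts(f)
    return {
        "host": f.get("Affected systems names"),
        "ip": f.get("IP Address"),
        "events": int(f.get("Actual number of events", "0")),
        "event_ids": [int(x) for x in re.findall(r"\d+", f.get("Event ID", ""))],
        "users": usernames_from_objects(f),
        "repeated_objects": sorted(p for p, n in counts.items() if n > 1),
        "stale": event_age(f) > stale_after,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_MAIL), indent=2))
```

Run it as a script to print the triage result for the constructed mail, or feed `triage()` the body of a real mail pulled from the help-desk mailbox. Two caveats: the path split assumes ePO's ", " separator never occurs inside a path, and the user name only comes out when the detection landed under a profile directory, so files in system or program directories still need a look-up by computer name as the reply above does.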

RE: E-mail alerts - share and discuss your scripts!

Does anyone know any way to get around this? Can any code be inserted in any way, etc.?