EPO 4.0 Notification Rules

Can someone point me to some good documentation (Best Practices) for setting up notification rules?  I have been trying to create rules that will notify us if a system is infected and cannot be cleaned, or if a virus is removed but continues to infect the system.  It's getting frustrating to have our end-users call us to report that their computer is infected.  When we investigate the issue we discover that the system is infected but ePO never sent a notification.  Here is a view of one of my rules:

Name: Virus detected and not removed
Notes: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received
Defined at: My Organization
Priority: High
Status: Enabled
Operating systems: Workstation, Server
Products: ePO Server, GroupShield Exchange, McAfee Agent, VirusScan
Categories: Virus detected and NOT removed
Threat name: (Any)
Aggregation: Send a notification if multiple events occur within 20 minutes
  When the number of affected systems is at least 10
  When the number of events is at least 25
Throttling: At most, send a notification every 1 hours
Notifications: Email:


Does this look right to you?  BTW, I do have our IT staff listed in the Email section of the notification.

Thanks,

Ron

Accepted Solution

ajacobs (Level 12)
Message 2 of 6

Re: EPO 4.0 Notification Rules

I've moved this to our ePO area. The URL did not change.

JoeBidgood (McAfee Employee)
Message 3 of 6

Re: EPO 4.0 Notification Rules

At first glance, those aggregation and throttling criteria are going to slow down your alerts. I would remove those to start with so that you get a notification for each detection. If after that you find that you're getting flooded you can introduce them again.

Regards -

Joe

Re: EPO 4.0 Notification Rules

Joe,

Thanks for the input.  I will follow your advice and tweak the aggregation and throttling criteria.

Ron

Re: EPO 4.0 Notification Rules

I made the following changes.  Now I'll just sit back and see what happens.

Aggregation: Send a notification if multiple events occur within 10 minutes
  When the number of affected systems is at least 1
  When the number of events is at least 5
Throttling: At most, send a notification every 10 minutes

JoeBidgood (McAfee Employee)
Message 6 of 6

Re: EPO 4.0 Notification Rules

I'd possibly go even further - under aggregation, select "Trigger this response for every event" and make sure the throttling checkbox is not selected...

Regards -

Joe
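To see why the aggregation and throttling thresholds in this thread swallow exactly the alerts Ron wants, here is an added example (written for this page, not code from the thread or from McAfee) that replays two constructed event streams through a small model of the rule. The model's semantics are an assumption, not taken from ePO documentation: every event is evaluated on arrival, the aggregation window is the span of time ending at that event, the rule fires when the window holds at least the configured number of distinct systems and of events, and throttling drops a notification sent less than the throttle interval after the previous one. The host names, timestamps and rule labels are made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Event:
    """One 'Virus detected and NOT removed' event as the server would receive it."""
    when: datetime
    host: str


@dataclass
class Rule:
    """Aggregation and throttling settings of one notification rule.

    window=None models "Trigger this response for every event";
    throttle=None models the throttling checkbox left unchecked.
    """
    name: str
    window: Optional[timedelta]
    min_systems: int = 1
    min_events: int = 1
    throttle: Optional[timedelta] = None


def notifications(rule: Rule, events: List[Event]) -> List[datetime]:
    """Return the timestamps at which `rule` would send its e-mail.

    Assumed semantics (this example's model, not ePO's documented behaviour):
    each event is evaluated on arrival; the window is the `rule.window` of time
    ending at that event; the rule fires when the window holds at least
    min_systems distinct hosts AND at least min_events events; a notification is
    suppressed if the previous one went out less than `rule.throttle` ago.
    """
    ordered = sorted(events, key=lambda e: e.when)
    sent: List[datetime] = []
    for i, ev in enumerate(ordered):
        if rule.window is None:
            fire = True
        else:
            recent = [e for e in ordered[: i + 1] if ev.when - e.when <= rule.window]
            fire = (len({e.host for e in recent}) >= rule.min_systems
                    and len(recent) >= rule.min_events)
        if fire and rule.throttle is not None and sent \
                and ev.when - sent[-1] < rule.throttle:
            fire = False  # throttled: previous e-mail went out too recently
        if fire:
            sent.append(ev.when)
    return sent


# The three configurations discussed in the thread, in the order they appear.
RULES = [
    Rule("original", timedelta(minutes=20), min_systems=10, min_events=25,
         throttle=timedelta(hours=1)),
    Rule("revised", timedelta(minutes=10), min_systems=1, min_events=5,
         throttle=timedelta(minutes=10)),
    Rule("every_event", None),
]

T0 = datetime(2008, 5, 1, 9, 0)  # arbitrary start time for the constructed samples


def single_host_reinfection() -> List[Event]:
    """Constructed sample: one workstation whose on-access scanner re-detects
    the same uncleanable file every 15 minutes for three hours (12 events)."""
    return [Event(T0 + timedelta(minutes=15 * k), "WS-017") for k in range(12)]


def outbreak() -> List[Event]:
    """Constructed sample: 30 different workstations each report one detection,
    45 seconds apart (something spreading across a subnet)."""
    return [Event(T0 + timedelta(seconds=45 * k), f"WS-{k:03d}") for k in range(30)]


def summary(events: List[Event]) -> Dict[str, int]:
    """Number of e-mails each rule would send for the given event stream."""
    return {rule.name: len(notifications(rule, events)) for rule in RULES}


if __name__ == "__main__":
    for label, evs in (("single host re-infected", single_host_reinfection()),
                       ("outbreak", outbreak())):
        print(label)
        for name, count in summary(evs).items():
            print(f"  {count:3d} e-mail(s)  {name}")
```

Run stand-alone, the single-host stream produces no e-mail at all under the original rule (one host never reaches "at least 10 systems") and, less obviously, none under the revised rule either: detections 15 minutes apart never put 5 events into a 10-minute window. Only "trigger for every event" reports that machine. The outbreak stream shows the flip side: the original rule sends one e-mail once 25 systems are hit, the revised rule two, and every-event thirty, which is the flood Joe says to tune for only after it actually happens.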
