kami88
Level 7
Message 1 of 6

EPO 4.5 Automatic Responses

Hi all,

A few weeks ago we moved from EPO 4.0 to 4.5.

In EPO 4.0 we received emails when a virus was detected on a client with the antivirus software installed.

Now in EPO 4.5 we don't receive those mails anymore.

I tried to create an automatic response, but I only receive mails like this:

-------------

ePolicy Orchestrator Notification
Response Name: Malware detected and not handled
Event Type Name: Threat
Defined at: My Organization
System Location: GlobalRoot\Directory\Inactive Agents
Description: Sends an e-mail notification when "Malware detected and not handled" events are received.

Number of events: 1
Source IPV6 addresses: X
Source IPV4 addresses: X
Threat Names:
Detecting Product Names: VirusScan Enterprise
Target File C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_F002.xml
none

-------------

How can I get this back, so that I receive emails when a virus is detected?

Any help is welcome!

Thanks

5 Replies

Re: EPO 4.5 Automatic Responses

How about creating a response like this one:

Event group: epo notification events
event type: threat

Filter:
defined at - system is in group or subgroup /my organisation
threat category: belongs to malware detected or
belongs to malware detected using heuristics

Aggregation:
trigger a response for every event


actions:
send email

enter email address for recipients
subject:
{threatName} detected on {analyzerHostName}

Body:
Virus detected on
Computer: {analyzerHostName}
IP: {listOfAnalyzerIPV4}
Time: {detectedUTC}

File Name: {targetFileName}
Threat Name: {threatName}
Action Taken: {threatActionTaken}

Product:{analyzer}
Dats: {analyzerDATVersion}
Engine: {analyzerEngineVersion}
Detection Method: {analyzerDetectionMethod}

Source host name: {sourceHostName}
Source IP: {sourceIPV4}
Source process name: {sourceProcessName}
Source UserName: {sourceUserName}
-------

kami88
Level 7
Message 3 of 6

Re: EPO 4.5 Automatic Responses

Hi,

Thanks for your fast reply!

I'll try this out, I'll inform you what my result is.

kami88
Level 7
Message 4 of 6

Re: EPO 4.5 Automatic Responses

Hi jmcleish,

I tried your suggestion and now I'm receiving a lot of mails about virus warnings, but also non virus related mails like this:

==========

Virus detected on
Computer:
IP:
Time: 06/24/10 06:22:53 UTC

File Name: \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray
Threat Name: Algemene standaardbeveiliging:Voorkomen dat bestanden en instellingen van McAfee Common Management Agent worden gewijzigd
Action Taken: deny create

Product:VIRUSCAN8600
Dats:
Engine:
Detection Method: OAS

Source host name:
Source IP:
Source process name: C:\windows\Explorer.EXE
Source UserName:

==========

Or this:

==========

Virus detected on
Computer:
IP:
Time: 06/24/10 06:43:06 UTC

File Name: C:\Lotus\Notes\NCDaemon.exe
Threat Name: Common Standard Protection:Prevent termination of McAfee processes
Action Taken: deny terminate

Product:VIRUSCAN8700
Dats:
Engine:
Detection Method: OAS

Source host name:
Source IP:
Source process name: C:\Lotus\Notes\nsd.exe
Source UserName:

Do you have any suggestions for this? Can I filter those messages out, because this is nothing about a virus?

Thanks!

Re: EPO 4.5 Automatic Responses

Sorry, I have this one running on my servers, so have not had these.

Try changing the

threat category:

belongs to malware detected or
belongs to malware detected using heuristics

to

Threat type

equals, and add in the names of the detections.

(just like the filter in the default query "all threats detected in the last 7 days")

and threat name value is not blank.
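The following script is an added example, not code from the thread or from McAfee: it simulates the filter proposed in this reply (threat type equals an allow-list of detection types, and threat name is not blank) over notification bodies in the template the thread uses. The notification bodies are constructed; the first two mirror the Access Protection events the poster received. The `Threat Type:` line and the type strings (`Virus`, `Trojan`, `Potentially Unwanted Program`, `Access Protection`) are assumptions, since the thread does not show ePO's actual threat type values, and the `{threatType}` variable is not part of the page's template.

```python
import re

# Constructed sample notifications in the body format of the thread's response.
# The "Threat Type:" line and its values are assumptions (the page's template
# does not include it). Events 1 and 2 mirror the Access Protection events the
# poster received; event 3 is a constructed genuine detection; event 4 is a
# constructed event with a blank threat name, which the proposed filter drops.
SAMPLE_NOTIFICATIONS = [
    r"""Virus detected on
Computer: WS-0001
IP: 10.0.0.11
Time: 06/24/10 06:22:53 UTC
File Name: \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray
Threat Name: Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings
Threat Type: Access Protection
Action Taken: deny create
Product:VIRUSCAN8600
Detection Method: OAS
Source process name: C:\windows\Explorer.EXE
""",
    r"""Virus detected on
Computer: WS-0002
IP: 10.0.0.12
Time: 06/24/10 06:43:06 UTC
File Name: C:\Lotus\Notes\NCDaemon.exe
Threat Name: Common Standard Protection:Prevent termination of McAfee processes
Threat Type: Access Protection
Action Taken: deny terminate
Product:VIRUSCAN8700
Detection Method: OAS
Source process name: C:\Lotus\Notes\nsd.exe
""",
    r"""Virus detected on
Computer: WS-0003
IP: 10.0.0.13
Time: 06/24/10 07:01:10 UTC
File Name: C:\Temp\eicar.com
Threat Name: EICAR test file
Threat Type: Virus
Action Taken: deleted
Product:VIRUSCAN8700
Detection Method: OAS
Source process name: C:\windows\Explorer.EXE
""",
    r"""Virus detected on
Computer: WS-0004
IP: 10.0.0.14
Time: 06/24/10 07:05:00 UTC
File Name: C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_F002.xml
Threat Name:
Threat Type: Virus
Action Taken: none
Product:VIRUSCAN8700
Detection Method: OAS
Source process name:
""",
]

# Assumed allow-list standing in for the "Threat type equals ..." clause of the
# proposed filter; the real ePO values must be taken from the console.
MALWARE_THREAT_TYPES = {"Virus", "Trojan", "Potentially Unwanted Program"}


def parse_notification(body):
    """Parse 'Key: value' lines of a notification body into a dict.

    The key is cut at the first colon, so values that themselves contain
    colons (times, Windows paths, 'Protection:Prevent ...' rule names) stay intact.
    Lines without a colon (the 'Virus detected on' banner) are ignored.
    """
    event = {}
    for line in body.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            event[m.group(1).strip()] = m.group(2).strip()
    return event


def is_malware_detection(event):
    """The proposed filter: allowed threat type AND a non-blank threat name."""
    return (event.get("Threat Type", "") in MALWARE_THREAT_TYPES
            and event.get("Threat Name", "").strip() != "")


def classify_notifications(bodies):
    """Split notification bodies into (kept, dropped) lists of parsed events."""
    kept, dropped = [], []
    for body in bodies:
        ev = parse_notification(body)
        (kept if is_malware_detection(ev) else dropped).append(ev)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = classify_notifications(SAMPLE_NOTIFICATIONS)
    for ev in kept:
        print("ALERT", ev["Computer"], ev["Threat Name"])
    for ev in dropped:
        print("skip ", ev["Computer"], ev["Threat Type"], ev["Action Taken"])
```

With the constructed input only the EICAR event is kept: the two Access Protection rule hits fail the threat type check, and the event with the empty threat name fails the second clause, which is the same outcome the reply aims for in the ePO response filter.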

kami88
Level 7
Message 6 of 6

Re: EPO 4.5 Automatic Responses

Ok thanks! I'll try this out