I've set up some scheduled regular VSE scans on some machines in my environment as a way to be a bit more proactive in catching infected computers and reduce their number in my environment.
However, I'd like to be able to make a report out of the findings of these scans, so that we can see trending data and more accurately be able to quantify McAfee's effectiveness.
So far, I've only been able to create a report on Event ID 1203 (Scan Completed), but that doesn't actually tell me much more on what the actual results of the scan were. Following KB articles like KB69428 has helped, but the information gathered is still pretty minimal...
I'd like to pull information from the OnDemandScanLog.txt file that gets generated in each machine and then be able to compile it into something that will tell something like the following example:
- 100 computers had the scheduled scan task
- x/100 computers successfully completed the scan
- y/100 computers did not complete the scan
From computers that completed the scan...
- n/x had no detections
- m/x had detections
From computers with detections...
- a/x were cleaned up
- b/x are still infected
From still infected computers, I'd like to have the Service Desk receive an email to address those machines specifically
Lastly, I'd like to compile a list of what these infections were, treated and untreated, and perhaps a log of machines that are "repeat offenders"
I'd appreciate any help with this!
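As an added example (not part of the original post), this Python script rolls per-machine scan logs into the buckets listed above and builds the Service Desk notice for still-infected machines. The log line format, machine names and the `history` dict are constructed assumptions, since the real OnDemandScanLog.txt layout is not shown here.

```python
import re
from collections import Counter

# Constructed sample logs, one list of lines per machine. The line format is
# an assumption for illustration, not the real OnDemandScanLog.txt layout.
SAMPLE_LOGS = {
    "PC01": ["Scan Started", "Scan Complete"],
    "PC02": ["Scan Started", "Found Generic.dx in C:\\tmp\\a.exe (Cleaned)", "Scan Complete"],
    "PC03": ["Scan Started", "Found Artemis!ABC in C:\\tmp\\b.dll (Clean failed)", "Scan Complete"],
    "PC04": ["Scan Started"],  # scan never finished
    "PC05": ["Scan Started", "Found Generic.dx in C:\\tmp\\c.exe (Cleaned)",
             "Found Artemis!ABC in D:\\x.exe (Clean failed)", "Scan Complete"],
}

DETECTION = re.compile(r"^Found (?P<name>\S+) in (?P<path>.+) \((?P<action>Cleaned|Clean failed)\)$")

def summarize(logs, history=None):
    """Roll per-machine scan logs into the buckets listed in the question.
    history (constructed/assumed): machine -> count of earlier scans with
    detections, used to flag repeat offenders.
    """
    history = history or {}
    completed = [m for m, lines in logs.items() if "Scan Complete" in lines]
    detections, still_infected = {}, {}
    for machine in completed:  # detections are only counted for finished scans
        hits = [h for h in map(DETECTION.match, logs[machine]) if h]
        if hits:
            detections[machine] = [h["name"] for h in hits]
            failed = [h["name"] for h in hits if h["action"] != "Cleaned"]
            if failed:  # any detection that was not cleaned leaves the box infected
                still_infected[machine] = failed
    return {
        "scheduled": len(logs),
        "completed": len(completed),
        "not_completed": len(logs) - len(completed),
        "no_detections": len(completed) - len(detections),
        "with_detections": len(detections),
        "cleaned": len(detections) - len(still_infected),
        "still_infected": sorted(still_infected),
        "threat_counts": Counter(n for names in detections.values() for n in names),
        "repeat_offenders": sorted(m for m in detections if history.get(m, 0) > 0),
    }

def service_desk_message(summary):
    """Body of the e-mail the Service Desk would get for still-infected machines."""
    if not summary["still_infected"]:
        return ""
    return "Machines still infected after scheduled scan:\n" + "\n".join(summary["still_infected"])
```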
You can definitely do this, there are just a couple of dependencies and then you'll just have to learn the event IDs to play around with getting your queries built and either into a report or dashboard.
So for the scan complete/started/ended, this is dependent on having those event IDs forwarded to your DB. Go to Menu > Configuration > Server Settings > Event Filtering. You need to make sure you are having the clients send the DB the events you want for your report. HOWEVER, keep in mind that your DB will be getting tons more events if you start enabling a lot of these informationals and you will need to make sure you are purging regularly. After that, you just need to build the queries you want based on the event IDs of the information you want.
For the scheduled scans, just do a new query Events > Client Events and then configure as you need.
For the infections/detections, just do a new query Events > Threat Events and then configure as you need.
After that, you can create a report based on your queries, have it emailed, or create a dashboard.
Just to show you, here is a dashboard I have based on malware detection queries, that could also be put into a report and emailed to whoever.