cancel
Showing results for 
Search instead for 
Did you mean: 
scoutt
Level 11
Report Inappropriate Content
Message 1 of 4

Multiple responses to a single task

I have some automated responses setup and they all send multiple emails about the exact samething at the exact same time. One for instance is the OnDemand scan. I have it set to email me if it found items. That works fine, but it sends 2 emails per 1 task. I changed the aggregation set to send me an email once every 1 minute. So it sends the same email 3 minutes apart but the eact same time for the detection is in both emails.

Category : Task ended

Virus Detected: none

Event :   1038
Event Action : none
Event Description : Scan found infected files.
Affected Object : 
Detection occured at : 09/16/10 16:20:52 UTC

Affected Computers :  MXM73505RQ
Affected IP Addresses :  10.43.40.37

Detection Method : VirusScan Enterprise

ePolicy Orchestrator Notification Rule:

For additional information, see the Notification Log in the ePolicy Orchestrator console.

I got that exact same email 2 minutes apart. Why is it sending it twice? And anyway to change that UTC time? it is not even the correct time. it shows 4:20pm while the email was sent at 9:20 am. The servers times are good and updated daily. Same with the users PC's. all times are correct.

The filter is set to Threat  Event ID == 1038

Screen shot of the aggregation settings. Nothing special set.

I believe the responses are generated form the Threat event log on the server. This event was in the log onyl once, so why did I get 2 responses?

We have 4.5 build 937 patch 3 I believe

3 Replies
scoutt
Level 11
Report Inappropriate Content
Message 2 of 4

Re: Multiple responses to a single task

Nobody have any idea?

apoling
Level 14
Report Inappropriate Content
Message 3 of 4

Re: Multiple responses to a single task

Please check that the client is not sending two events of the same kind, therefore resulting in two events in the database for the same Event ID, thus justifying the duplicate emails.

Might sound crazy but I suspect there could be two events generating one of which like that: "Infected files were found"and the other "Scan found and cleaned infected files" or the like.

You can check all the events for this particular client in the database around the timestamp you cite here and then if my theory is true, you can decide to suppress one of the events.

Attila

scoutt
Level 11
Report Inappropriate Content
Message 4 of 4

Re: Multiple responses to a single task

Thanks Attila,

But, I only have one auto reponse that deals with OnDemand Scans. The event log only shows 1 per machine (event id 1038) when I filtered the results, so it is not the logs that are doubled, but the generated response is. As I said in my previous post, the email generated reports are doubled from the exact same log it found.

I have attached a screen shot showing the emails. The body of the emails are exact, but the time it was sent to me is 3 min apart. OnDemand scan is only an example, I also get them for trojans/virus's found as well.

These are the only auto repsonses I have enabled.

Adware Detection, Buffer Overflow, KeyLogger, Non-compliant computer detected, OnDemand Scan, P2P Detection,
Port Blocking Rule, Rootkit Detection, Scheduled Task, SpyWare Detection, Tojan Detection, Unwanted Programs
Virus Detection

Those are all my own. I disabled the Malware response that came default.