Threat Type : None
Severity : Critical
Action Taken : none
User : useruser
Machine Name : egmachine
Virus Name : none
I have an automatic response configured to email me whenever a threat is detected by VSE 8.5 and the threat severity is either critical or emergency. Above is the body of an email I have since received several times. The machine name and username are different for different detections. Whenever I then scan the machine the threat was detected on, the only thing that shows up, if anything, is cookies. What I am wondering is why threat type and virus name are 'none'? Also, is there a better way of configuring an automatic response to email me when a machine is infected with a serious threat (i.e. not just a cookie or a warning about a rule violation)?
Any assistance or advice greatly appreciated.
Currently running ePO 4.5, VSE 8.5 + AntiSpyware, Agent 4.0.
Personally, I would disable the cookie detection notifications in the VSE policies first, as this will get rid of the possibly unwanted nagging about cookies. These cookie detections will also fill up an ePO database quickly. Once this is done, your current configuration should work just fine.
Not sure how to disable the cookie detection notifications; I would be happy to do so.
Is it Policy Catalog - Product: VSE 8.5, Category: Alert Policies - Alert Manager Options: Disable Alerting? I'm worried that this will disable alerting for more serious threats rather than just cookies.
Answering these two questions:
What I am wondering is why threat type and virus name are 'none'?
Because the event really has no threat type and no virus name. This typically happens on a scan timeout or a scan skipped due to an encrypted file.
Also is there a better way of configuring an automatic response to email me when a machine is infected with a serious threat (ie. not just a cookie or a warning about a rule violation)?
We have a default response for that; it's called 'Malware detected and not handled', which covers 'infections', a.k.a. detections that VSE could not handle and which you need to take action on.
Message was edited by: dvo on 12/2/09 9:44 AM
Message was edited by: dvo on 12/2/09 9:48 AM