We run a weekly "threats detected" report. If threats have been detected, it is assumed that they are cleaned or corrected via Artemis. At what point do we become concerned? Should we be concerned?
A good idea would be to enable the automatic response to send you a notification when a threat is found and not cleaned or deleted. You can then action those detections.
In particular I am looking at the Threats Detected report. In the week of January 18 there were 6,556 detected in total. In the week of January 25 there were 10,025, and that is a huge spike. Are you saying don't worry about that spike and just worry about the items that are not cleaned or deleted? I don't need to be concerned with the increase in detections? Looking forward to your thoughts, and anyone else who has any. Thanks!
Personally, with a spike like that I would spend a little time drilling down into the report to see what caused it, even if it is just for peace of mind. It could even be just one machine.
With that knowledge you will be better placed to know if policies need adjusting or you need to speak with a few users.
Certainly I would look into any clean failures.
I agree with Rob: spend some time looking through the reports. You might find it to be scanner timeouts, and then you can filter those out of the queries.
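The drill-down the two replies above describe (compare week-over-week counts, see whether one machine drove the spike, filter out scanner timeouts, list what was not cleaned or deleted) is easy to script against a CSV export of the threat-event query. The following is an added example, not code from the thread or from McAfee; the column names, the "Scan timed out" threat name, the list of unresolved actions and the sample rows (dated 2010 so the weeks of January 18 and 25 fall on Mondays) are all constructed assumptions and will need mapping to whatever your own ePO export actually contains.

```python
"""Drill into a threat-event export: which hosts drove a weekly spike,
and which detections were left unresolved (not cleaned/deleted).

Added example. Column names, action strings and sample rows are
constructed assumptions, not the ePO export schema.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (not real ePO data). Column names are assumptions.
SAMPLE_CSV = """\
event_time,host,threat_name,action_taken,detection_source
2010-01-18 09:12:00,WS-001,Generic.dx,Deleted,Artemis
2010-01-19 10:05:00,WS-002,EICAR test file,Cleaned,On-Access Scan
2010-01-20 11:00:00,WS-003,Scan timed out,None,On-Demand Scan
2010-01-25 08:00:00,WS-017,Generic Downloader.x,None,Artemis
2010-01-25 08:01:00,WS-017,Generic Downloader.x,None,Artemis
2010-01-26 08:02:00,WS-017,Generic Downloader.x,Deleted,Artemis
2010-01-26 12:00:00,WS-017,Generic Downloader.x,None,Artemis
2010-01-27 13:00:00,WS-004,Scan timed out,None,On-Demand Scan
2010-01-28 14:00:00,WS-005,EICAR test file,Cleaned,On-Access Scan
"""

# Actions that leave the object in place; treat these as clean failures.
# (Assumed strings; check how your export spells them.)
UNRESOLVED_ACTIONS = {"none", "clean failed", "delete failed", "access denied"}
# Noise to drop before counting real detections. Assumption: scanner
# timeouts appear as a pseudo-threat named like this.
NOISE_THREATS = {"scan timed out"}


def parse_events(text):
    """Parse the CSV export; add a date and a week key (the week's Monday)."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["event_time"], "%Y-%m-%d %H:%M:%S")
        row["date"] = ts.date()
        # Monday of that week, so "week of January 18" groups cleanly.
        row["week"] = ts.date() - timedelta(days=ts.weekday())
        events.append(row)
    return events


def drop_noise(events):
    """Remove scanner-timeout rows so they do not inflate the counts."""
    return [e for e in events if e["threat_name"].lower() not in NOISE_THREATS]


def weekly_counts(events):
    """Detections per week, keyed by the Monday of the week."""
    return Counter(e["week"] for e in events)


def spikes(events, ratio=1.5):
    """(prev_week, this_week, prev_count, this_count) for weeks that grew by >= ratio."""
    counts = weekly_counts(events)
    weeks = sorted(counts)
    return [
        (prev, cur, counts[prev], counts[cur])
        for prev, cur in zip(weeks, weeks[1:])
        if counts[cur] / counts[prev] >= ratio
    ]


def hosts_for_week(events, week):
    """Detections per host in one week, busiest first; a single noisy host stands out."""
    return Counter(e["host"] for e in events if e["week"] == week).most_common()


def unresolved(events):
    """Detections whose recorded action left the object in place."""
    return [e for e in events if e["action_taken"].lower() in UNRESOLVED_ACTIONS]


if __name__ == "__main__":
    ev = drop_noise(parse_events(SAMPLE_CSV))
    for prev, cur, before, after in spikes(ev):
        print(f"spike: week of {prev} = {before} -> week of {cur} = {after}")
        for host, n in hosts_for_week(ev, cur):
            print(f"  {host}: {n}")
    for e in unresolved(ev):
        print(f"unresolved: {e['date']} {e['host']} {e['threat_name']} ({e['action_taken']})")
```

Run against the constructed data it reports one spike, driven almost entirely by WS-017, and three detections on that host where the action was "None"; those are the rows the earlier reply suggests acting on, while the timeout rows are dropped before anything is counted. Swap `SAMPLE_CSV` for the contents of your exported query and adjust the column and action names to match.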
Two reports I would create and get them emailed to you on a daily basis:
Remember, the new ePO query builder is highly customizable, so play around with it. Make it do what you want to see.