decipher notifications

I get a lot of "Virus Detected and Not Removed" events from ePO, but how do I find out where they are coming from? The notifications are kinda hard to understand. :eek:

How do I find the affected machines? :confused:

ePolicy Orchestrator Notification Rule: Virus detected and not removed Rule Defined At: Directory
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

Number of events: 78326
Source computer IP addresses: 10.1.35.14:25, 217.10.142.247, _, Actual threat names: Cookie-RU4, Cookie-Spylog, Cookie-Atdmt, RemAdm-VNCView, Cookie-Zedo, Common Standard Protection:Prevent termination of McAfee processes, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings, Cookie-Untd, Cookie-ProMarket, Cookie-Insightexpres, Anti-virus Standard Protection:Prevent mass mailing worms from sending mail, Cookie-Omniture, Cookie-Adrevolver, Generic Downloader.h, Generic Downloader.g, Cookie-AdBureau, Cookie-Pointroll, Cookie-Trafficmp, Targeted Scan, Common Standard Protection:Prevent common programs from running files from the Temp folder, Cookie-Revenue, Exploit-ByteVerify, Cookie-Yadro, Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings, Cookie-Advertising, Cookie-Nextag, Cookie-Cars, Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings, Cookie-Hotlog, Common Standard Protection:Protect Mozilla & FireFox files and settings, Cookie-Tribalfusion, Cookie-Overture, Cookie-Tickle, KERNEL32.LoadLibraryA, Cookie-AdDynamix, Cookie-RealMedia, Cookie-Burst, VBS/Psyme, OAS, Cookie-Questionmarke, Cookie-Roiservice, Cookie-Bravenet, Cookie-Linkshare, Cookie-Yieldmanager, Cookie-SearchPortal, Generic BackDoor, Cookie-Statcounter, On-Demand Scan, BackDoor-DNM.dldr, Cookie-Valueclick, FakeAlert-AB!lnk, Common Standard Protection:Prevent modification of McAfee files and settings, ?, Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings, Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, Cookie-Hitbox, Cookie-SpecClick, Adware-OneStep, Cookie-Liveperson, Tibs-Packed, Unknown rule, Cookie-Fastclick, Cookie-Casalemedia, Cookie-Bluestreak, Cookie-Doubleclick, Common Standard Protection:Protect Internet Explorer settings, Cookie-Atwola, Cookie-Eyeblaster, AutoUpdate, Cookie-Gemius, Cookie-Imrworldwide, FakeAlert-AB, Cookie-2O7, Cookie-Mediaplex, FakeAlert-AB.dldr.gen.b, Actual products: GroupShield Exchange, PortalShield, VirusScan, McAfee Agent, ePO Server

For additional information, see the Notification Log in the ePolicy Orchestrator console.

ePolicy Orchestrator Notification Rule: Virus detected and not removed Rule Defined At: Directory
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

Number of events: 70144
Source computer IP addresses: 10.1.35.14:25, 190.55.172.100:6668, ePO_FS-CH-AV, Actual threat names: Common Standard Protection:Prevent common programs from running files from the Temp folder, Anti-virus Standard Protection:Prevent mass mailing worms from sending mail, OAS, Cookie-2O7, Common Standard Protection:Prevent termination of McAfee processes, Virtual Machine Protection:Prevent modification of VMWare virtual machine files, FakeAlert-AB!lnk, Common Standard Protection:Protect Internet Explorer settings, Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder, Adware-WebSearch, Generic Downloader.e, Cookie-SpecClick, JS/Tenia.d, FakeAlert-AG.gen.a, FakeAlert-AB, Common Standard Protection:Prevent modification of McAfee files and settings, Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings, Cookie-Pointroll, BackDoor-DNM.dldr, Common Standard Protection:Protect Mozilla & FireFox files and settings, Tibs-Packed, Puper, Anti-virus Standard Protection:Prevent IRC communication, W32/Rontokbro.gen@MM, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings, Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, AutoUpdate, Generic.dx, Actual products: GroupShield Exchange, PortalShield, VirusScan, McAfee Agent, ePO Server

For additional information, see the Notification Log in the ePolicy Orchestrator console.
tonyb99

RE: decipher notifications

looks like you've totally knackered these notifications....

disable them and start again

turn off cookie notifying unless you really want it (Can't imagine why anyone would even store cookie events)

start with the basic template they already provide and set for individual events not groups unless you want an unmanageable mess of crud as the response.

if you get too many start thinking about thresholds
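Added example, not code from this thread or from McAfee: a small Python helper that parses one of these flattened notification bodies into its labelled fields and buckets the "threat names" the way the advice above implies, so you can see how much of an aggregated mail is tracking cookies and Access Protection rule events rather than actual detections, and whether aggregation has already made host-to-threat pairing impossible. The field labels are the ones used in the mails quoted in this thread; the host names, IPs and paths in the sample are constructed placeholders.

```python
import re

# Field labels from the ePO notification templates quoted in this thread, longest first so
# the alternation matches "Affected computer IP addresses:" before "Affected computer:".
LABELS = sorted(["Rule", "Rule Defined At", "Description", "Number of events",
                 "Source computer IP addresses", "Affected computer IP addresses",
                 "Affected Computers IP addresses", "Affected computer", "Affected Computer Names",
                 "Actual threat names", "Affected object", "Affected Objects", "Actual products",
                 "Event details", "First Event Time"], key=len, reverse=True)
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):", re.I)
# Scanner/agent events that ePO lists under "threat names" although nothing was detected.
NON_DETECTIONS = {"oas", "on-demand scan", "targeted scan", "autoupdate", "unknown rule", "?"}

def parse_notification(body):
    """Split a flattened notification body into {label.lower(): [values]}."""
    body = body.split("For additional information")[0]  # drop the fixed trailer
    hits = list(LABEL_RE.finditer(body))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[m.group(1).lower()] = [v.strip() for v in body[m.end():end].split(",") if v.strip()]
    return fields

def classify_threat(name):
    if name.lower().startswith("cookie-"):
        return "cookie"             # tracking cookie: noise unless you really want it
    if "Protection:" in name:
        return "access-protection"  # VSE Access Protection rule fired, nothing was detected
    if name.lower() in NON_DETECTIONS:
        return "scanner-event"
    return "detection"              # e.g. Generic Downloader.g, Exploit-ByteVerify

def triage(body):
    """Summarise one mail: real detections, hosts, and whether aggregation hid the pairing."""
    fields = parse_notification(body)
    counts, detections = {}, []
    for t in fields.get("actual threat names", []):
        bucket = classify_threat(t)
        counts[bucket] = counts.get(bucket, 0) + 1
        if bucket == "detection":
            detections.append(t)
    # With more than one event per mail the host list and threat list can no longer be paired.
    return {"counts": counts, "detections": detections, "hosts": fields.get("affected computer", []),
            "aggregated": int(fields.get("number of events", ["1"])[0]) > 1}

# Constructed sample modelled on the mails quoted above (placeholder hosts, IPs and paths).
SAMPLE = ("ePolicy Orchestrator Notification\nRule: Virus detected and not removed\n"
          "Number of events: 4\nAffected computer IP addresses: 10.0.0.10, 10.0.0.11 "
          "Affected computer: WS-01, WS-02 Actual threat names: Cookie-Doubleclick, Common "
          "Standard Protection:Prevent termination of McAfee processes, Generic Downloader.g, "
          "OAS Affected object: C:\\temp\\a.exe, DAT Actual products: VirusScan For additional information, see the console.")
```

Running `triage(SAMPLE)` reports one real detection out of four "threat names" and flags the mail as aggregated, which is exactly the case where a per-event rule is the only way to tie a threat back to a host.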

RE: decipher notifications

here is an example of one that i have set up.. maybe someone else will post theirs as well? i would be curious to see what other alerts folks have configured - always looking to improve my setup..

Subject:

"Virus Detected and Not Removed" - {AffectedComputerNames} - {ReceivedThreatNames}

Body:

ePolicy Orchestrator Notification

Rule: {NotificationRuleName}
Number of events: {ReceivedNumEvents}
Affected Computers IP addresses: {AffectedComputerIPs}
Affected Computer Names: {AffectedComputerNames}
Actual Threat Names: {ReceivedThreatNames}
Affected Objects: {AffectedObjects}
First Event Time: {FirstEventTime}

For additional information, see the Notification Log in the ePolicy Orchestrator console.
tonyb99

RE: decipher notifications

mine are much the same eg:

EPO Threat found and not removed - {AffectedComputerNames} - {AffectedComputerIPs}

ePolicy Orchestrator Notification
Rule: {NotificationRuleName}
Rule Defined At: {BranchNodePath}
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.
Affected computer IP addresses: {AffectedComputerIPs}
Affected computer: {AffectedComputerNames}
Actual threat names: {ReceivedThreatNames}
Affected object: {AffectedObjects}
Actual products: {ReceivedProductFamilies}
Event details: {EventDescriptions}
For additional information, see the Notification Log in the ePolicy Orchestrator console.

RE: decipher notifications

cool, thanks tony.

right now i have 2 alerts that i primarily use

detected and not removed
detected and removed successfully (for comparison)

i have an alert set up to notify me when the on-access scanner is not enabled on a machine, but so far i have not had luck getting this to work.. do you use it by chance?

Thanks Guys

Thanks guys, that helps a lot. 😉

I still get a lot of gibberish though, it seems... Is there a way to get email notifications that this machine/IP is infected with this virus/malware?

Or could you send a copy of one of your email notifications so I can see what a normal one is supposed to look like...

I used both of your suggestions and this is what I get. :confused:

EPO Threat found and not removed - x.x.x.x x.x.x.x.x.x.x.x.x.x.x.x.x

ePolicy Orchestrator Notification
Rule: New Rule
Rule Defined At: Directory
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.
Affected computer IP addresses: x.x.x.x, x.x.x.x.233, x.x.x.x, x.x.x.x Affected computer:-------, ---------, ---------, --------- Actual threat names: Anti-virus Standard Protection:Prevent mass mailing worms from sending mail, Affected object: C:\Program Files\Common Files\McAfee\Engine\avvnames.dat, C:\Program Files\HEAT\CallLog32.exe, DAT, Engine, C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\AUENGINEMETA\AUEngineContentDetection.McS, ----------, C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\00000060.txml, C:\Program Files\Common Files\McAfee\Engine\avvclean.dat, C:\Program Files\Common Files\McAfee\Engine\avvscan.dat Actual products: GroupShield Exchange, VirusScan, McAfee Agent Event details: Scan Timed Out, Update Successful For additional information, see the Notification Log in the ePolicy Orchestrator console.


Or this


ePolicy Orchestrator Notification

Rule: Virus Detected and Not Removed
Number of events: 100
Affected Computers IP addresses: x.x.x.x Affected Computer Names: -------, DELETE Actual Threat Names: Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings, Affected Objects: \REGISTRY\USER\S-1-5-21-256225738-2272727325-1692859293-8349\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, C:\Documents and Settings\domlinj\Local Settings\Temporary Internet Files\Content.IE5\K1UBC1IN\premium[1].css\premium[1], C:\Documents and Settings\domlinj\Local Settings\Temporary Internet Files\Content.IE5\C1I7G5YN\premium[1].css\premium[1], \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-1016\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, C:\Documents and Settings\OneyD\Local Settings\Temporary Internet Files\Content.IE5\C1I7G5YN\premium[1].css\premium[1], \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DD448E6-C188-4aed-AF92-44956194EB1F}, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}, \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-1011\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, DAT, \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, HotFix, \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-500\Software\Microsoft\Internet Explorer\International\CpCache, C:\Documents and Settings\OneyD\Local Settings\Temporary Internet Files\Content.IE5\X621L1KC\premium[1].css\premium[1], SuperDAT First Event Time: 2/4/09 11:55:23 AM

For additional information, see the Notification Log in the ePolicy Orchestrator console.


:eek::confused:

RE: Thanks Guys

it looks like you have throttling set up of some sort. i didn't like how my alerts were being displayed when i had throttling enabled, so i just turned it off and i deal with the spam via filters.

a typical email would look like this:

subject:
"Virus Detected and Not Removed" - <machine name> - Exploit-XMLhttp.d.gen

BODY:

ePolicy Orchestrator Notification

Rule: Virus detected and not removed
Number of events: 1
Affected Computers IP addresses: <IP address>
Affected Computer Names: <machine name>
Actual Threat Names: Exploit-XMLhttp.d.gen
Affected Objects: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\0B2RY579\b[1].htm
First Event Time: 2/3/09 7:40:29 AM

For additional information, see the Notification Log in the ePolicy Orchestrator console.

RE: Thanks Guys

Now that's what I am looking for... 😄

Where do I turn off this damn throttling???

Thanks in advance.

RE: Thanks Guys

log in to your ePO server and go to notifications -> rules tab

click the rule you want to modify, at the top skip to step 3 'set thresholds' and change that to what you prefer: send a notification for every event, or one of the different throttling/aggregation options.