
decipher notifications

I get a lot of "Virus Detected and Not Removed" events received from ePO, but how do I find out where they are coming from? The notifications are kinda hard to understand.

How do I find the affected machines?

ePolicy Orchestrator Notification
Rule: Virus detected and not removed
Rule Defined At: Directory
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

Number of events: 78326
Source computer IP addresses: 10.1.35.14:25, 217.10.142.247, _,
Actual threat names: Cookie-RU4, Cookie-Spylog, Cookie-Atdmt, RemAdm-VNCView, Cookie-Zedo, Common Standard Protection:Prevent termination of McAfee processes, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings, Cookie-Untd, Cookie-ProMarket, Cookie-Insightexpres, Anti-virus Standard Protection:Prevent mass mailing worms from sending mail, Cookie-Omniture, Cookie-Adrevolver, Generic Downloader.h, Generic Downloader.g, Cookie-AdBureau, Cookie-Pointroll, Cookie-Trafficmp, Targeted Scan, Common Standard Protection:Prevent common programs from running files from the Temp folder, Cookie-Revenue, Exploit-ByteVerify, Cookie-Yadro, Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings, Cookie-Advertising, Cookie-Nextag, Cookie-Cars, Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings, Cookie-Hotlog, Common Standard Protection:Protect Mozilla & FireFox files and settings, Cookie-Tribalfusion, Cookie-Overture, Cookie-Tickle, KERNEL32.LoadLibraryA, Cookie-AdDynamix, Cookie-RealMedia, Cookie-Burst, VBS/Psyme, OAS, Cookie-Questionmarke, Cookie-Roiservice, Cookie-Bravenet, Cookie-Linkshare, Cookie-Yieldmanager, Cookie-SearchPortal, Generic BackDoor, Cookie-Statcounter, On-Demand Scan, BackDoor-DNM.dldr, Cookie-Valueclick, FakeAlert-AB!lnk, Common Standard Protection:Prevent modification of McAfee files and settings, ?, Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings, Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, Cookie-Hitbox, Cookie-SpecClick, Adware-OneStep, Cookie-Liveperson, Tibs-Packed, Unknown rule, Cookie-Fastclick, Cookie-Casalemedia, Cookie-Bluestreak, Cookie-Doubleclick, Common Standard Protection:Protect Internet Explorer settings, Cookie-Atwola, Cookie-Eyeblaster, AutoUpdate, Cookie-Gemius, Cookie-Imrworldwide, FakeAlert-AB, Cookie-2O7, Cookie-Mediaplex, FakeAlert-AB.dldr.gen.b,
Actual products: GroupShield Exchange, PortalShield, VirusScan, McAfee Agent, ePO Server

For additional information, see the Notification Log in the ePolicy Orchestrator console.

ePolicy Orchestrator Notification
Rule: Virus detected and not removed
Rule Defined At: Directory
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

Number of events: 70144
Source computer IP addresses: 10.1.35.14:25, 190.55.172.100:6668, ePO_FS-CH-AV,
Actual threat names: Common Standard Protection:Prevent common programs from running files from the Temp folder, Anti-virus Standard Protection:Prevent mass mailing worms from sending mail, OAS, Cookie-2O7, Common Standard Protection:Prevent termination of McAfee processes, Virtual Machine Protection:Prevent modification of VMWare virtual machine files, FakeAlert-AB!lnk, Common Standard Protection:Protect Internet Explorer settings, Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder, Adware-WebSearch, Generic Downloader.e, Cookie-SpecClick, JS/Tenia.d, FakeAlert-AG.gen.a, FakeAlert-AB, Common Standard Protection:Prevent modification of McAfee files and settings, Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings, Cookie-Pointroll, BackDoor-DNM.dldr, Common Standard Protection:Protect Mozilla & FireFox files and settings, Tibs-Packed, Puper, Anti-virus Standard Protection:Prevent IRC communication, W32/Rontokbro.gen@MM, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings, Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, AutoUpdate, Generic.dx,
Actual products: GroupShield Exchange, PortalShield, VirusScan, McAfee Agent, ePO Server

For additional information, see the Notification Log in the ePolicy Orchestrator console.
8 Replies
tonyb99
Message 2 of 9

RE: decipher notifications

looks like you've totally knackered these notifications....

disable them and start again

turn off cookie notifying unless you really want it (Can't imagine why anyone would even store cookie events)

start with the basic template they already provide and set for individual events not groups unless you want an unmanageable mess of crud as the response.

if you get too many start thinking about thresholds

RE: decipher notifications

here is an example of one that i have set up.. maybe someone else will post theirs as well? i would be curious to see what other alerts folks have configured - always looking to improve my setup..

Subject:

"Virus Detected and Not Removed" - {AffectedComputerNames} - {ReceivedThreatNames}

Body:

ePolicy Orchestrator Notification

Rule: {NotificationRuleName}
Number of events: {ReceivedNumEvents}
Affected Computers IP addresses: {AffectedComputerIPs}
Affected Computer Names: {AffectedComputerNames}
Actual Threat Names: {ReceivedThreatNames}
Affected Objects: {AffectedObjects}
First Event Time: {FirstEventTime}

For additional information, see the Notification Log in the ePolicy Orchestrator console.
tonyb99
Message 4 of 9

RE: decipher notifications

mine are much the same eg:

EPO Threat found and not removed - {AffectedComputerNames} - {AffectedComputerIPs}

ePolicy Orchestrator Notification
Rule: {NotificationRuleName}
Rule Defined At: {BranchNodePath}
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.
Affected computer IP addresses: {AffectedComputerIPs}
Affected computer: {AffectedComputerNames}
Actual threat names: {ReceivedThreatNames}
Affected object: {AffectedObjects}
Actual products: {ReceivedProductFamilies}
Event details: {EventDescriptions}
For additional information, see the Notification Log in the ePolicy Orchestrator console.

RE: decipher notifications

cool, thanks tony.

right now i have 2 alerts that i primarily use

detected and not removed
detected and removed successfully (for comparison)

i have an alert set up to notify me when the on-access scanner is not enabled on a machine, but so far i have not had luck getting this to work.. do you use it by chance?

Thanks Guys

Thanks guys, that helps a lot.

I still get a lot of gibberish though, it seems... Is there a way to get email notifications that this machine/IP is infected with this virus/malware?

Or could you send a copy of one of your email notifications so I can see what a normal one is supposed to look like...

I used both of your suggestions and this is what I get.

EPO Threat found and not removed - x.x.x.x x.x.x.x.x.x.x.x.x.x.x.x.x

ePolicy Orchestrator Notification
Rule: New Rule
Rule Defined At: Directory
Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.
Affected computer IP addresses: x.x.x.x, x.x.x.x.233, x.x.x.x, x.x.x.x
Affected computer: -------, ---------, ---------, ---------
Actual threat names: Anti-virus Standard Protection:Prevent mass mailing worms from sending mail,
Affected object: C:\Program Files\Common Files\McAfee\Engine\avvnames.dat, C:\Program Files\HEAT\CallLog32.exe, DAT, Engine, C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\AUENGINEMETA\AUEngineContentDetection.McS, ----------, C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\00000060.txml, C:\Program Files\Common Files\McAfee\Engine\avvclean.dat, C:\Program Files\Common Files\McAfee\Engine\avvscan.dat
Actual products: GroupShield Exchange, VirusScan, McAfee Agent
Event details: Scan Timed Out, Update Successful
For additional information, see the Notification Log in the ePolicy Orchestrator console.


Or this


ePolicy Orchestrator Notification

Rule: Virus Detected and Not Removed
Number of events: 100
Affected Computers IP addresses: x.x.x.x
Affected Computer Names: -------, DELETE
Actual Threat Names: Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings,
Affected Objects: \REGISTRY\USER\S-1-5-21-256225738-2272727325-1692859293-8349\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, C:\Documents and Settings\domlinj\Local Settings\Temporary Internet Files\Content.IE5\K1UBC1IN\premium[1].css\premium[1], C:\Documents and Settings\domlinj\Local Settings\Temporary Internet Files\Content.IE5\C1I7G5YN\premium[1].css\premium[1], \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-1016\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, C:\Documents and Settings\OneyD\Local Settings\Temporary Internet Files\Content.IE5\C1I7G5YN\premium[1].css\premium[1], \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DD448E6-C188-4aed-AF92-44956194EB1F}, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}, \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-1011\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, DAT, \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, HotFix, \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-500\Software\Microsoft\Internet Explorer\International\CpCache, C:\Documents and Settings\OneyD\Local Settings\Temporary Internet Files\Content.IE5\X621L1KC\premium[1].css\premium[1], SuperDAT
First Event Time: 2/4/09 11:55:23 AM

For additional information, see the Notification Log in the ePolicy Orchestrator console.



RE: Thanks Guys

it looks like you have throttling set up of some sort. i didn't like how my alerts were being displayed when i had throttling enabled, so i just turned it off and i deal with the spam via filters.

a typical email would look like this:

subject:
"Virus Detected and Not Removed" - <machine name> - Exploit-XMLhttp.d.gen

BODY:

ePolicy Orchestrator Notification

Rule: Virus detected and not removed
Number of events: 1
Affected Computers IP addresses: <IP address>
Affected Computer Names: <machine name>
Actual Threat Names: Exploit-XMLhttp.d.gen
Affected Objects: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\0B2RY579\b[1].htm
First Event Time: 2/3/09 7:40:29 AM

For additional information, see the Notification Log in the ePolicy Orchestrator console.
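As an added example (not code from this thread or from McAfee), here is a small Python parser for the notification bodies shown above: it splits a body whose fields ran together onto one line back into its labelled fields, and reports whether the mail names exactly one computer and one threat (so the two can be paired, as in the per-event mail above) or is a throttled digest whose lists no longer line up. The field labels are the ones from the templates quoted in this thread; the two sample bodies, host names and IPs are constructed.

```python
import re

# Field labels from the notification templates quoted in this thread, longest
# first so "Affected computer IP addresses" is tried before "Affected computer".
LABELS = sorted(["Rule", "Rule Defined At", "Description", "Number of events",
                 "Affected Computers IP addresses", "Affected computer IP addresses",
                 "Affected Computer Names", "Affected computer", "Actual Threat Names",
                 "Affected Objects", "Affected object", "Actual products",
                 "Event details", "First Event Time"], key=len, reverse=True)
LABEL_RE = re.compile(r"(?<!\w)(" + "|".join(map(re.escape, LABELS)) + r"):\s*", re.I)
# Both template variants collapse onto one key; labels not listed stay scalars.
CANON = {"affected computers ip addresses": "ips", "affected computer ip addresses": "ips",
         "affected computer names": "computers", "affected computer": "computers",
         "actual threat names": "threats", "affected objects": "objects",
         "affected object": "objects", "actual products": "products",
         "event details": "details"}
TRAILER = "For additional information, see the Notification Log"

def parse_notification(body):
    """Split a notification body into fields, even when throttling rendered
    every field onto one line. Aggregated (CANON) fields become lists."""
    body = body.split(TRAILER)[0]
    hits = list(LABEL_RE.finditer(body))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        value = body[m.end():end].strip().rstrip(",")
        label = m.group(1).lower()
        if label in CANON:
            fields[CANON[label]] = [v.strip() for v in value.split(",") if v.strip()]
        else:
            fields[label] = value
    return fields

def attributable(fields):
    """True only when the mail names one computer and one threat, so they can be paired."""
    return len(fields.get("computers", [])) == 1 and len(fields.get("threats", [])) == 1

# Constructed samples (hosts and IPs invented) modelled on the two shapes in this thread.
PER_EVENT = r"""Rule: Virus detected and not removed
Number of events: 1
Affected Computers IP addresses: 10.0.0.5
Affected Computer Names: WKS-EXAMPLE-01
Actual Threat Names: Exploit-XMLhttp.d.gen
Affected Objects: C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\0B2RY579\b[1].htm
First Event Time: 2/3/09 7:40:29 AM"""
THROTTLED = r"""Rule: Virus Detected and Not Removed
Number of events: 100
Affected Computers IP addresses: 10.0.0.5, 10.0.0.9 Affected Computer Names: WKS-EXAMPLE-01, WKS-EXAMPLE-02 Actual Threat Names: Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, Generic Downloader.h, Affected Objects: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, DAT First Event Time: 2/4/09 11:55:23 AM
For additional information, see the Notification Log in the ePolicy Orchestrator console."""
```

Run `parse_notification` over a mailbox export and route only the `attributable` mails to a ticket; the rest are the digests the thread recommends turning off at the rule's threshold step.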

RE: Thanks Guys

Now that's what I am looking for...

Where do I turn off this damn throttling???

Thanks in advance.

RE: Thanks Guys

login to your epo server and go to notifications -> rules tab

click the rule you want to modify, at the top skip to step 3 'set thresholds' and change that to what you prefer. send a notification every event, or the different throttling/aggregation options.