bostjanc
Level 10
Message 1 of 11

sending e-mails on detected viruses


Hi there!

We are using ePO 4.5 and VirusScan Enterprise 8.7.

A user has received a pop-up message that the McAfee scanner found a trojan and has deleted it. How can I set it up so that our sys department will receive messages in these cases?

Can someone tell me step by step?

Thank you a lot!

With best regards,

1 Solution

Accepted Solutions
goppetm
Level 8
Message 2 of 11

Re: sending e-mails on detected viruses


Hello bostjanc,

I will try to give you a short overview.

I assume that the communication between your clients and your ePO server is working.

1.) Make sure that you have configured a mail server:

Menu - Configuration - Server Settings - Email Server

2.) Make sure that your ePO server is allowed to send mails to your configured email server.

3.) You can send mails only to persons configured in the ePO server.

You can configure a user here:

a) Menu - User Management - Contacts (for users where no ePO login account is needed)

b) Menu - User Management - Users (users created here will be displayed in the contacts as well)

4.) Now you can create your automatic response:

Menu - Automation - Automatic Response - Actions - New Response

4.1 Description:

a) Name: choose a rule name

b) Description: choose a description

c) Language: choose a language

d) Event: Event group: "ePO Notification Events"; Event type: Threats

e) Status: I suggest disabling the response until you have finished configuring it

4.2 Filter:

a) Defined at: choose the location where the rule should be applied

b) Threat Category: choose e.g. belongs to "malware detection" or belongs to "malware detection using heuristics"

4.3 Aggregation:

a) Caution! If you do not use aggregation and throttling, you can generate a DoS attack on your mail server by sending many mails in case of a massive file infection on a client or server.

4.4 Actions:

a) Choose "Send Email"

b) Choose your recipients, subject and body by inserting text combined with the given variables

5.) Save your automatic response and do not forget to activate it!

You can check the server task log to see any responses sent.

Regards, Tim

10 Replies

bostjanc
Level 10
Message 3 of 11

Re: sending e-mails on detected viruses


Tim!

Thank you: http://dagobah.biz/flash/thank_you.swf

With best regards

bostjanc
Level 10
Message 4 of 11

Re: sending e-mails on detected viruses


Tim Goppelt

If I have understood you right, your step-by-step instructions will help me to create a rule which will send me an e-mail only in case a virus has been detected and removed. I would also like to be informed by e-mail when the threat hasn't been removed (in other words: someone is spreading a virus in the company, you should run and hide).

I saw that McAfee already has a template automatic response called "Malware detected and not handled", so I am also testing that rule at the moment.

But I have one more question. I would like to be informed exactly which file has been infected (for example C:\program files\pdfcreator.exe), but I didn't find this variable option in the action tab.

Currently I have set up an e-mail to look like this:

McAfee found threat:

The most important thing to know --> what has been done; if it was removed or not: {listOfThreatActionTaken}
Which computers are/were infected: {listOfTargetHostName}
How many viruses were there: {count}
The name of viruses: {listOfThreatName}

Which files were infected: ????????????????????

What else would you suggest putting in the e-mail for good administrator observation?

Message was edited by: bostjanc on 4/14/10 9:55:27 AM GMT+01:00

goppetm
Level 8
Message 5 of 11

Re: sending e-mails on detected viruses


Have you tried this one?

Target files: {listOfTargetFileName}

We are using the following parameters. But sometimes (for many detections) this can be a little bit confusing.

Affected system(s): {listOfAnalyzerHostName}

System(s) located at: {listOfNodeTextPath}

Affected IP address: {listOfAnalyzerIPV4}

Sum of affected system(s): {distinctCountOfAnalyzerHostName}

Alert: {listOfEventDesc}

Alert summation: {distinctCountOfEventDesc}

Target files: {listOfTargetFileName}

Sum of target files: {distinctCountOfTargetFileName}

McAfee-Product: {listOfAnalyzer}

Threat or rule: {listOfThreatName}

Detection time list: {listOfDetectedUTC}

Regards, Tim

bostjanc
Level 10
Message 6 of 11

Re: sending e-mails on detected viruses


Thank you for your reply. I will give it a try.

With best regards,

bostjanc
Level 10
Message 7 of 11

Re: sending e-mails on detected viruses


Hi Tim!

I am about to finish these e-mail actions. Only one more question: is it possible to get information on which user is logged on to that computer?

That will help us to react very fast if we know who the user of the computer with the virus is.

With best regards,

goppetm
Level 8
Message 8 of 11

Re: sending e-mails on detected viruses


Sorry, we do not use this information in our notifications and we never tested it. But have you tried {listOfTargetUserName} yet?

But if nobody is logged on to a system, or the on-demand scan found an infection, the logged-on user will be <localsystem> or the account you run your McAfee services under.

By the way, talking about logged-on users: in my opinion McAfee changed the behaviour of logging the last logged-on user. If a system is running with no user currently logged on and the agent sends props to the server, the last logged-on user property is empty. This behaviour changed from ePO 3.6.1 to ePO 4.5.

Regards, Tim

bostjanc
Level 10
Message 9 of 11

Re: sending e-mails on detected viruses


Thank you for the answer.

I noticed that when the mail comes, the timestamp is 2 hours behind. We live in the GMT+1 area, and the time on the server is set right. Why does this happen, and can we change this?

Re: sending e-mails on detected viruses


In my opinion ePO 4.5 always uses UTC time from the node where the event took place. Sorry, I don't know if this can be changed.

But I think this was different in ePO 3.6.1.

And there are two variables used for detection time in ePO 4.5:

{listOfDetectedUTC} and {listOfReceivedUTC}. If you use the ReceivedUTC there can be a delay compared to the DetectedUTC.

Regards, Tim
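To make the three points of this thread concrete (the aggregation caveat in the accepted answer, the listOf*/distinctCountOf* variables Tim lists, and the UTC detection time from the last reply), here is an added example that is not part of the thread or of ePO itself. It reconstructs, as a hypothetical Python model, how one batch of threat events collapses into a single notification instead of one mail per event, escalates the subject when a threat was not handled, and renders the UTC detection times in the recipient's own zone. The event dictionaries, the field names, the set of "handled" actions and the GMT+1 offset are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events shaped like ePO threat events (not real detections).
SAMPLE_EVENTS = [
    {"AnalyzerHostName": "PC-01", "TargetFileName": r"C:\temp\a.exe", "ThreatName": "Generic.dx",
     "ThreatActionTaken": "deleted", "DetectedUTC": "2010-04-14 07:55:27"},
    {"AnalyzerHostName": "PC-01", "TargetFileName": r"C:\temp\b.exe", "ThreatName": "Generic.dx",
     "ThreatActionTaken": "deleted", "DetectedUTC": "2010-04-14 07:55:30"},
    {"AnalyzerHostName": "SRV-02", "TargetFileName": r"D:\share\c.dll", "ThreatName": "Artemis!ABC",
     "ThreatActionTaken": "none", "DetectedUTC": "2010-04-14 08:01:02"},
]
HANDLED = {"deleted", "cleaned", "quarantined"}   # assumed set of "handled" actions
LOCAL_TZ = timezone(timedelta(hours=1))           # assumed GMT+1, as in the thread

# Mail body using the variable names from the thread; extra computed keys are ignored by format().
TEMPLATE = ("McAfee found threat:\n"
            "Action taken: {listOfThreatActionTaken}\n"
            "Affected system(s): {listOfAnalyzerHostName}\n"
            "Sum of affected system(s): {distinctCountOfAnalyzerHostName}\n"
            "Target files: {listOfTargetFileName}\n"
            "Threat or rule: {listOfThreatName}\n"
            "Detection time list: {listOfDetectedUTC}\n"
            "Number of events: {count}\n")

def to_local(utc_str):
    """ePO reports detection time in UTC; render it in the recipient's zone."""
    dt = datetime.strptime(utc_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.astimezone(LOCAL_TZ).strftime("%Y-%m-%d %H:%M:%S %z")

def aggregate(events):
    """Collapse one batch of events into listOf*/distinctCountOf*/count values.
    Hypothetical reconstruction of the aggregation step, not ePO's own code."""
    values = {"count": len(events)}
    for field in ("ThreatActionTaken", "AnalyzerHostName", "TargetFileName", "ThreatName"):
        seen = list(dict.fromkeys(e[field] for e in events))   # dedupe, keep first-seen order
        values["listOf" + field] = ", ".join(seen)
        values["distinctCountOf" + field] = len(seen)
    values["listOfDetectedUTC"] = ", ".join(to_local(e["DetectedUTC"]) for e in events)
    return values

def build_mail(events):
    """Return (subject, body): one mail per batch, escalated if any threat was not handled."""
    unhandled = [e for e in events if e["ThreatActionTaken"] not in HANDLED]
    subject = ("URGENT: malware detected and NOT handled" if unhandled
               else "Malware detected and handled")
    return subject, TEMPLATE.format(**aggregate(events))

if __name__ == "__main__":
    subj, body = build_mail(SAMPLE_EVENTS)
    print(subj)
    print(body)
```

A mass infection producing hundreds of events then yields one mail per batch rather than hundreds, which is the throttling the accepted answer warns you to configure.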