8 Replies Latest reply on Nov 5, 2009 12:44 AM by serc09

    "unwanted" program deleted

    serc09
      Hey.

      I have another problem using ePO 4.5.

      All works fine so far.

      Set up VSE policies to "deny access" to unwanted programs.

      Now I have received 2 emails from the ePO server via automatic responses when unwanted programs are detected. In email 1 you can see that access was denied, but in email 2 the file/program was deleted.

      Email 1:
      ePolicy Orchestrator Benachrichtigung

      Ereignis-Typ: Bedrohung
      Name der Antwort: Email: unerwünschtes Programm

      Beschreibung: Schreibt eine Email-Benachrichtigung wenn ein unerwünschtes Programm entdeckt wurde

      Ereignis Infos:

      Anzahl: 1
      Ereignis ID:21024
      Bedrohung: RemAdm-RemoteAdmin
      Schweregrad: Kritisch
      Ausgeführte Aktion: access denied

      Datei: C:\WINDOWS\system32\r_server.exe

      Entdeckungsprogramm: VirusScan Enterprise
      DAT-Version: 5782.0000

      Ereignisempfang: 10/26/09 09:15:15 UTC
      Ereignisgenerierung: 10/26/09 09:12:10 UTC

      System Infos:

      PC Name: PC016087
      IPv6 Adresse: 10.140.16.87
      IPv4 Adresse: 10.140.16.87
      Betriebsystem: Windows XP Professional


      Email 2:
      ePolicy Orchestrator Benachrichtigung

      Ereignis-Typ: Bedrohung
      Name der Antwort: Email: unerwünschtes Programm

      Beschreibung: Schreibt eine Email-Benachrichtigung wenn ein unerwünschtes Programm entdeckt wurde

      Ereignis Infos:

      Anzahl: 1
      Ereignis ID:21027
      Bedrohung: RemAdm-RemoteAdmin
      Schweregrad: Warnung
      Ausgeführte Aktion: deleted

      Datei: C:\WINDOWS\system32\r_server.exe

      Entdeckungsprogramm: VirusScan Enterprise
      DAT-Version: 5782.0000

      Ereignisempfang: 10/26/09 09:15:15 UTC
      Ereignisgenerierung: 10/26/09 09:13:01 UTC

      System Infos:

      PC Name: PC016087
      IPv6 Adresse: 10.140.16.87
      IPv4 Adresse: 10.140.16.87
      Betriebsystem: Windows XP Professional


      I really don't know what to do, or how to handle that.

      Hope you can help me!

      THX

      serc09
        • 1. RE: "unwanted" program deleted
          serc09
          Nobody has any ideas?
          • 2. RE: "unwanted" program deleted
            If you're asking how to stop this from being detected (and deleted), you will need to add an exception for 'RemAdm-RemoteAdmin' in your unwanted programs policy.

            Andrew
            • 3. RE: "unwanted" program deleted
              serc09
              Okay, that's a solution, but why was the file deleted instead of being access denied like I set it up in the policies?!
              • 4. RE: "unwanted" program deleted
                I'm not sure I understand what you are saying - I don't see any setting in the 'Unwanted Program Policy' concerning 'access denied'. In that policy I see two tabs; the first has two sections, 'Select categories of unwanted programs to detect:' and 'Unwanted program exclusions:'. The second tab is for 'User-Defined Items'. Where are you setting your policy?

                Andrew
                • 5. RE: "unwanted" program deleted
                  mrpg
                  serc09 is saying he set his VSE policy for unwanted program detection to not delete the file.

                  In essence, when an "unwanted program" is detected, he just wants to deny the user access to it and get an auto-response, but it's not working as expected. If "deny access" is set as the first action, then there should be no secondary action; it should not delete.

                  serc09 - just confirm for sure it is set to "deny access" and not "clean file." A clean file action can generate a "denied access" response, and delete is the default secondary action for that.

                  Also are you running 4.5?
                  • 6. RE: "unwanted" program deleted
                    OK, so the settings we are referencing are not in the 'Unwanted Programs Policies' policy but are instead in the 'On-Access Default Processes Policies' policy under 'Actions'.
                    Serc09 can you tell us what you have set under 'When an unwanted program is found:'?

                    For example I have:
                    When an unwanted program is found: Perform this action first: Clean files automatically
                    If the first action fails, then perform this action: Delete files automatically

                    Andrew
                    • 7. Re: RE: "unwanted" program deleted
                      serc09

                      Sorry, had a meeting and after that I had no time to answer.

                      Here are my settings:

                      On-Access Default Processes Policies:

                      1 - Threat detected:
                      1. Action: Clean files automatically
                      2. Action: Deny access

                      2 - Unwanted program detected:
                      1. Action: Allow access
                      2. Action: ---

                      On-Access Processes with low risk Policies:

                      1 - Threat detected:
                      1. Action: Clean files automatically
                      2. Action: Deny access

                      2 - Unwanted program detected:
                      1. Action: Allow access
                      2. Action: ---

                      On-Access Processes with high risk Policies:

                      1 - Threat detected:
                      1. Action: Clean files automatically
                      2. Action: Deny access

                      2 - Unwanted program detected:
                      1. Action: Allow access
                      2. Action: ---


                      I made these settings ~3 weeks ago and didn't even remember that it should "allow access" - I'm getting old...

                      And yes, we're running ePO 4.5.

                      THX for your help.

                      Message edited by serc09 on 11/4/09 11:43 PM
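As an added example (not code from this thread or from McAfee), a small Python script that parses ePO notification e-mails like the two quoted at the top, groups them by host and file in time order, and flags every event whose reported "Ausgeführte Aktion" is not one the configured unwanted-program action should produce. The label-to-field map and the two embedded sample bodies are constructed from this thread; the expected-action set is whatever the On-Access policy is set to.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the two ePO 4.5 notification bodies quoted in this
# thread, cut down to the lines the parser uses (labels exactly as ePO sent them).
SAMPLE_MAILS = [
    "Ereignis ID:21024\nAusgeführte Aktion: access denied\n"
    "Datei: C:\\WINDOWS\\system32\\r_server.exe\n"
    "Ereignisgenerierung: 10/26/09 09:12:10 UTC\nPC Name: PC016087\n",
    "Ereignis ID:21027\nAusgeführte Aktion: deleted\n"
    "Datei: C:\\WINDOWS\\system32\\r_server.exe\n"
    "Ereignisgenerierung: 10/26/09 09:13:01 UTC\nPC Name: PC016087\n",
]

# Assumed mapping from the localized labels seen in the thread to neutral keys.
FIELDS = {"Ereignis ID": "event_id", "Ausgeführte Aktion": "action", "Datei": "file",
          "Ereignisgenerierung": "generated", "PC Name": "host"}

def parse_notification(body):
    """Return the known fields of one 'label: value' notification body as a dict."""
    ev = {}
    for line in body.splitlines():
        label, sep, value = line.partition(":")  # split on the first colon only
        if sep and label.strip() in FIELDS:
            ev[FIELDS[label.strip()]] = value.strip()
    ev["generated"] = datetime.strptime(ev["generated"], "%m/%d/%y %H:%M:%S UTC")
    return ev

def find_policy_mismatches(bodies, expected_actions):
    """Group events by (host, file) in time order and return every event whose
    reported action is not one the configured policy should have produced."""
    expected = {a.lower() for a in expected_actions}
    by_target = defaultdict(list)
    for body in bodies:
        ev = parse_notification(body)
        by_target[(ev["host"], ev["file"])].append(ev)
    mismatches = []
    for (host, path), events in by_target.items():
        events.sort(key=lambda e: e["generated"])
        chain = [e["action"] for e in events]  # e.g. ['access denied', 'deleted']
        for ev in events:
            if ev["action"].lower() not in expected:
                mismatches.append({"host": host, "file": path, "event_id": ev["event_id"],
                                   "action": ev["action"], "chain": chain})
    return mismatches

if __name__ == "__main__":
    for m in find_policy_mismatches(SAMPLE_MAILS, {"access denied"}):
        print(f"{m['host']} {m['file']}: event {m['event_id']} -> {m['action']} (chain {m['chain']})")
```

Running it on the thread's two notifications reports event 21027 as the outlier, with the action chain access denied -> deleted for r_server.exe on PC016087, which is the discrepancy to compare against the 'When an unwanted program is found' actions before adding any exclusion.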
                      • 8. Re: RE: "unwanted" program deleted
                        serc09

                        Nobody has any ideas?