3 Replies Latest reply on Nov 13, 2009 8:19 AM by JoeBidgood

    Virus Severity Rating - Can you implement within a notification rule?

      We are currently rolling out ePO 4.0 and using the email notification rule for virus notification. We want to install some type of severity rating in the email body of the notification.

       

      Within the email body there is a category called {additionalinfo} which returns a certain value. In the live environment so far, this has resulted in viruses being detected with values of 3 and 4. I've researched the Threat Centre for additional information on these viruses encountered. Could anyone confirm whether the value of 3 (three) equates to a virus category of low and whether the value of 4 (four) equates to low profiled? Am I correct with the assumption that this {additionalinfo} category relates to the risk level of the virus?

       

       

       

      ePO 4.0 (Patch 4)

      VirusScan 8.7i (Patch 1)

      McAfee Agent 4.0 (Patch 1)

        • 1. Re: Virus Severity Rating - Can you implement within a notification rule?
          JoeBidgood

          eilirw wrote:


          Am I correct with the assumption that this {additionalinfo} category relates to the risk level of the virus?

           

          Not quite - as far as I know the {additionalinfo} field for detection events is mapped to the severity of the event, rather than the rating of the threat, as follows:

           

          1 - Informational

          2 - Warning

          3 - Low

          4 - Severe

           

          In terms of a detection, a virus that was detected and cleaned would be classified Low: a virus that was detected and not cleaned would be classified Severe.

           

          Regards -

           

          Joe

          • 2. Re: Virus Severity Rating - Can you implement within a notification rule?

            Thanks Joe for your reply, makes sense now what those values actually mean. Would you know if there is a mechanism of categorising the risk level of the virus within the notification, or would it still be the case to check the virus found on-line with the threat centre?

            • 3. Re: Virus Severity Rating - Can you implement within a notification rule?
              JoeBidgood

              As far as I know there is no way to do this - there is no information in the DATs that would allow the scanners to classify detections in this way, especially since the risk level can change.  I would always recommend checking anything you're unsure about on the threat centre.

               

              There's a huge number of potential detections, though, of which only a very small percentage have their risk level elevated - so checking everything that crosses your desk may be a full-time job. If you haven't already done so I would recommend signing up for the McAfee Labs security advisories: that way you will be notified when anything noteworthy happens.  The McAfee Labs blog and podcasts are also a good way of keeping abreast of new developments.

               

              Regards -

               

              Joe
