13 Replies Latest reply on Jan 20, 2010 4:29 PM by rstaton

    Email Notification for Dat

      Hello all,

      I would like an email notification for when a computer has failed to get a DAT update for 5 days.

       

      Right now I have the EPO task set to update a DAT to the agent every 6 hours, 24 hours a day.

       

      I have created a notification task such as:

       

      Name: Dat Deployment
      Notes:
      Defined at: My Organization
      Priority: High
      Status: Enabled
      Operating systems: Workstation, Server, Unknown
      Products: McAfee Agent
      Categories: Software deployment failed; Software failure or error; Update/upgrade failed
      Threat name: (Any)
      Aggregation: Send a notification if multiple events occur within 5 days
        - When the number of affected systems is at least 1
        - When the number of events is at least 20


      then of course the action to email me..

       

      However, I have been getting emails from users sporadically. I believe the Aggregation of at least 20 events is what's keeping this from working correctly..

      Are these 20 events resulting in a failure?  I have gotten an email notification within 2 hours from one user, and don't understand how 20 software updates have failed..

       

      Now that I think about it, these software upgrades are something different and have nothing to do with DATs?

       

      Can someone help me accomplish my task?  Thanks.

        • 1. Re: Email Notification for Dat
          jstanley

          This may prove difficult with a direct notification because they are based off of events, and 5 DAT update failures does not necessarily indicate the machine is 5 days out on its DAT (it may have failed 5 times in 1 day but succeeded the next day, for example).

           

          The simplest solution would be to set up an automated task that emails you the Compliance Summary Report (one of the default dashboard reports) and modify that report to indicate clients are out of date on DAT files if they are more than 5 versions behind the master repository. Then you will get 1 report emailed once a day (or however often you like) that lists all machines that are out of compliance.

           

          Another solution would be to schedule a server task that runs a VSE DAT compliance report (must be a boolean report) that generates compliance events. Then set up your notification based on the compliance report. This is slightly more complicated but I can provide more specific instructions if you need.
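
The difference between the two approaches in the reply above, as an added example that is not part of the original post: an event-count rule like the one in the question fires on a burst of retries and misses a system that never reports, while a version-lag check flags only systems whose DAT is actually behind. All system names, DAT versions and timestamps are constructed, and treating "within X versions of repository" as a lag of at most X is an assumption.

```python
from datetime import datetime, timedelta

MASTER_DAT = 5865                    # constructed master repository DAT version
NOW = datetime(2010, 1, 20, 12, 0)   # constructed "current" time


def event_rule_fires(events, now, window_days=5, min_events=20):
    """Event-count aggregation, as in the rule from the question."""
    cutoff = now - timedelta(days=window_days)
    failures = [ts for ts, succeeded in events if not succeeded and ts >= cutoff]
    return len(failures) >= min_events


def dat_noncompliant(system_dat, master_dat, max_lag=5):
    """State check: assumed reading of 'within X versions of repository'."""
    return master_dat - system_dat > max_lag


def build_samples(now):
    """Constructed systems: (timestamp, succeeded) update events plus DAT version."""
    retry_storm = [(now - timedelta(minutes=5 * i), False) for i in range(1, 25)]
    retry_storm.append((now, True))  # the update finally succeeds
    healthy = [(now - timedelta(hours=6 * i), True) for i in range(20)]
    return {
        "ws-retry-storm": {"events": retry_storm, "dat": MASTER_DAT},
        "ws-offline": {"events": [], "dat": MASTER_DAT - 9},
        "ws-healthy": {"events": healthy, "dat": MASTER_DAT},
    }


def compare(systems, now, master_dat):
    """Return {name: (event_rule_fired, dat_noncompliant)} for each system."""
    return {
        name: (event_rule_fires(s["events"], now), dat_noncompliant(s["dat"], master_dat))
        for name, s in systems.items()
    }


if __name__ == "__main__":
    for name, (alerted, stale) in compare(build_samples(NOW), NOW, MASTER_DAT).items():
        print(f"{name:15} event rule fired={alerted!s:5} DAT out of date={stale}")
```

The retry-storm system triggers the event rule within two hours while fully up to date, and the offline system, nine versions behind, never triggers it.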

          • 2. Re: Email Notification for Dat

            Sorry for the delay. Thanks for the reply, I would like your second option, and have an email sent to me if the DAT is 5 or more versions behind.  Only because I don't want an email spamming me every day.. Is this possible?

            I made a duplicate of the DAT deployment report so I can change it to boolean but it seems a little confusing on how to set it up..

            • 3. Re: Email Notification for Dat
              jstanley

              I warned you it's a bit complicated

               

              Here are the steps (assuming EPO 4.5):

              First modify the "VSE: Current DAT Adoption" to meet your needs (this is a boolean report):

              1- Log on to EPO

              2- Click Queries

              3- Select VirusScan Enterprise under Shared Groups

              4- Click Edit next to the VSE: Current DAT Adoption report

              5- Click Configure Criteria

              6- Change the value for "DAT Version (Virus Scan Enterprise) is within X versions of repository" from 1 to 5

              7- Click OK | Run | Save (give the report a different name if you don't want to overwrite the default report)

               

              Then create an automated task to run the report every day and generate a compliance event:

              1- Log on to EPO

              2- Click Menu | Automation | Server Tasks

              3- Click New task and give it a name and click Next

              4- Select "Run Query" for the action

              5- Click on the "..." and select the report you configured above

              6- Select "Generate Compliance Event" for the sub-action.

              7- Select "Specific number of target systems 1" if you want a notification for each event

              8- Click Next | Schedule the report to run at least once a day | Next | Save

               

              Finally create an Automatic Response to trigger when a compliance event is generated:

              1- Log on to EPO

              2- Click Menu | Automation | Automatic Responses

              3- Enable the default "Non-Compliant computer detected" notification

               

              Alternatively you could create your own automatic response but the default one should work fine.

              • 4. Re: Email Notification for Dat

                Thanks!  That's exactly what I was looking for!

                You my friend, are a genius!

                 

                • 5. Re: Email Notification for Dat

                  Hello,

                   

                  I have tried this method, and it seems that the event "Non-Compliant computer detected" is never created, though in the server task log it says a compliance event and a compliance history record were created.  I was trying to create a query to look for compliance events (I guess Event ID 16000 and/or 13001) that would perhaps be generated per computer, but I have hit a dead end.  My notification rule will never trigger even though the "Non-Compliant computer detected" is selected and I run and re-run my compliance server task.

                   

                  Any suggestions would be much appreciated.

                   

                  Regards,

                   

                  Charles

                  • 6. Re: Email Notification for Dat
                    jstanley

                    Again I would reiterate that a much simpler solution is to have the ePO: Compliance Summary report emailed to you once a day.

                     

                    If the notification is not triggering the first thing I'd look at is the "Thresholds" tab of your notification rule and make sure you meet the criteria to trigger the notification.

                     

                    The other thing you may want to look at is the Server Task which generates the compliance event. By default it is set to only generate a compliance event when a certain percentage of computers are out of compliance. Try changing it to Specific number of target systems: 1.

                    • 7. Re: Email Notification for Dat

                      Jeremy,

                       

                      Thanks for the quick reply.  Here is a tad more background: I manage several companies' AV through a central ePO server.  Whenever I have an un-handled threat on a machine, or any critical event generated by an endpoint, ePO emails a notification to our ticketing system with the name of the server, where the server is, the threat name, and the name of the responsible administrator group (hard-coded into the notification rule).  My tree is set up in such a way that I know that if the notification is generated in this part of the tree, it is supposed to go to the Windows Admins in Dallas, or in this other part of the tree it will go to Desktop Technicians in New York.  I use the compliance reports today, but what I really need is a way to generate notifications on a server by server basis for old DAT files, the absence of Anti-spyware, etc.  This way, when a machine is 3 DAT revisions old, an email notification is sent with the server name in it and my ticketing system can grab that server name and generate a ticket to the proper group.

                       

                      This may be a little too much for the forum, but if you have any other creative ideas, I would love to hear them.  I posed the question to Tier I Gold Support but got frustrated after 2 hours of going nowhere.

                       

                      Charles

                       

                      PS-my threshold is set to 1.

                      PPS-my ticketing system can't parse attachments easily (otherwise the server task could just send a CSV file of non-compliant systems).

                      • 8. Re: Email Notification for Dat
                        jstanley

                        There are two places you will want to check. Not only the threshold in the automatic response but also the server task that generates the compliance event. For the server task take a look at the middle set of instructions above.

                         

                        If you have the server task set to generate a compliance event for every computer and the automatic response is not throttled/aggregated in any way and you're still not generating any automatic responses then you may want to check the server task log and confirm that the server task is running successfully. Also manually run the report that the server task is using to generate the compliance event and confirm that it does indicate client machines are out of compliance.

                         

                        If none of the above is helping then perhaps something is going wrong with automatic responses in general. Do you have any automatic responses that are successfully triggering? Also it may be helpful to know what version of EPO you are using.

                         

                        I am sorry to hear that you were not getting any assistance from gold support. If you could provide me the case number I'd be happy to review it.

                        • 9. Re: Email Notification for Dat

                          Jeremy,

                           

                          Thanks again.  I can see you know exactly what I am trying to do.

                           

                          I went back over my server tasks that run my compliance queries.  If I have the server task send me an email with an attachment with drill down data, I get everything I need, but as you know, I am after a notification rule that sends alerts on a per server basis.  I have been using automatic notifications for quite a while, so I know the notification feature is working.

                           

                          My ePO version is 4.0.0.1221.  Do you think upgrading will address this issue?

                           

                          The SR# is 2-773181894.

                           

                          Your help is much appreciated,

                           

                          Charles

