1 Reply Latest reply on Apr 1, 2010 9:50 AM by dustrho

    ePO V4.5 On Access Automated Alerts Not Available??

    Keanhi

      G'day Everyone.

      Background to the issue.

      We had alert messages in ePO V3.6 and V4.0 ticking away nicely. Any time a forced scan, on demand scan, or the on access real time scanner found a virus.....bang, straight into my email.

      Updated to ePO v4.5 and found an entire new world of pain...the very granular way you can pump out automated alerts to warn of messages seems very bogged down and, to me at least, downright confusing.

      Now, I can get alert messages if I force a scan on all our PCs in the fleet. While I think the list of variables in the filtering is a bit of a dog....at least I can get something.

      The really major concern I have is not receiving any alerts via On Access Real Time Scanning. Personally this gives me more current and up to date warnings than doing a scan.....reason...if I scan all of our fleet's PCs every day the clients get really peeved, call my boss who tells me to turn it off.......so the full scans on PCs are only once a week. Real Time scanning picks up the issue straight away and gives me an indication of an outbreak.

      However, no matter what Automated Alert variables/filters I select...and I've tried nearly all of them....I cannot get an alert message from an On Access real time scan event.

      I know the PCs pick up viruses and on access is working. I have a test virus and when I do an on demand scan it sends an alert message. However, if I let the on access scan detect it....nothing....it shows up in the on access scanner log....but no alert emails.

      This one is surely bugging me and I'm not getting any resolution from the Tech lads in New Delhi....6 hours logged in remotely to our setup with the online support and no solution.

      Any help would be appreciated.

      Signed.
      Keith
      Lost in McAfee ePO v4.5

        • 1. Re: ePO V4.5 On Access Automated Alerts Not Available??
          dustrho

          Here's how I have on-access scanning alerts (aka automatic responses) configured in my office...

          Description Tab:
          1) event = ePO notification events
          2) event type = threat

          Filter Tab:
          1) threat category = belongs to "malware detected" and "malware detected using heuristics"
          2) threat handled = I have alerts for true so I receive everything in email form and false that goes to our floor support to remediate

          Aggregation Tab:
          1) aggregation = trigger this response for every event
          2) throttling = at most, trigger this response once every 15 minutes

          Actions Tab:
          1) send email (see subject and body I use in my environment below)

          EMAIL CODE / SUBJECT

          Threat Handled ({threatHandled}) - {targetHostName}

          EMAIL CODE / BODY

          A virus was detected on {targetHostName}. If the affected computer is located in your office, please have your local user support resource investigate this issue as soon as possible.

          COMPUTER INFORMATION:
          Hostname: {targetHostName}
          IP Address: {targetIPV4}
          Last Logged in User: {targetUserName}

          EVENT DETAILS:
          Number of Events: {count}
          First Event Time: {detectedUTC}
          Threat Type: {threatType}
          Threat Name: {threatName}
          Event ID: {threatEventID}
          Threat Handled: {threatHandled}
          Event Description: {eventDesc}
          Affected Objects: {targetFileName}

          Having the alerts configured that way provides the most information to quickly remediate an infected computer. And one thing worth mentioning is to have your McAfee Agent configured to have those computers check back into ePO at least every 60 minutes. Your ePO server will not send out an alert until after the affected computer sends its event history up to ePO, which in our office occurs every 60 minutes.

          Let me know if any of that helps you or not.
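The following is an added example, not code from the post above or from McAfee: a small Python simulation of the automatic response dustrho describes (filter on threat category, one rule per "threat handled" value, 15-minute throttle, the same subject/body template) run over a few constructed on-access events. It makes the last caveat concrete: an event detected at 09:05 is not visible to ePO until the agent's next check-in, so with a 60-minute interval the email cannot go out before 10:00. The event dictionaries, the on-the-hour check-in schedule and the assumption that throttled events are simply suppressed are all mine and do not reflect ePO's real event schema or throttling semantics.

```python
"""Constructed simulation of an ePO 4.5 automatic response (not McAfee code).

Assumptions (not from the post or from ePO documentation):
- events are plain dicts using the template placeholder names as keys;
- the agent forwards events at fixed 60-minute boundaries (on the hour);
- an event inside the throttle window is suppressed, not aggregated.
"""
from datetime import datetime, timedelta

# Filter Tab: display names of the threat categories the response listens for.
MATCHING_CATEGORIES = {"malware detected", "malware detected using heuristics"}
# Aggregation Tab: at most one response per rule every 15 minutes.
THROTTLE = timedelta(minutes=15)
# Agent-to-server communication interval from the post (60 minutes).
ASCI = timedelta(minutes=60)

SUBJECT = "Threat Handled ({threatHandled}) - {targetHostName}"
BODY = """A virus was detected on {targetHostName}.

COMPUTER INFORMATION:
Hostname: {targetHostName}
IP Address: {targetIPV4}
Last Logged in User: {targetUserName}

EVENT DETAILS:
Number of Events: {count}
First Event Time: {detectedUTC}
Threat Type: {threatType}
Threat Name: {threatName}
Event ID: {threatEventID}
Threat Handled: {threatHandled}
Event Description: {eventDesc}
Affected Objects: {targetFileName}
"""


def next_checkin(detected, interval=ASCI):
    """Time the agent forwards the event: the next interval boundary after detection
    (assumption: check-ins fall on multiples of the interval since a fixed epoch)."""
    epoch = datetime(2010, 1, 1)
    periods = (detected - epoch) // interval + 1
    return epoch + periods * interval


def run_responses(events):
    """Apply the filter, per-rule throttle and email template; return the mails sent."""
    last_fired = {}  # rule name -> time the rule last sent a mail
    mails = []
    # ePO only sees an event once the agent has uploaded it, so order by arrival.
    arrivals = sorted(((next_checkin(e["detectedUTC"]), e) for e in events),
                      key=lambda pair: pair[0])
    for arrived, event in arrivals:
        if event["threatCategory"] not in MATCHING_CATEGORIES:
            continue  # Filter Tab: category does not match
        # Two rules in the post: handled=True -> admin mail, handled=False -> floor support.
        rule = "admin" if event["threatHandled"] else "floor-support"
        last = last_fired.get(rule)
        if last is not None and arrived - last < THROTTLE:
            continue  # Aggregation Tab: throttled (assumed suppressed outright)
        last_fired[rule] = arrived
        # "Trigger for every event" means each mail covers exactly one event.
        fields = dict(event, count=1, detectedUTC=event["detectedUTC"].isoformat())
        mails.append({
            "rule": rule,
            "sent": arrived,
            "delay_minutes": (arrived - event["detectedUTC"]) // timedelta(minutes=1),
            "subject": SUBJECT.format_map(fields),
            "body": BODY.format_map(fields),
        })
    return mails


def sample_events():
    """Constructed on-access detections; hostnames, IDs and paths are invented."""
    t0 = datetime(2010, 4, 1, 9, 5)  # detected 09:05, next check-in 10:00
    common = dict(threatType="virus", threatName="EICAR test file",
                  eventDesc="On-access scan detected", targetUserName="kbrown",
                  threatCategory="malware detected")
    return [
        dict(common, detectedUTC=t0, targetHostName="WS-101", targetIPV4="10.1.1.101",
             threatHandled=True, threatEventID=1, targetFileName=r"C:\Temp\eicar.com"),
        # same rule three minutes later: falls inside the 15-minute throttle window
        dict(common, detectedUTC=t0 + timedelta(minutes=3), targetHostName="WS-102",
             targetIPV4="10.1.1.102", threatHandled=True, threatEventID=2,
             targetFileName=r"C:\Temp\eicar.com"),
        # not handled: separate rule, so it still fires
        dict(common, detectedUTC=t0 + timedelta(minutes=4), targetHostName="WS-103",
             targetIPV4="10.1.1.103", threatHandled=False, threatEventID=3,
             targetFileName=r"C:\Users\kbrown\Downloads\eicar.com"),
        # wrong category: filtered out before any rule runs
        dict(common, detectedUTC=t0 + timedelta(minutes=6), targetHostName="WS-104",
             targetIPV4="10.1.1.104", threatHandled=True, threatEventID=4,
             threatCategory="policy enforcement", targetFileName="-"),
    ]


if __name__ == "__main__":
    for mail in run_responses(sample_events()):
        print(f"[{mail['rule']}] {mail['sent']:%H:%M} (+{mail['delay_minutes']} min) "
              f"{mail['subject']}")
```

Running it sends two mails, both at 10:00: the handled WS-101 event (55 minutes after detection) and the unhandled WS-103 event; WS-102 is throttled and WS-104 filtered. Shortening ASCI in `next_checkin` shows directly how the check-in interval, not the response rule, bounds alert latency for on-access detections.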