10 Replies Latest reply on Apr 15, 2010 7:31 AM by bostjanc

    sending e-mails on detected viruses

    bostjanc

      Hi there!

       

      We are using ePO 4.5 and VirusScan Enterprise 8.7.

      A user has received a pop-up message that the McAfee scanner found a trojan and has deleted it. How can I set it up so that our sys department will receive messages in these cases?

      Can someone tell me step by step?

       

      Thank you a lot!

       

      With best regards,

        • 1. Re: sending e-mails on detected viruses
          goppetm

          Hello bostjanc,

           

          I will try to give you a short overview.

          I don't have to mention that the communication between your clients and your ePO server is working.

           

          1.) Make sure that you configured a mail server

          Menu - Configuration - Server Settings - Email Server

           

          2.) Make sure that your ePO server is allowed to send mails to your configured Email server.

           

          3.) You can send mails only to persons configured in the ePO server.

          You can configure a user here:

          a) Menu - User Management - Contacts (for users where no ePO login account is needed)

          b) Menu - User Management - Users (users generated here will be displayed in the contacts as well)

           

          4.) Now you can generate your automatic response

          Menu - Automation - Automatic Response - Actions - New Response

          1 Description:

          a) Name: Choose a Rule name

          b) Description: Choose a Description

          c) Language: Choose a Language

          d) Event: Event group: "ePO Notification Events"

                        Event type: Threats

          e) Status: I suggest disabling the response until you have finished configuring it

          2 Filter

          a) Defined at: choose the location where the rule should be applied to

          b) Choose Threat Category (e.g. belongs to "malware detection" or belongs to malware detection using heuristics)

          3 Aggregation

          a) Caution! If you do not use aggregation and throttling you can generate a DoS attack on your mail server by sending many mails in case of a massive file infection on a client or server

          4 Actions

          a) Choose "Send Email"

          b) Choose your recipients, subject and your body by inserting text combined with the given variables

           

          5.) Save your automatic response and do not forget to activate it!

           

          You can check the server task log to see any responses sent.

           

          Regards, Tim

          • 2. Re: sending e-mails on detected viruses
            bostjanc

            Tim!

             

            Thank you: http://dagobah.biz/flash/thank_you.swf

             

            With best regards

            • 3. Re: sending e-mails on detected viruses
              bostjanc

              Tim Goppelt

               

              If I have understood you right, your step-by-step instructions will help me to create a rule which will send me an e-mail only in case a virus has been detected and removed. I would also like to be informed by e-mail when the threat hasn't been removed (in other words: someone is spreading a virus in the company, you should run and hide).

               

              I saw that McAfee already has a template of automatic response called "Malware detected and not handled", so I am also testing that rule at the moment.

               

              But I have one more question. I would like to be informed exactly which file has been infected (for example C:\program files\pdfcreator.exe), but I didn't find this variable option in the action tab.

               

              Currently I have set up an e-mail to look like this:

               

              McAfee found threat:

              The most important thing to know --> what has been done; if it was removed or not: {listOfThreatActionTaken}
              Which computers are/were infected: {listOfTargetHostName}
              How many viruses were there: {count}
              The name of viruses: {listOfThreatName}

              Which files were infected: ????????????????????

               

              What else would you suggest putting in the e-mail for good administrator observation?

               

               

              Message was edited by: bostjanc on 4/14/10 9:55:27 AM GMT+01:00

              • 4. Re: sending e-mails on detected viruses
                goppetm

                Have you tried this one?

                Target files: {listOfTargetFileName}

                 

                 

                We are using the following parameters. But sometimes (for many detections) this can be a little bit confusing.

                 

                Affected system(s): {listOfAnalyzerHostName}

                System(s) located at: {listOfNodeTextPath}

                Affected IP address: {listOfAnalyzerIPV4}

                Sum of affected system(s): {distinctCountOfAnalyzerHostName}

                Alert: {listOfEventDesc}

                Alert summation: {distinctCountOfEventDesc}

                Target files: {listOfTargetFileName}

                Sum of target files: {distinctCountOfTargetFileName}

                McAfee-Product: {listOfAnalyzer}

                Threat or rule: {listOfThreatName}

                Detection time list: {listOfDetectedUTC}

                 

                Regards, Tim

                • 5. Re: sending e-mails on detected viruses
                  bostjanc

                  Thank you for your reply. I will give it a try.

                   

                  With best regards,

                  • 6. Re: sending e-mails on detected viruses
                    bostjanc

                    Hi Tim!


                    I am about to finish these e-mail actions. Only one more question: is it possible to get information on which user is logged on to that computer?

                    That will help us to react very fast if we know who the user of the computer where the virus was is.

                    With best regards,

                    • 7. Re: sending e-mails on detected viruses
                      goppetm

                      Sorry, we do not use this information in our notifications and we never tested it. But have you tried {listOfTargetUserName} yet?

                      But if nobody is logged on to a system or the OnDemand scan found an infection, the logged user will be <localsystem> or the account under which you run your McAfee services.

                      By the way, talking about logged users: in my opinion McAfee changed the behaviour of logging the last logged on user. If a system is running with currently no logged on user and the agent sends props to the server, the last logged on user property is empty. This behaviour changed from ePO 3.6.1 to ePO 4.5.

                       

                      Regards, Tim

                      • 8. Re: sending e-mails on detected viruses
                        bostjanc

                        Thank you for the answer.

                         

                        I noticed that when the mail comes, the timestamp is 2 hours behind. We live in the GMT+1 area, and the time on the server is set right. Why does this happen and can we change this?

                        • 9. Re: sending e-mails on detected viruses
                          goppetm

                          In my opinion ePO 4.5 always uses UTC time from the node where the event took place. Sorry, I don't know if this can be changed.

                          But I think this was different in ePO 3.6.1.

                          And there are two variables used for detection time in ePO 4.5:

                          {listOfDetectedUTC} and {listOfReceivedUTC}. If you use the receivedUTC there can be a delay compared to the detectedUTC.

                           

                          Regards, Tim
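Added example, not from this thread and not McAfee's code: a small Python simulation of the three points Tim raised, the aggregation/throttling step from reply 1 (one mail per window instead of one per detection), the {listOf...}/{distinctCountOf...} variables from reply 4, and the UTC-to-local conversion behind reply 9. The events, host names and file paths are constructed, and the +2 hour offset assumes CEST (GMT+1 with summer time, which is why the mails in April look 2 hours behind).

```python
from datetime import datetime, timedelta, timezone
EVENTS = [  # constructed sample burst, one dict per detection (not real ePO data)
    {"detected_utc": "2010-04-14 07:55:27", "host": "PC-0815",
     "file": r"C:\Program Files\pdfcreator.exe", "threat": "Generic.dx", "action": "Deleted"},
    {"detected_utc": "2010-04-14 07:55:31", "host": "PC-0815",
     "file": r"C:\Temp\setup.tmp", "threat": "Generic.dx", "action": "Delete failed"},
    {"detected_utc": "2010-04-14 09:30:00", "host": "FS-01",
     "file": r"D:\share\invoice.exe", "threat": "W32/Sality", "action": "Deleted"},
]

def parse_utc(ts):  # ePO records DetectedUTC in UTC; attach the zone so conversion is explicit
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def batch(events, window_minutes=5):
    """Aggregation/throttling: one mail per time window instead of one mail per detection."""
    batches = []
    for e in sorted(events, key=lambda e: e["detected_utc"]):
        t = parse_utc(e["detected_utc"])
        if batches and t - parse_utc(batches[-1][0]["detected_utc"]) <= timedelta(minutes=window_minutes):
            batches[-1].append(e)  # still inside the open window: fold into the pending mail
        else:
            batches.append([e])     # window expired: this detection opens a new mail
    return batches

def summarize(events, local_offset_hours=2):
    """Values named after the ePO variables; +2 assumes CEST (GMT+1 plus DST in April)."""
    tz = timezone(timedelta(hours=local_offset_hours))
    return {
        "count": len(events),
        "listOfAnalyzerHostName": sorted({e["host"] for e in events}),
        "distinctCountOfAnalyzerHostName": len({e["host"] for e in events}),
        "listOfTargetFileName": [e["file"] for e in events],
        "distinctCountOfTargetFileName": len({e["file"] for e in events}),
        "listOfThreatName": sorted({e["threat"] for e in events}),
        "listOfThreatActionTaken": sorted({e["action"] for e in events}),
        "listOfDetectedUTC": [e["detected_utc"] for e in events],
        "listOfDetectedLocal": [parse_utc(e["detected_utc"]).astimezone(tz).strftime("%H:%M:%S %z") for e in events],
        "unhandled": [e["file"] for e in events if e["action"] != "Deleted"],
    }

def render(s):  # mail body in the style of the thread's template; unhandled files get their own line
    lines = [f"McAfee found {s['count']} threat event(s) on {s['distinctCountOfAnalyzerHostName']} host(s)",
             f"Hosts: {', '.join(s['listOfAnalyzerHostName'])}; threats: {', '.join(s['listOfThreatName'])}",
             f"Action taken: {', '.join(s['listOfThreatActionTaken'])}",
             f"Detected (local time): {', '.join(s['listOfDetectedLocal'])}",
             "Target files:"] + [f"  {f}" for f in s["listOfTargetFileName"]]
    if s["unhandled"]:
        lines.append("NOT HANDLED: " + ", ".join(s["unhandled"]))
    return "\n".join(lines)
```

With the sample burst, the two detections on PC-0815 collapse into one mail that flags the file whose deletion failed, and the later FS-01 detection becomes a second mail.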
