5 Replies Latest reply on Jun 24, 2010 8:27 AM by kami88

    EPO 4.5 Automatic Responses

      Hi all,

      A few weeks ago we moved from EPO 4.0 to 4.5.

      In EPO 4.0 we received emails when a virus was detected on a client with the antivirus software installed.

      Now in EPO 4.5 we don't receive those mails anymore.

      I tried to create an automatic response, but I only receive mails like this:

      -------------

      ePolicy Orchestrator Notification
      Response Name: Malware detected and not handled
      Event Type Name: Threat
      Defined at: My Organization
      System Location: GlobalRoot\Directory\Inactive Agents
      Description: Sends an e-mail notification when "Malware detected and not handled" events are received.

      Number of events: 1
      Source IPV6 addresses: X
      Source IPV4 addresses: X
      Threat Names:
      Detecting Product Names: VirusScan Enterprise
      Target File C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Db\Agent_F002.xml
      none

      -------------

      How can I get this back, so that I receive emails when a virus is detected?

      Any help is welcome!

      Thanks

        • 1. Re: EPO 4.5 Automatic Responses
          jmcleish

          How about creating a response like this one:

          Event group: epo notification events
          event type: threat

          Filter:
          defined at - system is in group or subgroup /my organisation
          threat category: belongs to malware detected or
          belongs to malware detected using heuristics

          Aggregation:
          trigger a response for every event

          actions:
          send email

          enter email address for recipients
          subject:
          {threatName} detected on {analyzerHostName}

          Body:
          Virus detected on
          Computer: {analyzerHostName}
          IP: {listOfAnalyzerIPV4}
          Time: {detectedUTC}

          File Name: {targetFileName}
          Threat Name: {threatName}
          Action Taken: {threatActionTaken}

          Product:{analyzer}
          Dats: {analyzerDATVersion}
          Engine: {analyzerEngineVersion}
          Detection Method: {analyzerDetectionMethod}

          Source host name: {sourceHostName}
          Source IP: {sourceIPV4}
          Source process name: {sourceProcessName}
          Source UserName: {sourceUserName}
          -------

          • 2. Re: EPO 4.5 Automatic Responses

            Hi,

            Thanks for your fast reply!

            I'll try this out and let you know what my result is.

            • 3. Re: EPO 4.5 Automatic Responses

              Hi jmcleish,

              I tried your suggestion and now I'm receiving a lot of mails about virus warnings, but also non-virus-related mails like this:

              ==========

              Virus detected on
              Computer:
              IP:
              Time: 06/24/10 06:22:53 UTC

              File Name: \REGISTRY\MACHINE\SOFTWARE\McAfee\McTray
              Threat Name: Algemene standaardbeveiliging:Voorkomen dat bestanden en instellingen van McAfee Common Management Agent worden gewijzigd
              Action Taken: deny create

              Product:VIRUSCAN8600
              Dats:
              Engine:
              Detection Method: OAS

              Source host name:
              Source IP:
              Source process name: C:\windows\Explorer.EXE
              Source UserName:

              ==========

              Or this:

              ==========

              Virus detected on
              Computer:
              IP:
              Time: 06/24/10 06:43:06 UTC

              File Name: C:\Lotus\Notes\NCDaemon.exe
              Threat Name: Common Standard Protection:Prevent termination of McAfee processes
              Action Taken: deny terminate

              Product:VIRUSCAN8700
              Dats:
              Engine:
              Detection Method: OAS

              Source host name:
              Source IP:
              Source process name: C:\Lotus\Notes\nsd.exe
              Source UserName:

              ==========

              Do you have any suggestions for this? Can I filter those messages out, because this is nothing to do with a virus?

              Thanks!

              • 4. Re: EPO 4.5 Automatic Responses
                jmcleish

                Sorry, I have this one running on my servers, so I have not had these.

                Try changing the

                threat category:
                belongs to malware detected or
                belongs to malware detected using heuristics

                to

                Threat type
                equals, and add in the names of the detections
                (just like the filter in the default query "all threats detected in the last 7 days")
                and threat name value is not blank.

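An added example, not McAfee's code or anything posted in this thread: it models the "send email" response from reply 1 together with the tightened filter suggested in reply 4 (threat type equals a detection type, threat name not blank) over constructed ePO-style events, so you can see which events would still produce mail. The event field names, threat-type values and sample events are assumptions, not ePO's real identifiers.

```python
# Added example (not McAfee's code): reply 4's filter and reply 1's e-mail
# template over constructed ePO-style events; field names are assumptions.
SUBJECT = "{threatName} detected on {analyzerHostName}"
BODY = """Virus detected on
Computer: {analyzerHostName}
IP: {listOfAnalyzerIPV4}
Time: {detectedUTC}
File Name: {targetFileName}
Threat Name: {threatName}
Action Taken: {threatActionTaken}
Product:{analyzer}
Source process name: {sourceProcessName}"""
# "Threat type equals ..." list from reply 4; constructed placeholder values,
# not ePO's real threat-type identifiers.
NOTIFY_TYPES = {"virus", "trojan", "potentially unwanted program"}

class Blank(dict):
    """Render missing placeholders as empty, like the blank fields in the thread."""
    def __missing__(self, key):
        return ""

def should_notify(event):
    """Reply 4's filter: a real detection type and a non-blank threat name."""
    return (event.get("eventType") == "Threat"
            and event.get("threatType", "").lower() in NOTIFY_TYPES
            and event.get("threatName", "").strip() != "")

def render(event):
    """Fill the subject/body template as the 'send email' action would."""
    fields = Blank(event)
    return SUBJECT.format_map(fields), BODY.format_map(fields)

def notifications(events):
    """(subject, body) pairs for every event that passes the filter."""
    return [render(e) for e in events if should_notify(e)]

# Constructed sample events: one malware detection and one Access Protection
# rule hit shaped like the unwanted mail quoted in reply 3.
EVENTS = [
    {"eventType": "Threat", "threatType": "virus", "threatName": "EICAR test file",
     "analyzerHostName": "WS01", "listOfAnalyzerIPV4": "10.0.0.5",
     "detectedUTC": "06/24/10 06:10:00 UTC", "targetFileName": r"C:\Temp\eicar.com",
     "threatActionTaken": "deleted", "analyzer": "VIRUSCAN8700"},
    {"eventType": "Threat", "threatType": "access protection",
     "threatName": "Common Standard Protection:Prevent termination of McAfee processes",
     "detectedUTC": "06/24/10 06:43:06 UTC", "targetFileName": r"C:\Lotus\Notes\NCDaemon.exe",
     "threatActionTaken": "deny terminate", "analyzer": "VIRUSCAN8700",
     "sourceProcessName": r"C:\Lotus\Notes\nsd.exe"},
]
```

Running `notifications(EVENTS)` yields one mail for the malware detection and none for the Access Protection event; a placeholder with no matching field renders empty, which is why the mails in reply 3 had blank Computer and IP lines.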
                • 5. Re: EPO 4.5 Automatic Responses

                  OK, thanks! I'll try this out.