7 Replies Latest reply on Jul 15, 2010 12:22 AM by Attila Polinger

    Automatic responses in ePO 4.5

      Hello,

      We recently migrated to ePO 4.5 from ePO 4.0. This was an in-place upgrade. When the migration completed, we saw that the notification rules did not get migrated, and there was no option to export them from ePO 4.0 and import them into ePO 4.5.

      So we recreated all the rules in "automatic responses" in ePO 4.5; however, it does not work. It is not sending any emails for the virus detection rule, and it only sends email for the "Software deployment failed" rule.

      The response is also a little weird.

      Has anyone had this problem? Please suggest.

      Thanks and Regards,

      Lal

        • 1. Re: Automatic responses in ePO 4.5
          Attila Polinger

          Hello Lal,

          Unfortunately, the migration of Responses and Notifications was not supported, as stated in the ePO 4.5 readme.htm. I suppose you have not recorded the settings of your past Responses or Notifications and have now started anew.

          Would you please detail what Notification needs you actually have, so we can help with troubleshooting?

          Attila

          • 2. Re: Automatic responses in ePO 4.5

            Hi Attila,

            Thank you very much for your prompt response, like last time.

            I had noted down the settings before migrating; however, the queries are different and there are some additional settings in ePO 4.5.

            I would appreciate it if you could please help.

            If you want the screenshots of the settings, I can upload them as a Word document.

            Thanks,

            Lal

            • 3. Re: Automatic responses in ePO 4.5
              Attila Polinger

              Hi Lal,

              Yes, screenshots in a Word doc would be fine. I would also recommend detailing in a few substantive words what you want to achieve in each response (like "I'd like to get notified when a virus was detected that was not cleaned", etc.).

              Thank you.

              Attila

              • 4. Re: Automatic responses in ePO 4.5

                Hi Attila,

                Please find the attached screenshot for details.

                I have just taken screenshots of two automatic response settings at our end.

                For the query "Virus detected and not handled" I have tried "Centralized alerting", "Malware detected" and "Virus detected and not removed", but none of them seem to send a notification.

                The only notification we get is for software deployment failed, and I have checked the settings for "Actions to send email"; they are the same for both the virus detected and software deployment notifications.

                Please suggest.

                Thanks and Regards,

                Lal

                • 5. Re: Automatic responses in ePO 4.5
                  Attila Polinger

                  Hi Lal,

                  I would narrow the problem down to two possible reasons (that occur to me now): the first is email sending and the second is the event response problem.

                  Email sending: I assume that sending email works from within ePO 4.5, but perhaps not for these particular response recipients. Please set up email sending for a test and send an email to both parties (one at a time) that you have as recipients on this response, and check if they receive it.

                  Event response problem: please check if such events are actually created in the database (and for the nodes in the region that you used). Create a query from Events and use the filter "Threat handled = false" only. Change the scope from Western Region to My Organization, etc. Use these individually and together in the same report to better screen the events.

                  (Perhaps every threat is "handled" in the category "malware detected". Try adding "Malware detected by heuristics", too.)

                  (You might want to make sure that you have the latest reporting extension checked in for VirusScan before anything else. It's 1.1.0.146 on my system.)

                  You can also remove throttling and reinstate it after the response works.

                  Attila

                  • 6. Re: Automatic responses in ePO 4.5

                    Hi Attila,

                    Thanks for your email.

                    Before we got your email, we were trying to isolate the problems.

                    I tried emailing only one of the email addresses and it still did not work. When we tested with port 25 and the Exchange server settings, both my colleague and I received the email. It is only the "automatic responses" which we do not receive.

                    After altering the query filters as you recommended, by having only "threats removed --> False", it seems to send us one or two emails. But it is still not as perfect as it was in ePO 4.0.

                    It is catching its own McAfee DAT, XML and log files as having a virus, and not showing the name of the threat even though I included that field in the query.

                    Thanks,

                    Lal

                    • 7. Re: Automatic responses in ePO 4.5
                      Attila Polinger

                      Hi Lal,

                      As for the own files having infection: these might just be "Scan Timed Out" events (for which a virus name is not recorded, understandably), which you can check if you add the Event Description to the Detailed report and, when you run the report that fetches such records, click on one of them. If that really is a scan timing out, then you could add this event code to the filter as "not equals".

                      I remember having seen errors regarding email sending problems in orion.log. When you test sending emails from within ePO and do not receive them, please check out this log in the \Program Files\McAfee\ePolicy Orchestrator\Server\Logs directory.

                      Also, if you have the chance, run the report query directly against the ePO database (in an SQL client) to see if it really has more hits than in the ePO response, or equally as many.

                      Attila
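As an added example (not part of the thread or of ePO's own reports), here is the kind of query one would run in a SQL client against the ePO database, as reply 7 suggests, to reproduce the "Threat handled = false" filter, show the threat name and event code, and exclude the "Scan Timed Out" event code. The table and column names (dbo.EPOEvents, ThreatHandled, ThreatEventID, ThreatName, TargetHostName, DetectedUTC) and the @ScanTimedOutEventID placeholder are assumptions; adjust them to the schema your ePO server actually has.

```sql
-- Added example, not from the thread. ASSUMED schema: dbo.EPOEvents with
-- DetectedUTC, TargetHostName, ThreatName, ThreatEventID, ThreatHandled (bit).
-- The "Scan Timed Out" event code is not given in the thread: read it from the
-- Event Description of one such record and put it in the placeholder below.
DECLARE @ScanTimedOutEventID INT;
DECLARE @Since DATETIME;
SET @ScanTimedOutEventID = 0;                      -- PLACEHOLDER: real event code
SET @Since = DATEADD(DAY, -7, GETUTCDATE());       -- look back one week

-- 1. Detail view: unhandled threats, with the event code so that
--    "Scan Timed Out" records can be recognised and then excluded.
SELECT  e.DetectedUTC,
        e.TargetHostName,
        e.ThreatName,
        e.ThreatEventID
FROM    dbo.EPOEvents AS e
WHERE   e.ThreatHandled = 0                        -- "Threat handled = false"
  AND   e.DetectedUTC >= @Since
  AND   e.ThreatEventID <> @ScanTimedOutEventID    -- the "not equals" filter
ORDER BY e.DetectedUTC DESC;

-- 2. Hit count per event code, to compare with the hit count of the ePO
--    response ("more hits, or equally as many"). Rows without a ThreatName
--    are the candidates for events that are not real detections.
SELECT  e.ThreatEventID,
        COUNT(*) AS Hits,
        SUM(CASE WHEN e.ThreatName IS NULL OR e.ThreatName = ''
                 THEN 1 ELSE 0 END) AS HitsWithoutThreatName
FROM    dbo.EPOEvents AS e
WHERE   e.ThreatHandled = 0
  AND   e.DetectedUTC >= @Since
GROUP BY e.ThreatEventID
ORDER BY Hits DESC;
```

If the second query returns an event code whose rows all lack a ThreatName, that is the code to put into the placeholder and into the ePO query's "not equals" filter.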