3 Replies Latest reply on Sep 22, 2010 10:08 AM by scoutt

    Multiple responses to a single task

    scoutt

I have some automated responses set up and they all send multiple emails about the exact same thing at the exact same time. One for instance is the OnDemand scan. I have it set to email me if it found items. That works fine, but it sends 2 emails per 1 task. I changed the aggregation set to send me an email once every 1 minute. So it sends the same email 3 minutes apart, but the exact same time for the detection is in both emails.


      Category : Task ended

      Virus Detected: none

      Event :   1038
      Event Action : none
      Event Description : Scan found infected files.
      Affected Object : 
      Detection occured at : 09/16/10 16:20:52 UTC

      Affected Computers :  MXM73505RQ
      Affected IP Addresses :  10.43.40.37

      Detection Method : VirusScan Enterprise

      ePolicy Orchestrator Notification Rule:

      For additional information, see the Notification Log in the ePolicy Orchestrator console.

I got that exact same email 2 minutes apart. Why is it sending it twice? And is there any way to change that UTC time? It is not even the correct time. It shows 4:20pm while the email was sent at 9:20 am. The servers' times are good and updated daily. Same with the users' PCs. All times are correct.


The filter is set to Threat Event ID == 1038

      Screen shot of the aggregation settings. Nothing special set.


I believe the responses are generated from the Threat event log on the server. This event was in the log only once, so why did I get 2 responses?


      We have 4.5 build 937 patch 3 I believe

        • 1. Re: Multiple responses to a single task
          scoutt

          Nobody have any idea?

          • 2. Re: Multiple responses to a single task
            Attila Polinger

            Please check that the client is not sending two events of the same kind, therefore resulting in two events in the database for the same Event ID, thus justifying the duplicate emails.


Might sound crazy, but I suspect there could be two events generated, one of which like that: "Infected files were found" and the other "Scan found and cleaned infected files" or the like.


            You can check all the events for this particular client in the database around the timestamp you cite here and then if my theory is true, you can decide to suppress one of the events.


            Attila
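As an added illustration (not from the thread and not McAfee's own tooling), the script below does the check Attila describes on two constructed notification bodies modelled on the one quoted above: it parses the `Key : value` lines, keys each notification on event ID, affected computer and detection time to show that both copies refer to one event, and converts the UTC detection timestamp to local time. The `Sent:` header line is a hypothetical addition used to record when each copy arrived, and the UTC-7 offset is an assumption chosen to match the 7-hour gap the poster reports between 16:20 UTC and 9:20 am.

```python
"""Parse ePO-style notification bodies, flag duplicate events, convert UTC times."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one event body, sent twice a few minutes apart.
_EVENT_BODY = """\
Category : Task ended
Virus Detected: none
Event :   1038
Event Action : none
Event Description : Scan found infected files.
Affected Object :
Detection occured at : 09/16/10 16:20:52 UTC
Affected Computers :  MXM73505RQ
Affected IP Addresses :  10.43.40.37
Detection Method : VirusScan Enterprise
"""

# "Sent:" is a hypothetical header recording local delivery time of each copy.
SAMPLE_EMAILS = [
    "Sent: 09/16/10 09:20:55\n" + _EVENT_BODY,
    "Sent: 09/16/10 09:23:41\n" + _EVENT_BODY,
]

_FIELD_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*)$")

# Assumed local offset (UTC-7); adjust to the server's real time zone.
LOCAL_TZ = timezone(timedelta(hours=-7))


def parse_notification(body: str) -> dict[str, str]:
    """Turn 'Key : value' lines into a dict; blank lines are skipped."""
    fields: dict[str, str] = {}
    for line in body.splitlines():
        match = _FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields


def dedupe_key(fields: dict[str, str]) -> tuple[str, str, str]:
    """Identity of the underlying threat event: ID, host, detection time."""
    return (
        fields.get("Event", ""),
        fields.get("Affected Computers", ""),
        fields.get("Detection occured at", ""),
    )


def find_duplicates(bodies: list[str]) -> dict[tuple[str, str, str], list[str]]:
    """Map each event key to the Sent times of the copies, keeping only repeats."""
    groups: dict[tuple[str, str, str], list[str]] = defaultdict(list)
    for body in bodies:
        fields = parse_notification(body)
        groups[dedupe_key(fields)].append(fields.get("Sent", ""))
    return {key: sent for key, sent in groups.items() if len(sent) > 1}


def send_spread_seconds(sent_times: list[str]) -> int:
    """Seconds between the earliest and latest copy of the same notification."""
    stamps = [datetime.strptime(s, "%m/%d/%y %H:%M:%S") for s in sent_times]
    return int((max(stamps) - min(stamps)).total_seconds())


def utc_to_local(text: str, tz: timezone = LOCAL_TZ) -> str:
    """Convert '09/16/10 16:20:52 UTC' into the same instant in the local zone."""
    utc_dt = datetime.strptime(text, "%m/%d/%y %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return utc_dt.astimezone(tz).strftime("%m/%d/%y %H:%M:%S")


if __name__ == "__main__":
    for key, sent in find_duplicates(SAMPLE_EMAILS).items():
        event_id, host, detected = key
        print(f"event {event_id} on {host} detected {detected} "
              f"(local {utc_to_local(detected)}) delivered {len(sent)} times, "
              f"{send_spread_seconds(sent)} s apart: {sent}")
```

Run against real notification bodies, a single key with several delivery times confirms the duplicate sits on the notification side, while distinct keys with the same detection time would support the two-events theory.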

            • 3. Re: Multiple responses to a single task
              scoutt

              Thanks Attila,


But I only have one auto response that deals with OnDemand Scans. The event log only shows 1 per machine (event id 1038) when I filtered the results, so it is not the logs that are doubled, but the generated response is. As I said in my previous post, the email generated reports are doubled from the exact same log it found.


I have attached a screen shot showing the emails. The bodies of the emails are exact, but the time it was sent to me is 3 min apart. OnDemand scan is only an example; I also get them for trojans/viruses found as well.


These are the only auto responses I have enabled.


Adware Detection, Buffer Overflow, KeyLogger, Non-compliant computer detected, OnDemand Scan, P2P Detection,
Port Blocking Rule, Rootkit Detection, Scheduled Task, SpyWare Detection, Trojan Detection, Unwanted Programs,
Virus Detection


              Those are all my own. I disabled the Malware response that came default.