4 Replies Latest reply on Sep 21, 2010 10:01 AM by jstanley

    Threat detected

    eddymac

      Hello;


      What is the best practice to act once a threat is detected from the ePO server, if I have a new threat detected and it appears in my dashboard?

        • 1. Re: Threat detected
          jstanley

          Depends largely on the threat, the product and the reaction. For example a threat detected by VSE but handled (so virus detected and removed) would really not require any action; however, a virus detected and not removed may. In the event of a threat being detected and not removed I'd say the next step would be to check the local VSE on-access scan log on the machine and just in general look for signs of infection. You could also have it run a complete on-demand scan.


          One of the primary goals on the threat reports is to give you the ability to spot trends. For example if you suddenly have a large spike in the number of detections even if the detections are being cleaned it could indicate that you are in an outbreak.


          Message was edited by: Jeremy Stanley on 9/20/10 1:56:38 PM CDT
          • 2. Re: Threat detected
            eddymac

            Thanks Jeremy, but how can I confirm that the threat is removed? I ran the on-demand scan on a machine and it shows 0 detected. How can I set the automatic response, so that once a threat is detected it is removed?

            • 3. Re: Threat detected
              tonyb99

              The threats are detected and dealt with by VSE; this then passes the info on what it has done to ePO to display on your reports.

              By the time you see the detection it should already have been cleaned/deleted. Anywhere this has not happened (which you can see from your reports if you choose to include these fields) you may then need to look at why (locked file/process etc.).

              • 4. Re: Threat detected
                jstanley

                I would not recommend an automatic response for this scenario as there are too many variables involved. If you ran a complete scan and the scan log did not detect anything and you have no indication the machine is infected then I'd say the machine is not infected.


                If you got a "virus detected and not removed" event it should indicate a file and a path. If you look at the machine directly, does the file referenced in the threat event exist on the client machine? If not, as Tony mentioned, it may have already been cleaned.
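The triage the replies above describe (separate "detected and removed" events from "detected and not removed" ones, check whether the referenced file still exists on the client, and watch the daily detection count for a spike that could signal an outbreak) can be scripted over a threat-event export. The following is an added example written for this thread, not McAfee or ePO code; the field names (`date`, `host`, `threat`, `file`, `action`), the set of action strings treated as "resolved", and the sample events are all assumptions constructed for the demonstration.

```python
"""Triage helper for exported threat events (added example; not McAfee/ePO code)."""
import os
from collections import Counter
from datetime import date, timedelta
from statistics import mean

# Actions that mean the scanner already dealt with the file. These strings are
# assumptions modelled on the wording of VSE/ePO reports, not an official list.
RESOLVED_ACTIONS = {"cleaned", "deleted", "quarantined", "moved"}


def make_event(day, host, threat, path, action):
    """Build one event record (field names are assumptions, not ePO's schema)."""
    return {"date": day, "host": host, "threat": threat, "file": path, "action": action}


def sample_events():
    """Constructed data: one detection a day, then a burst, then a straggler."""
    events = []
    for i in range(7):  # quiet baseline, 13..19 Sep 2010, everything deleted
        day = (date(2010, 9, 13) + timedelta(days=i)).isoformat()
        events.append(make_event(day, f"WS-00{i + 1}", "EICAR test file",
                                 r"C:\temp\eicar.com", "Deleted"))
    for i in range(12):  # burst on 20 Sep: cleaned, but still worth noticing
        events.append(make_event("2010-09-20", f"WS-2{i:02d}", "W32/Example.worm",
                                 r"C:\Users\Public\inv.exe", "Cleaned"))
    # two hosts where VSE reported the detection but could not remove the file
    events.append(make_event("2010-09-20", "WS-301", "W32/Example.worm",
                             r"C:\Windows\Temp\inv.exe", "Not removed"))
    events.append(make_event("2010-09-21", "WS-302", "W32/Example.worm",
                             r"C:\Windows\Temp\inv.exe", "Not removed"))
    return events


def is_resolved(event):
    return event["action"].strip().lower() in RESOLVED_ACTIONS


def unresolved_events(events):
    """Events where a detection was reported but the file was not removed."""
    return [e for e in events if not is_resolved(e)]


def daily_counts(events):
    return Counter(e["date"] for e in events)


def spike_days(events, baseline_days=7, factor=3.0, min_count=5):
    """Days whose count exceeds `factor` times the mean of the preceding days.

    Days with no events count as zero, so a genuinely quiet baseline is not
    hidden; `min_count` stops a single event on an empty baseline looking like
    a spike.
    """
    counts = daily_counts(events)
    spikes = []
    for day_str in sorted(counts):
        day = date.fromisoformat(day_str)
        baseline = [counts.get((day - timedelta(days=k)).isoformat(), 0)
                    for k in range(1, baseline_days + 1)]
        if counts[day_str] >= min_count and counts[day_str] > factor * mean(baseline):
            spikes.append(day_str)
    return spikes


def file_still_present(event, exists=os.path.exists):
    """Does the path from a 'not removed' event still exist?

    `exists` is injectable so the check can be pointed at a path reachable
    from the console (for example a mounted admin share) or replaced in tests;
    by default it looks at the local filesystem.
    """
    return exists(event["file"])


def triage(events, exists=os.path.exists):
    """Summarise what an operator should look at first."""
    follow_up = [{**e, "file_present": file_still_present(e, exists)}
                 for e in unresolved_events(events)]
    return {"spike_days": spike_days(events), "follow_up": follow_up}


if __name__ == "__main__":
    # Pretend the file is still on disk on every client, to show the output shape.
    report = triage(sample_events(), exists=lambda p: p.endswith("inv.exe"))
    print("spike days:", report["spike_days"])
    for item in report["follow_up"]:
        print(f'{item["host"]}: {item["file"]} present={item["file_present"]}')
```

Running the script prints 2010-09-20 as a spike day (13 detections against a baseline of one a day) and lists the two hosts whose detections were not removed; those are the machines to inspect directly, starting with the local on-access scan log and a full on-demand scan, as the replies suggest. The spike threshold is deliberately simple; tune `factor` and `min_count` to your environment's normal background of test-file and cleaned detections.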