11 Replies. Latest reply on Sep 29, 2010 12:46 AM by Attila Polinger

    McAfee Event Log Reporting

      I'm getting a ton of event log errors:

       

      "Would be blocked by access protection rule  (rule is in warn-only mode) (Anti-virus Maximum Protection:Protect phonebook files from password and email address stealers"

      What do I need to do to turn these off?

        • 1. Re: McAfee Event Log Reporting
          rmillersd619

          Check your access protection settings.

          Go to the Policy Catalog, select your VirusScan product, select category: Access Protection Policies, select your assigned policy for this category, edit settings.

           

          Down the left side next to Access Protection Rules you'll see two boxes next to each other, select Anti-virus Maximum Protection in the left side box, check the right box and make sure nothing is ticked next to "Protect phonebook files from password and email address stealers". If you notice at the top of the right side box you see Block/Report/Rules that is the header for what is listed below (they aren't lined up cleanly). I've attached a screen shot of what you should be seeing.

           

          Regards,

          Bob

          • 2. Re: McAfee Event Log Reporting

            I still want those to be in the McAfee log. I don't want them in the event log.

            • 3. Re: McAfee Event Log Reporting
              Attila Polinger

              Hello,

               

              Please open the VirusScan Console and select Tools - Alerts. In the window that appears, uncheck "Access Protection" under "Components that generate alerts". Also check whether, on the Additional Alerting tab, the Local Alerting section has the "Log to local application event log" checkbox set; if so, uncheck that too, to be sure.

               

              Now I'm not sure if this is also a managed policy setting in ePO for VirusScan, but you can try the same there too.

               

              Attila

              • 4. Re: McAfee Event Log Reporting
                rmillersd619

                Hmmm. The only place to filter what gets forwarded to the server event log is in server settings, event filtering but those are event categories rather than specific rules. If you turn it off for a specific event category then you could be affecting other events of that category type you do want to see.

                 

                Presumably you have determined what is currently triggering the alert is legitimate vs. something actually trying to do harm?

                 

                Regards,

                Bob

                • 5. Re: McAfee Event Log Reporting
                  Erik

                  Hello,

                   

                  Please open the VirusScan Console and select Tools - Alerts. In the window that appears, uncheck "Access Protection" under "Components that generate alerts". Also check whether, on the Additional Alerting tab, the Local Alerting section has the "Log to local application event log" checkbox set; if so, uncheck that too, to be sure.

                   

                  Now I'm not sure if this is also a managed policy setting in ePO for VirusScan, but you can try the same there too.

                   

                  Attila


                  Attila is right. This is the configuration you are looking for. And indeed the same settings are available in ePO, under the VirusScan Policies > User Interface Policies > Additional Alerting Options > UNCHECK Log to local application event log.

                  • 6. Re: McAfee Event Log Reporting

                    I don't see it; maybe you can point it out to me.

                    • 7. Re: McAfee Event Log Reporting
                      Erik

                      Sorry I meant Alerting Policies, not User Interface....

                      • 8. Re: McAfee Event Log Reporting

                        Even though these are my settings, it's still giving me a lot of stuff in my event log.

                         

                        picture

                        • 9. Re: McAfee Event Log Reporting
                          Attila Polinger

                          I think if you want alerts in your event log, but not that many, you won't be able to further reduce the number of them with these settings.

                          I recommend these options for you:

                           

                          - Uncheck (i.e. disable) the "Log to local application event log" option, no matter what event severity you have set (also please check the distinction between workstation and server policy, whichever you want the new settings to be applied to). This stops logging to the local event log.

                          - Leave alerting options as they are, and go through all Access Protection rules (by workstation and server) and unify their settings so as to never use one of the options only, but always use both options (i.e. block AND report). This means where you now have "report" checked, you either check "block" as well or uncheck "report". Review the rules so no unnecessary rule is active.

                          - all of the above :-)

                           

                          Attila
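Before going through the rules as the last reply suggests, it helps to know which warn-only rules actually produce the noise. The script below is an added example, not part of any post in this thread and not McAfee code; it tallies messages in the form quoted in the opening post, and the function names, the threshold and the "Example ..." sample lines are assumptions.

```python
import re
from collections import Counter

# Matches the message text as quoted in the opening post. The closing
# parenthesis is optional because the quoted message does not have one.
WARN_ONLY = re.compile(
    r"Would be blocked by access protection rule\s+"
    r"\(rule is in warn-only mode\)\s+"
    r"\((?P<category>[^:()]+):(?P<rule>[^()]+)\)?\s*$",
    re.IGNORECASE,
)


def tally_warn_only(messages):
    """Count warn-only (report without block) hits per (category, rule)."""
    counts = Counter()
    for msg in messages:
        m = WARN_ONLY.search(msg.strip())
        if m:  # anything that is not a warn-only rule hit is skipped
            counts[(m["category"].strip(), m["rule"].strip())] += 1
    return counts


def review_list(messages, threshold=2):
    """Rules whose warn-only hit count reaches the threshold, noisiest first."""
    return [
        (category, rule, hits)
        for (category, rule), hits in tally_warn_only(messages).most_common()
        if hits >= threshold
    ]


# Constructed sample input: PHONEBOOK is the message quoted in the thread;
# the "Example ..." category and rule names are hypothetical.
PHONEBOOK = (
    "Would be blocked by access protection rule  (rule is in warn-only mode) "
    "(Anti-virus Maximum Protection:Protect phonebook files from password "
    "and email address stealers"
)
SAMPLE = [
    PHONEBOOK,
    PHONEBOOK,
    PHONEBOOK + ")",
    "Would be blocked by access protection rule (rule is in warn-only mode) "
    "(Example Category:Example rule A)",
    "Service started",  # unrelated event, ignored
]

if __name__ == "__main__":
    for category, rule, hits in review_list(SAMPLE):
        print(f"{hits:4d}  {category} / {rule}")
```

Each rule it lists is one where "report" is ticked without "block", so it is a candidate for the block-and-report or neither decision described above.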
