I suggest you run a report filtered to "malware detected and not handled" with every possible database field holding useful information (such as event code, event description, file name, malware name, etc.) in order to filter out "detections" that are not actual malware, but things like "scan timed out", "password protected file not scanned", etc.
Then you could run on-demand scans for a while scanning only memory, registry, etc. (but not files), so you can find malware in memory (i.e. activated). In connection with that, you could create automatic responses for malware names ending in !mem. In my opinion this is the real threat that needs to be handled immediately.
1 million detections, 10% not handled...
This is not good.
Should I manually handle 100,000 events?
Is that 10% a "clean" inability to handle existing infections, or is it mixed with several "fake" detections like "Unable to scan password protected", "Scan timed out", etc.?
Are there detections on network drives (possibly with read-only access)?
Inability to handle existing infections. Typically Conficker.
I would create a chart where ThreatName is a filter, count the affected computers, and proceed from few to many. And/or look up the findings and proceed from easy to hard in terms of remediation.
Conficker is, as far as I know, easy to remove because it does not plant itself under any system process other than svchost. Other threats can be more difficult, however.
There is the Event Description, which might be useful to include in the Columns section of this query, because in some cases where you see Threat Handled as No and Action Taken as None, it might tell you "Unable to delete file, will be deleted on next reboot".
Otherwise there is nothing more to do centrally than to initiate a full scan.
Of course you can harden your VirusScan policy using the knowledge you obtained by examining the descriptions of the threats found on McAfee (or other) sites or documents. Typically, enabling some Access Protection rules in the case of Conficker, performing some patching, etc.
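The triage described in the replies above (filter the "not handled" events, separate scanner failures such as "scan timed out" or "password protected" from real infections, flag !mem detections, then count affected computers per ThreatName from few to many), as an added example that is not part of the thread and not McAfee's code. The CSV records are constructed, and the column names (ComputerName, ThreatName, ThreatHandled, ActionTaken, EventDescription, FilePath) are assumed to mimic a threat-event export; they are not a real ePO schema.

```python
"""Triage of 'malware detected and not handled' events.

Added example, not from the thread or from McAfee. The records below are
constructed; the column names are assumptions that mimic an ePO threat-event
export, not a real ePO schema.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample export (not real data).
SAMPLE_CSV = """\
ComputerName,ThreatName,ThreatHandled,ActionTaken,EventDescription,FilePath
PC01,W32/Conficker.worm,No,None,Unable to delete file,C:\\Windows\\System32\\abc.dll
PC02,W32/Conficker.worm,No,None,Unable to delete file,C:\\Windows\\System32\\abc.dll
PC03,W32/Conficker.worm!mem,No,None,Infected process detected,C:\\Windows\\System32\\svchost.exe
PC04,Generic.dx,No,None,Scan timed out,D:\\share\\big.iso
PC05,Generic.dx,No,None,Unable to scan password protected file,C:\\Users\\u\\x.zip
PC06,Artemis!ABCD,No,None,"Unable to delete file, will be deleted on next reboot",C:\\Temp\\a.exe
PC07,W32/Sality.gen,No,None,Unable to delete file,C:\\Program Files\\app\\b.exe
PC08,Generic.dx,Yes,Deleted,File deleted,C:\\Temp\\c.exe
"""

# Event descriptions that are scanner limitations or already-scheduled
# cleanups rather than live infections needing manual work.
PSEUDO_DETECTION_PATTERNS = [
    re.compile(r"scan timed out", re.I),
    re.compile(r"password protected", re.I),
    re.compile(r"will be deleted on next reboot", re.I),
]


def parse_events(text):
    """Parse a CSV export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def classify(event):
    """Return 'handled', 'pseudo', 'memory' or 'unhandled' for one event."""
    if event["ThreatHandled"].strip().lower() == "yes":
        return "handled"
    if any(p.search(event["EventDescription"]) for p in PSEUDO_DETECTION_PATTERNS):
        return "pseudo"
    # Detection names ending in !mem mean the threat was found running in memory.
    if event["ThreatName"].lower().endswith("!mem"):
        return "memory"
    return "unhandled"


def triage(events):
    """Bucket events by classify() so each bucket can get its own response."""
    buckets = defaultdict(list)
    for e in events:
        buckets[classify(e)].append(e)
    return buckets


def affected_computers_by_threat(events):
    """Distinct computers per ThreatName, sorted from few to many (then by name)."""
    per_threat = defaultdict(set)
    for e in events:
        per_threat[e["ThreatName"]].add(e["ComputerName"])
    return sorted(((name, len(hosts)) for name, hosts in per_threat.items()),
                  key=lambda t: (t[1], t[0]))


if __name__ == "__main__":
    buckets = triage(parse_events(SAMPLE_CSV))
    for kind in ("memory", "unhandled", "pseudo", "handled"):
        print(f"{kind}: {len(buckets[kind])} event(s)")
    print("Remediation order for real unhandled detections:")
    for name, count in affected_computers_by_threat(buckets["unhandled"]):
        print(f"  {name}: {count} computer(s)")
```

The "memory" bucket is the one the first reply would wire to an automatic response; the "pseudo" bucket is what inflates the 10% figure without being an infection to clean up by hand.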
How can I insert the "Malware detected and not handled" file path in the automatic response mail? It worked on ePO 4.0. I can't find it on ePO 4.5.
Yes, on ePO 4.5 P4 it is seemingly not possible to insert such a variable (and the same goes for ePO 4.6). On the other hand, you may try running a scheduled automatic query for the same; chances are you can insert this variable there.
Thank you for your information, but I need more help with the "automatic query". Can you explain in a little more detail?
I'm sorry I failed to be more precise. I meant defining a server task where you run this query, and it is the server task that you schedule to run, say, hourly each day. And you need to define the query beforehand as well :-(