9 Replies Latest reply on Sep 13, 2011 1:32 AM by Attila Polinger

    Malware detected and not handled



      Just want some guidelines to handle: Malware detected and not handled


      OK, if ePO is managing, say, 100 computers, I can go to the computer and try to run a manual clean-up.


      But if I'm managing +5000 computers worldwide what automation should I implement?


      Thank you in advance,



        • 1. Re: Malware detected and not handled
          Attila Polinger



          I suggest you run a report filtering on "malware detected and not handled" with every possible database field holding useful information, such as event code, event description, file name, malware name, etc., in order to filter off "detections" that are not actual malware but things like "scan timed out", "password protected file not scanned", etc.


          Then you could run on-demand scans for a while scanning only memory, registry, etc. (but not files), so you can find malware in memory (i.e. activated). In connection with this, you could create automatic responses for malware names ending in !mem. In my opinion this is the real threat that needs to be handled immediately.



          • 2. Malware detected and not handled

            1 million detections, 10% not handled...


            This is not good.


            Should I manually handle 100.000 events?

            • 3. Malware detected and not handled
              Attila Polinger

              Is that 10% a "clean" inability to handle an existing infection, or is it mixed with several "fake" detections like "Unable to scan password protected", "Scan timed out", etc.?

              Are there detections on network drives (with possibly read access only)?

              • 4. Malware detected and not handled

                Inability to handle existing infection. Typically Conficker.

                • 5. Malware detected and not handled
                  Attila Polinger

                  I would create a chart where ThreatName is a filter; count the affected computers, and proceed from few to many. And/or look up the findings and proceed from easy to hard in terms of remediation.


                  Conficker is, as far as I know, easy to remove because it does not plant itself under any system process other than svchost. Other threats can be more difficult, however.

                  There is the Event Description, which might be useful to include in the Columns section of this query, because in some cases where you see Threat Handled as No and Action Taken as None, it might tell you "Unable to delete file, will be deleted on next reboot".


                  Otherwise there is nothing more to do centrally than to initiate a full scan.

                  Of course you can harden your VirusScan policy using the knowledge that you obtained through examining the description of the threats found on McAfee (or other) sites or documents. Typically engaging some Access Protection rules in the case of Conficker and performing some patching, etc.
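The triage suggested in replies 1 and 5 can be scripted over an exported query result. This is an added example, not code from the thread or from McAfee; it assumes the report was exported to CSV with the hypothetical column headers `HostName`, `ThreatName`, `EventDescription` and `ThreatHandled`, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not ePO's schema.
SAMPLE_CSV = """HostName,ThreatName,EventDescription,ThreatHandled
pc-001,W32/Conficker.worm,Unable to clean file,No
pc-002,W32/Conficker.worm,Unable to clean file,No
pc-002,W32/Conficker.worm!mem,Unable to clean file,No
pc-003,,Scan timed out,No
pc-004,,Password protected file not scanned,No
pc-005,Example/Trojan.b,"Unable to delete file, will be deleted on next reboot",No
pc-006,Example/Trojan.b,Deleted,Yes
pc-007,Example/Trojan.a,Unable to clean file,No
"""

# Scan-status events that show up as "not handled" but are not infections.
NOISE = ("scan timed out", "password protected")
REBOOT = "will be deleted on next reboot"

def triage(csv_text):
    """Split unhandled events into noise, reboot-pending hosts and a work queue."""
    hosts_by_threat = defaultdict(set)
    pending_reboot = set()
    noise = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["ThreatHandled"].strip().lower() != "no":
            continue  # already handled, nothing to do
        desc = row["EventDescription"].lower()
        if any(marker in desc for marker in NOISE):
            noise += 1
        elif REBOOT in desc:
            pending_reboot.add(row["HostName"])  # needs a reboot, not a new scan
        else:
            hosts_by_threat[row["ThreatName"]].add(row["HostName"])
    # In-memory (!mem) detections first, then threats from few to many hosts.
    ordered = sorted(
        hosts_by_threat.items(),
        key=lambda kv: (not kv[0].endswith("!mem"), len(kv[1]), kv[0]),
    )
    return {
        "queue": [(name, sorted(hosts)) for name, hosts in ordered],
        "pending_reboot": sorted(pending_reboot),
        "noise": noise,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_CSV))
```
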

                  • 6. Re: Malware detected and not handled



                         How can I insert the Malware detected and not handled file path in the automatic response mail? It works on ePO 4.0. I can find it on the ePO 4.5.

                    • 7. Re: Malware detected and not handled
                      Attila Polinger

                      Yes, on ePO 4.5 P4 it is seemingly not possible to insert such a variable (the same is true on ePO 4.6). On the other hand, you may try running a scheduled automatic query for the same; chances are you can insert this variable therein.

                      • 8. Re: Malware detected and not handled

                        Thank you for your information, but I need more help with "Automatic query". Can you explain in a little more detail?

                        • 9. Re: Malware detected and not handled
                          Attila Polinger

                          I'm sorry to have failed to be more precise. I meant defining a server task where you run this query, and it is the server task that you schedule to run, say, hourly each day. You need to define the query beforehand as well :-(