3 Replies Latest reply on Apr 13, 2011 12:03 AM by Attila Polinger

    automatic responses do not work

      Hello,

       

      I understand very little English. I will try to explain the problem. I use McAfee ePO 4.5. Automatic responses do not work.

      I want threat information to come to my e-mail address. The e-mail server settings are OK and work. The test mail is OK.

      The automatic response settings are OK. The "Malware detected and not handled" status is enabled.

      Response details

      Name: Malware detected and not handled
      Description: Sends an e-mail notification when "Malware detected and not handled" events are received.
      Event: Event group: ePO Notification Events
      Event type: Threat
      Status: Enabled
      Aggregation: Trigger this response for every event.
      Grouping: Do not group aggregated events.
      Throttling: This response will be triggered at most once every 2 hours.
      Actions: 1: Send Email

       

      Where is the problem?

      Thanks for your help.

        • 1. Re: automatic responses do not work
          Attila Polinger

          Hello,

           

          Automatic responses need an event to be uploaded to the ePO database. If no such event occurs, or you filter those events by chance, the automatic response never triggers.

          You can check if you filter for trivial "malware detected and not handled"-type events or not in Configuration-Server-Event Filtering.

           

          Attila

          • 2. Re: automatic responses do not work

            Thank you for the reply. One e-mail arrived. I create a smooth filtering.

            Do you have a filter to recommend?

            Thanks.

            Received mail:

             

            ePolicy Orchestrator Notification

            Response Name: Malware detected and not handled
            Event Type Name: Threat
            Defined at: My Organization
            System Location: GlobalRoot\Directory\....

            Description: Sends an e-mail notification when "Malware detected and not handled" events are received

             

            Number of events: 1

            Source IPV6 addresses: 192.168.x.x

            Source IPV4 addresses: 192.168.x.x

            Threat Names: Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings
            Detecting Product Names: VirusScan Enterprise

            • 3. Re: automatic responses do not work
              Attila Polinger

              Seeing this email, it looks like it is the result of an access protection rule being triggered. I would not consider this the type of event you are curious about.

               

              We have a filter for the events because if all events were enabled to be received then the database would soon get filled up with operational events such as service start and stop, update start and stop etc. Even with filtering we have several operational events (supposedly because they might have got a different event code that we filter for).

               

              My practice is that I directly query the database (ePOEvents table) for event types and then collect event codes that need to be filtered. Also it is useful to create ePO queries or automatic responses where a filter condition is to be provided.

               

              Be informed that event filtering is done via an evtfltr.ini file which resides in the ePO installation folder. This file apparently gets modified when you modify event filtering settings, but you can modify this file yourself by editing it as a text file and appending event codes that cannot be filtered through the GUI.

               

              Attila
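
The database check described in reply 3, written out as an added example that is not part of the original thread or McAfee's own code: a read-only T-SQL query that tallies the last 30 days of rows in the ePOEvents table by event code and detecting product, so noisy operational codes stand out as filtering candidates. The column names (`ThreatEventID`, `ThreatName`, `AnalyzerName`, `DetectedUTC`) and the 30-day window are assumptions; check them against the schema of your ePO database before running it.

```sql
-- Added example: inventory of event codes stored in the ePO database.
-- Assumed column names; verify against your own EPOEvents schema.
DECLARE @since DATETIME;
SET @since = DATEADD(DAY, -30, GETUTCDATE());   -- assumed review window

SELECT
    e.ThreatEventID                AS EventCode,      -- numeric event code
    e.AnalyzerName                 AS Product,        -- detecting product
    COUNT(*)                       AS EventCount,     -- rows stored for this code
    COUNT(DISTINCT e.ThreatName)   AS DistinctNames,  -- how varied the names are
    MIN(e.ThreatName)              AS SampleName,     -- one name, to recognise the code
    MAX(e.DetectedUTC)             AS LastSeenUTC,    -- is the code still arriving?
    -- share of all stored events in the window, to rank database growth
    CAST(100.0 * COUNT(*) / SUM(COUNT(*)) OVER () AS DECIMAL(5,2)) AS PctOfAll
FROM dbo.EPOEvents AS e
WHERE e.DetectedUTC >= @since
GROUP BY e.ThreatEventID, e.AnalyzerName
ORDER BY EventCount DESC;
```

Codes near the top whose sample name is an operational message (service start and stop, update start and stop) are the ones to consider filtering; a code that an automatic response depends on must stay unfiltered, or the response will never trigger.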