8 Replies Latest reply on Oct 24, 2011 4:48 AM by bostjanc

    VSE 8.8. - deleting cookies

    bostjanc

      Greetings!

       

      After we deployed VSE 8.8 in our company, I noticed in EPO that it keeps deleting a lot of cookies. Is this normal? Why are those cookies dangerous?

       

      C:\Users\***\AppData\Roaming\Microsoft\Windows\Cookies\Low\IPQFY6FQ.txt\00000000 .ie

        • 1. Re: VSE 8.8. - deleting cookies

          As cookies are basically a method of tracking your web use, some will be detected by VSE if cookie scanning is enabled.

           

          You can disable cookie scanning in "On-Access General Policies" (in 8.7, not sure if it's the same in 8.8) if you don't want to scan them.

          • 2. Re: VSE 8.8. - deleting cookies
            bostjanc

            Well... The only thing that bothers me is that these events are showing in the EPO threat event log.

            Is it possible to filter them? I would like to filter just for cookies, not also for all the other things...

            • 3. Re: VSE 8.8. - deleting cookies
              petersimmons

              I would highly recommend you edit the queries to remove events where

              threat type = cookie and

              threat type = access protection

               

              Those aren't viruses and they should probably be treated differently than regular events.

              • 4. Re: VSE 8.8. - deleting cookies
                bostjanc

                Is it possible to do this in event filtering? I haven't found anything with cookie detection there.

                • 5. Re: VSE 8.8. - deleting cookies
                  petersimmons

                  From a risk perspective I think it would probably be okay to filter them at the event forwarding level. At the moment I don't see great harm in deleting cookies and then just not reporting on it. My personal preference would be to collect them and then delete them after a short period of time. That way I could see if there are semi-dangerous web sites my users are visiting. But that's my view.

                  • 6. Re: VSE 8.8. - deleting cookies
                    bostjanc

                    Petersimmons thank you for your reply.

                    If you have time, it would be very kind of you to provide a quick step-by-step on how to keep cookies from being displayed in the audit log. As I have mentioned before, I did not find any settings for hiding cookies in event filtering.

                    • 7. Re: VSE 8.8. - deleting cookies
                      petersimmons

                      vse_filter.png

                       

                       

                      This is an example of the typical filters I use to eliminate noise and get straight to virus events. Unfortunately the events table inside ePO has almost 20 years of history. So there are things that need filtering. But this type of filtering should give you a good handle on the true threats you want to take a look at.

                      • 8. Re: VSE 8.8. - deleting cookies
                        bostjanc

                        Peter.

                        Thank you very much for your reply.

                        Another thing or suggestion from you would be more than appreciated.

                        I have managed to prepare the query you have suggested, but I have two more wishes.

                         

                        -Is it possible for this query to be run once every 10 days and send the report to some mailing group?

                        -I have chosen a PIE CHART but I see it is not visible well enough because 99,999% are uncompliant and those 0,11% which are compliant are not shown; you need to click the word "compliant" on the right side of the window to see those.

                        Can you suggest to me what would be the best approach for charts? I would like to receive a report only from those who had viruses, not also from others who are not compromised.

                         

                        (see the attachment below)

                         

                        with best regards,

                         

                        Message was edited by: bostjanc on 10/24/11 10:47:16 AM GMT+01:00

                         

                        Message was edited by: bostjanc on 10/24/11 10:48:36 AM GMT+01:00