If you use tags to trigger the ODS scan task like this:
1. Receive event ".
2. Assign tag "Infected".
3. Client task to run immediately on all systems with the "Infected" tag.
You can then trigger using an event upon scan complete to remove the tag "Infected" using automatic Response.
If you can provide the export of the rule and this is not what you're doing, I can help you; just let me know what version of ePO your rule export is from.
Thanks for the input. I had already created something similar to that, but it had some undesirable results. Here is what I did and what happened:
1. Automatic response made upon the event of malware from an OAS
2. Action of the automatic response was to add a tag to the system called "infect system" and then a second action to wake up the computer.
3. A client task for an ODS was created and assigned to the root of the ePO tree. It had a filter assigned that said to only run on systems with the tag "infected system", and to run immediately.
The result was close; everything worked as intended, but with one issue. Once the response had been tripped once, the ODS would not run anymore. Even though it has the setting "run immediately", it would not run again if a new virus detection occurred, say, a month later. It saw that it had already run that task.
Any thoughts? Again, the end result for me is to have this happen:
1. Virus detection occurs on computer
2. An ODS scan we created immediately runs and does a full system check.
The results I have gotten with the two techniques are:
1) With the Run Task Now function, it would run multiple ODS scans at the same time if more than one file was detected.
2) The tag way would only ever run once, even though it was set to run immediately.
Anyone else ever able to accomplish this?
You will need to create a second automatic response that removes the "infected system" tag once you receive the event ID for ODS complete. Doing this puts your system back in a no-tag state, so the next time it gets infected it will go through the add "Infected System" tag process and kick off the ODS scan again.
Oh, I got it. The issue is that the task must be removed, the computer must check in and remove the scan from the device, and then it can be re-added and run. I wasn't waiting for the computer to check in once to remove the task, so it wouldn't run since it saw it already had. It's working great now.