4 Replies Latest reply on Mar 5, 2012 8:15 AM by Dvanmeter

    Automatic Response rule to detection


      Hoping someone can point me in the right direction.  I want to make an automatic response that works like this:


      1.  A virus is detected on a host machine that has agent 4.6; whether the threat is cleaned or not cleaned doesn't matter.

      2.  An ODS scan has already been created in ePO and is not assigned to any group or computers; this scan does a full drive scan or a modified drive scan.

      3.  When the ePO server receives the detection from the host client, it initiates the ODS scan that was created.


      Now I have gotten this to work very well, with just one problem.  If more than one file is detected during an OAS, then the scan occurs for each event.


      What I would like is for only one ODS instance to occur, no matter how many files are detected during the OAS.  So my guess is to use the triggering events to control this.  I am having a bit of a problem figuring this one out.  I don't care if the computer detects 1 or 50 events in a 2-hour period, but I want to ensure only 1 ODS is run in that 2-hour period.


      Any ideas or recommendations?

        • 1. Re: Automatic Response rule to detection

          If you use tags to trigger the ODS scan task like this:


          1. Receive event ".

          2. Assign tag "Infected".

          3. Client task to run immediately on all systems with the "Infected" tag.


          You can then trigger on the scan-complete event to remove the "Infected" tag using an Automatic Response.


          If this is not what you're doing and you can provide the export of the rule, I can help you; just let me know what version of ePO your rule export is from.


          - Stephen

          • 2. Re: Automatic Response rule to detection

            Thanks for the input.  I had already created something similar to that, but it had some undesirable results.  Here is what I did and what happened:


            1.  An automatic response was created for the malware detection event from an OAS.

            2.  The action of the automatic response was to add a tag called "infected system" to the system, with a second action to wake up the computer.

            3.  A client task for an ODS was created and assigned to the root of the ePO tree.  It had a filter that said to run only on systems with the tag "infected system", and to run immediately.


            The result was close; everything worked as intended, but with one issue.  Once the action had been tripped once, the ODS would not run anymore.  Even though it had the response "run immediately", it would not run again if a new virus detection occurred, say, a month later.  It saw that it had already run that task.


            Any thoughts?  Again, the end result I want is for this to happen:


            1.  A virus detection occurs on a computer.

            2.  An ODS scan we created immediately runs and does a full system check.


            The results I have gotten with the two techniques are:

            1)  With the Run Task Now function, it would run multiple ODS at the same time if more than one file was detected.

            2)  The tag method would only ever run once, even though it was set to run immediately.


            Has anyone else ever been able to accomplish this?


            Message was edited by: Dvanmeter on 3/2/12 5:02:43 PM CST
            • 3. Re: Automatic Response rule to detection

              You will need to create a second automatic response that removes the "infected system" tag once you receive the event ID for ODS complete. Doing this puts your system back in a no-tag state, so the next time it gets infected it will go through the "Infected System" tag-adding process and kick off the ODS scan again.

              • 4. Re: Automatic Response rule to detection

                Oh, I got it.  The issue is that the task must be removed, the computer must check in and remove the scan from the device, and then it can be re-added and run.  I wasn't waiting for the computer to check in one time to remove the task, so it wouldn't run since it saw it already had.  It's working great now.
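The tag add/remove cycle described in replies 1 and 3, modelled as an added example that is not part of the original thread and not ePO code: it uses no ePO API, and the event type names, host names and the event stream are assumptions constructed for the example. The model runs the same detection stream through the design from reply 2 (tag added but never removed) and the fix from reply 3 (tag removed on the ODS-complete event), so the "runs only once" failure and the "one ODS per infection cycle" behaviour can be compared side by side.

```python
"""Constructed model of the ePO tag-driven ODS cycle from this thread.

Not ePO code and not an ePO API. Assumptions for the example:
  * Response A fires on an "oas_detection" event and adds the
    "Infected System" tag; the tag-filtered client task starts one ODS
    on the transition untagged -> tagged.
  * Response B fires on an "ods_complete" event and (in the fixed design)
    removes the tag so the next detection can start a new cycle.
"""

from dataclasses import dataclass, field

INFECTED_TAG = "Infected System"  # tag name as used in the thread


@dataclass
class ManagedSystem:
    name: str
    tags: set = field(default_factory=set)
    ods_runs: int = 0    # ODS tasks actually started on this system
    suppressed: int = 0  # detections that did not start a new ODS


class EpoModel:
    """Minimal model of the two automatic responses and the tag filter."""

    def __init__(self, remove_tag_on_complete: bool):
        # False reproduces reply 2 (the scan only ever runs once);
        # True reproduces the fix from reply 3.
        self.remove_tag_on_complete = remove_tag_on_complete
        self.systems: dict[str, ManagedSystem] = {}
        self.log: list[str] = []

    def _get(self, name: str) -> ManagedSystem:
        return self.systems.setdefault(name, ManagedSystem(name))

    def handle(self, event: dict) -> None:
        s = self._get(event["system"])
        if event["type"] == "oas_detection":
            # Response A: tag the system. The tag-filtered task fires only
            # when the tag is newly added, so a burst of detections while the
            # tag is already present starts one ODS, not one per detection.
            if INFECTED_TAG not in s.tags:
                s.tags.add(INFECTED_TAG)
                s.ods_runs += 1
                self.log.append(f"{s.name}: tagged, ODS #{s.ods_runs} started")
            else:
                s.suppressed += 1
                self.log.append(f"{s.name}: already tagged, no new ODS")
        elif event["type"] == "ods_complete":
            # Response B: clear the tag so the cycle can repeat later.
            if self.remove_tag_on_complete:
                s.tags.discard(INFECTED_TAG)
                self.log.append(f"{s.name}: ODS complete, tag removed")
            else:
                self.log.append(f"{s.name}: ODS complete, tag left in place")
        else:
            raise ValueError(f"unknown event type {event['type']!r}")

    def run(self, events) -> dict:
        """Process events; return {system: (ods_runs, suppressed)}."""
        for e in events:
            self.handle(e)
        return {n: (s.ods_runs, s.suppressed) for n, s in self.systems.items()}


# Constructed event stream (assumption for the example): host-a gets a burst
# of three OAS detections, its ODS completes, and it is hit again later;
# host-b has a single detection.
SAMPLE_EVENTS = [
    {"system": "host-a", "type": "oas_detection"},
    {"system": "host-a", "type": "oas_detection"},
    {"system": "host-a", "type": "oas_detection"},
    {"system": "host-b", "type": "oas_detection"},
    {"system": "host-a", "type": "ods_complete"},
    {"system": "host-b", "type": "ods_complete"},
    {"system": "host-a", "type": "oas_detection"},  # new infection, later on
    {"system": "host-a", "type": "ods_complete"},
]


def compare(events=SAMPLE_EVENTS) -> dict:
    """Run the broken (reply 2) and fixed (reply 3) designs on one stream."""
    return {
        "tag_never_removed": EpoModel(remove_tag_on_complete=False).run(events),
        "tag_removed_on_complete": EpoModel(remove_tag_on_complete=True).run(events),
    }


if __name__ == "__main__":
    for variant, result in compare().items():
        print(variant, result)
```

With the tag never removed, host-a starts one ODS and every later detection is suppressed, which is the "only ever ran once" symptom from reply 2; with the tag removed on ODS complete, the burst still collapses to one ODS but the later infection starts a second one. Note that this gives one ODS per infection cycle, not a fixed 2-hour window, and that the model has no agent check-in latency: as reply 4 points out, on a real ePO server the client must check in and drop the task before the tag can be re-applied and the task re-assigned.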