1 Reply. Latest reply: Feb 15, 2013 5:55 AM by ThomasN

    Reporting on Reinfected Systems

    Greg_Steele

      Is anyone aware if through ePO I can build a query that will report on systems that have become re-infected with malware over a short amount of time?

       

      For example, a system is infected on Monday with malware and then is re-infected a couple of days later. I am trying to capture this use case with the objective of providing more education to the end users of these machines. So far, I have been unsuccessful in capturing the second infection.

       

      ePO 4.6.4

      MA 4.5 P3

      VSE 8.7.4

      AS 8.7

        • 1. Re: Reporting on Reinfected Systems
          ThomasN

          Well, there is a way of doing it, even if it is not terribly elegant.

           

          Create a tag that you name, for instance, INF1, one that you name INF2, and one named INF3 (may be extended further if you want to).

           

          Create a query (Inf1Query) that runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 hours and that do NOT have the INF1 tag (or the INF2 and INF3 tags, if you extend it).

          Create a query (Inf2Query) that runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 hours and that do have the INF1 tag, but not the INF2 tag or the INF3 tag.

          Create a query (Inf3Query) that runs once every 24 hours and that looks for any systems that have had a malware detection in the last 24 hours and that do have the INF2 tag, but not the INF1 tag or the INF3 tag.

           

          Create a server task that runs the queries in the following order and that performs the following actions.

           

          Inf3query

          Apply tag INF3

          Clear tag INF2

          Clear Tag INF1

           

          Inf2query

          Apply tag INF2

          Clear tag INF1

          Clear tag INF3

           

          Inf1query

          Apply tag INF1

          Clear tag INF2

          Clear tag INF3

           

           

          You may extend this up to 7 days if you want to have a more thorough overview of how many times per week the clients are infected, or bring it down to 2 days/tags if you only want to know that the client has been infected multiple times.

           

          On, for instance, Sunday you need to create a query to do some cleanup.

           

          There you can choose to just remove all the tags to get a "clean slate" starting on Monday,

          or you can remove the tags for computers that have not had any infections in the last 2 days (to cater for nobody being in over the weekend),

          or only the computers that have reached INF3 (or INF2), etc.

          Basically just choose what you want out of it.

           

          In regards to displaying it, just create a Boolean query that shows clients that have the INF2 tag (for the limited version) or the INF2, INF3, INF4, etc. tags (for the "upgraded" version).

          Or you can create several counters to show how many computers are at each level.

           

          As I said it is not terribly elegant, but it does give you the results.

           

          /Thomas
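The tag-escalation procedure above is easier to reason about when the daily server task is run against a week of sample detections. The following Python simulation is an added example and is not code from this thread or from ePO: hostnames, dates and the detection log are constructed, and the tag names INF1/INF2/INF3 and query names are taken from the reply. The Inf1 query is modelled in the "extended" form the reply mentions (a host matches only if it carries none of the three tags), since with the narrower "no INF1" form a host that Inf3Query has just promoted would match Inf1Query in the same run. Running the queries in reverse order is also shown, because that is the mistake the stated ordering guards against: a first-time detection then climbs INF1, INF2, INF3 in a single run.

```python
"""Simulation of the daily INF1/INF2/INF3 tag-escalation procedure.

Constructed illustration, not ePO code: hostnames, dates and the
detection log are assumptions. In ePO the same state changes would be
driven by the three queries and the server task's tag actions.
"""
from datetime import date, timedelta

TAGS = ("INF1", "INF2", "INF3")

# Each query: (predicate on the host's current tag set, tag to apply).
# Whichever query matches applies its tag and clears the other two.
QUERIES = {
    "Inf3Query": (lambda t: "INF2" in t and "INF1" not in t and "INF3" not in t, "INF3"),
    "Inf2Query": (lambda t: "INF1" in t and "INF2" not in t and "INF3" not in t, "INF2"),
    # Extended form of Inf1Query: none of the three tags present.
    "Inf1Query": (lambda t: not (t & set(TAGS)), "INF1"),
}
ANSWER_ORDER = ("Inf3Query", "Inf2Query", "Inf1Query")   # order given in the reply
REVERSED_ORDER = tuple(reversed(ANSWER_ORDER))           # the ordering to avoid


def run_server_task(state, detected_hosts, order=ANSWER_ORDER):
    """One daily run. Each query in `order` sees the tag state left by the
    previous query, exactly as sequential server-task actions would."""
    for name in order:
        matches, tag = QUERIES[name]
        for host in detected_hosts:
            current = state.setdefault(host, set())
            if matches(current):
                current.difference_update(TAGS)   # clear the other INF tags
                current.add(tag)                  # apply this query's tag
    return state


def simulate(events, start, days, order=ANSWER_ORDER):
    """events: {date: set of hosts with a malware detection that day}.
    Runs the server task once per day for `days` days from `start`."""
    state = {}
    for i in range(days):
        day = start + timedelta(days=i)
        run_server_task(state, events.get(day, set()), order)
    return state


def weekly_cleanup(state, events, sunday, quiet_days=2):
    """The Sunday cleanup variant that keeps tags only on hosts with a
    detection in the last `quiet_days` days (Sunday counted as day 1)."""
    recent = set()
    for i in range(quiet_days):
        recent |= events.get(sunday - timedelta(days=i), set())
    for host, tags in state.items():
        if host not in recent:
            tags.difference_update(TAGS)
    return state


def level(state, host):
    """Highest INF tag a host currently carries, or None."""
    for tag in reversed(TAGS):
        if tag in state.get(host, set()):
            return tag
    return None


def reinfected(state):
    """The reporting query: hosts carrying INF2 or INF3, i.e. hosts that
    had detections on at least two separate daily runs."""
    return sorted(h for h, t in state.items() if t & {"INF2", "INF3"})


# Constructed detection log for the week starting Mon 2013-02-11.
MON = date(2013, 2, 11)
EVENTS = {
    MON:                {"hostA", "hostB", "hostD"},
    MON + timedelta(1): {"hostB", "hostC", "hostD"},
    MON + timedelta(2): {"hostA", "hostD"},
    MON + timedelta(3): {"hostB", "hostD"},
    MON + timedelta(5): {"hostE"},                  # Saturday
}

if __name__ == "__main__":
    week = simulate(EVENTS, MON, 7)
    for host in sorted(week):
        print(host, level(week, host))
    print("reinfected:", reinfected(week))
    wrong = simulate(EVENTS, MON, 1, order=REVERSED_ORDER)
    print("hostD after one day in reversed order:", level(wrong, "hostD"))
```

In the constructed week, hostD is detected four days running and parks at INF3 after Wednesday (a host already at INF3 matches none of the queries, so it is neither demoted nor double counted), while hostA, detected Monday and Wednesday, ends at INF2, which is exactly the "re-infected a couple of days later" case the question asks about. The same log run with the queries in reverse order puts hostD at INF3 after its very first detection.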