5 Replies Latest reply on Nov 11, 2013 9:33 AM by czql5v

    Alerts and test viruses!!!

    czql5v

      Hi All,

       

      I have recently been checking our ePO Alerts and, together with our customer, they appear to be a little dated. For example, our virus alerts only produce an email when a virus has not been cleaned. This, however, is good. The only problem is it does not report when a virus has been detected. The only way to find out if a virus has been detected is to use the Reporting section.

       

      The question I have is: can I adapt the current Alert to send an email when any virus has been picked up? Also, we wanted to test this theory by introducing a test virus, and I was wondering if such viruses are available from McAfee or online so that we could test.

       

      I would be grateful for any information.

        • 1. Re: Alerts and test viruses!!!
          joeleisenlipz

          Automated responses can be modified to meet all sorts of criteria; however, depending on the size and scope of the environment it might not be realistic to spam email alerts for every detection. There are options for throttling and aggregation that you may find useful in that regard.

           

          McAfee, like most major security software vendors, detects the EICAR test string as a threat and classifies it as a 'test' type so it can be easily identified.

           

          Many larger organizations also use software to consolidate Event Data for monitoring and archival purposes. If that type of solution is being used in your environment, you may find that integrating with it and allowing the alerting and reporting to originate there may simplify administration and reduce the need for user access.

           

          --Joel

          • 2. Re: Alerts and test viruses!!!
            czql5v

            Hi Joe,

             

            Thanks for the response. I will take a look at the throttling and aggregation options in ePO. Can you elaborate on the EICAR test string, specifically where can I get this test virus from and how would I apply it? I assume I would run it as a file on a machine that is managed by ePO?

             

            Thanks and Regards.

            • 3. Re: Alerts and test viruses!!!
              joeleisenlipz

              http://www.eicar.org/86-0-Intended-use.html

               

              Copy & paste the string into an empty text file. When you click Save and Notepad tries to write the file to disk, the On-Access scanner should examine it, and then delete it. Local notifications will depend on policy options, but you should be able to find the event within ePO after it gets uploaded.

               

              --Joel

              • 4. Re: Alerts and test viruses!!!
                rgc

                Hi Czql5v,

                 

                To get the alerts for a detected virus (a test virus or any virus detected by VSE with a clean or delete status), you need to duplicate the automatic response

                "Malware detected and not handled", change the name to "Malware detected and handled", edit the query and click Next.

                In the Filter tab, change Threat Handled to True.

                 

                Then follow the steps as per KB59742:

                https://kc.mcafee.com/corporate/index?page=content&id=KB59742

                 

                Steps as below.

                 

                 

                • Download the file directly from www.eicar.org.
                • Use a text editor to create the file:
                  1. Open a text editor such as Notepad.
                  2. Copy the string below into the new file:

                    X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

                    NOTES: The third character is the capital letter "O", not the digit zero.

                  3. Save the file as eicar.com.

                 

                Once the virus is detected by VSE and its status is Deleted, open the agent monitor, click Send Events, and check the status under

                ePO console > Reporting > Threat Event Log.

                 

                 

                Regards,

                RGC

                 

                Message was edited by: rgc on 11/10/13 2:48:33 AM CST
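                An added example (not code from this thread or from McAfee) showing the two pieces of rgc's and Joel's advice together: the Threat Handled = True/False filter of the duplicated automatic response, and throttling by aggregating repeated detections per host before anything is mailed. It runs over a constructed CSV export of the Threat Event Log; the column names and values are assumptions, not ePO's real schema.

```python
"""Filter and throttle ePO-style threat events before mailing an alert."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names and values are assumptions for
# this example, not ePO's real Threat Event Log schema.
SAMPLE_EVENTS = """ReceivedUTC,HostName,ThreatName,ThreatType,ThreatHandled
2013-11-10 08:00:05,WS-001,EICAR test file,test,True
2013-11-10 08:00:40,WS-001,EICAR test file,test,True
2013-11-10 08:01:10,WS-002,EICAR test file,test,False
2013-11-10 09:30:00,SRV-01,Generic.dx,trojan,True
2013-11-10 09:31:00,SRV-01,Generic.dx,trojan,True
2013-11-10 09:32:00,SRV-01,Generic.dx,trojan,True
2013-11-10 11:00:00,WS-003,Generic.dx,trojan,False
"""


def parse_events(text):
    """Return the export rows as dicts with a datetime and a boolean ThreatHandled."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ReceivedUTC"] = datetime.strptime(row["ReceivedUTC"], "%Y-%m-%d %H:%M:%S")
        row["ThreatHandled"] = row["ThreatHandled"].strip().lower() == "true"
        rows.append(row)
    return rows


def select_events(events, handled):
    """The 'Threat Handled' filter: True for the duplicated 'handled' response,
    False for the original 'not handled' one."""
    return [e for e in events if e["ThreatHandled"] == handled]


def aggregate(events, window=timedelta(minutes=5)):
    """Collapse repeated detections of the same threat on the same host that
    arrive within `window` of the first one, so one alert is sent, not one per hit."""
    alerts = []
    for e in sorted(events, key=lambda e: e["ReceivedUTC"]):
        key = (e["HostName"], e["ThreatName"])
        for a in alerts:
            if a["key"] == key and e["ReceivedUTC"] - a["first"] <= window:
                a["count"] += 1
                a["last"] = e["ReceivedUTC"]
                break
        else:  # no open alert for this host/threat inside the window
            alerts.append({"key": key, "first": e["ReceivedUTC"], "last": e["ReceivedUTC"],
                           "count": 1, "test": e["ThreatType"] == "test"})
    return alerts


if __name__ == "__main__":
    for a in aggregate(select_events(parse_events(SAMPLE_EVENTS), handled=True)):
        print(f"{a['key'][0]}: {a['key'][1]} x{a['count']} (test: {a['test']})")
```

The EICAR rows are kept apart by the "test" type Joel mentioned, so a recipient can tell a drill from a real detection without opening the console.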
                • 5. Re: Alerts and test viruses!!!
                  czql5v

                  Hi All,

                   

                  Thanks very much for your responses. I will attempt to download the test virus and test the Alerts.

                   

                  Thanks everyone.