Automated responses can be modified to meet all sorts of criteria; however, depending on the size and scope of the environment it might not be realistic to spam email alerts for every detection. There are options for throttling and aggregation that you may find useful in that regard.
McAfee, like most major security software vendors, detects the EICAR test string as a threat and classifies it as a 'test' type so it can be easily identified.
Many larger organizations also use software to consolidate Event Data for monitoring and archival purposes. If that type of solution is being used in your environment, you may find that integrating with it and allowing the alerting and reporting to originate there may simplify administration and reduce the need for user access.
Thanks for the response. I will take a look at the throttling and aggregation options in ePO. Can you elaborate on the EICAR test string? Specifically, where can I get this test virus from and how would I apply it? I assume I would run it as a file on a machine that is managed by ePO?
Thanks and Regards.
Copy & paste the string into an empty text file. When you click Save and Notepad tries to write the file to disk, the On-Access scanner should examine it, and then delete it. Local notifications will depend on policy options, but you should be able to find the event within ePO after it gets uploaded.
To get the alerts for a detected virus (the test virus or any virus detected by VSE with a clean or delete status), you need to duplicate the automatic response "Malware detected and not handled", change the name to "Malware detected and handled", edit the query and click Next.
In the Filter tab, change Threat Handled to True.
Then follow the steps as per KB59742.
Steps as below:
- Download the file directly from www.eicar.org.
- Use a text editor to create the file:
- Open a text editor such as Notepad.
- Copy the string below into the new file:
  NOTE: The third character is the capital letter "O", not the digit zero.
- Save the file as eicar.com.
Once the virus is detected by VSE and the status is Deleted, open the agent monitor, click Send Events, and check the status in the ePO console: Reporting > Threat Event Log.
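To make the two points of this thread concrete (the "Threat Handled = True" filter on the duplicated automatic response, and throttling so that a burst of detections produces one digest rather than one email each), here is an added illustration in Python. It is not McAfee code and does not use any ePO API; the event records and their field names are constructed to stand in for Threat Event Log rows.

```python
"""Filter and aggregate constructed threat events the way the two ePO
automatic responses discussed above would: one response for handled
detections, one for unhandled, each throttled to a per-host digest."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not the ePO schema.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "host": "WS01", "threat": "EICAR test file",
     "type": "test", "action": "Deleted", "handled": True},
    {"time": "2024-01-10T09:00:30", "host": "WS01", "threat": "EICAR test file",
     "type": "test", "action": "Deleted", "handled": True},
    {"time": "2024-01-10T09:05:00", "host": "WS02", "threat": "Generic.dx",
     "type": "trojan", "action": "None", "handled": False},
    {"time": "2024-01-10T10:30:00", "host": "WS01", "threat": "EICAR test file",
     "type": "test", "action": "Cleaned", "handled": True},
]


def select_events(events, handled):
    """Mirror the Filter tab: keep events whose Threat Handled flag matches."""
    return [e for e in events if e["handled"] is handled]


def aggregate(events, window_minutes=60):
    """Throttle: collapse matching events into one count per host and time window.

    Returns {(host, window_start_iso): count}; window boundaries are aligned
    to multiples of window_minutes since the Unix epoch.
    """
    window = timedelta(minutes=window_minutes)
    epoch = datetime(1970, 1, 1)
    digests = defaultdict(int)
    for e in events:
        t = datetime.fromisoformat(e["time"])
        bucket = epoch + ((t - epoch) // window) * window
        digests[(e["host"], bucket.isoformat())] += 1
    return dict(digests)


def render_digest(digests, label):
    """Produce one alert line per (host, window) instead of one per event."""
    return [f"{host}: {n} {label} detection(s) in window starting {start}"
            for (host, start), n in sorted(digests.items())]


if __name__ == "__main__":
    for handled, label in ((True, "handled"), (False, "unhandled")):
        for line in render_digest(aggregate(select_events(SAMPLE_EVENTS, handled)), label):
            print(line)
```

With the sample data, the two EICAR detections on WS01 at 09:00 and 09:00:30 become a single digest entry, while the 10:30 detection falls into its own hourly window.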
Thanks very much for your responses. I will attempt to download the test virus and test the alerts.