At the moment I am using the malware detection history. I put that in an Excel sheet every day and cross-reference them (with smart handlers that detect when computers appear more than once in the list).
I want to automate the process so that I see in a report or query when a computer gets infected more than 2x within a month, and EPO reports it to me. Like in a diagram, or just send me an email.
Because I wanna reimage that machine.
Also, is it possible to see what McAfee didn't clean?
I guess I am still trying to understand what exactly it is that you are wanting?
You could use the VSE: Computers with threats Detected per Week
You could duplicate this report and adjust it as needed, for instance, you could change it to report "event generated time = Day" and add the "Threat Handled".
This would look something like:
PC???? (Computer Name)
April 17, 2014 (Date of Detection)
True: 10 (Handled)
False: 1 (Handled)
This data would indicate that you had 11 total threats: 10 were handled correctly, 1 was not. Thus you would need to image it.
You could change the "event generated time" to weekly or even monthly.
This, however, does not automate the e-mail response to you... However, it does allow you to see users who frequently become infected.
This said, why not just set up an auto response only when a threat is not handled? Ignore when they are; however, have it send you a message when "Handled=FALSE", thus only notifying you of failed cleans...
All of this said, I would really recommend following the direction I gave you in a previous post about Malware / Spyware blocking. I have been running 8 plus years, and as long as I have these enabled and set up correctly I have a wonderful out of box experience... very little issue.
Not sure if this helps....
Hi pwolfe,
Thank you for your reply.
To answer your questions, I am looking for a report that will give me workstations that have been infected more than 3 times in 1 month.
So let's say computer A is infected on 1 January but also on 20 and 23 January. Then the report will give me this result.
But the report will not show me computers that have been infected only once.
I will look into the VSE: Computers with threats Detected per Week report. Thank you!
As regards my previous post where you replied, I cannot do this because we are repackaging MSIs and use Temp to run them from.
Enable: Anti-Spyware maximum protection - "Prevent all programs from running files from the Temp folder"
Enable: Anti-Spyware maximum protection - "Prevent execution of scripts from the Temp folder"
Enable: Common Standard Protection - "Prevent common programs from running files from the Temp folder"
Enable: Common Standard Protection - "Prevent installation of Browser Helper Objects and Shell Extensions"
But thanks again for your replies!
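The report asked for in this thread (computers with detections on several different days in one month, plus the "Handled = False" detections), as an added example that is not part of the original posts or ePO's own code. It is a Python script over a CSV export of the detection history; the column names `computer`, `detected` and `threat_handled`, the timestamp format and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export. Column names and timestamp format are assumptions,
# not ePO's own export layout; adjust them to match the real file.
SAMPLE_CSV = """computer,detected,threat_handled
PC-A,2014-01-01 09:12:00,True
PC-A,2014-01-20 14:03:00,True
PC-A,2014-01-23 08:47:00,False
PC-B,2014-01-05 11:30:00,True
PC-C,2014-01-07 10:00:00,True
PC-C,2014-01-07 10:05:00,True
PC-C,2014-02-02 16:20:00,False
"""

def _rows(csv_text):
    """Yield (computer, datetime, handled) from the export text."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = datetime.strptime(row["detected"].strip(), "%Y-%m-%d %H:%M:%S")
        handled = row["threat_handled"].strip().lower() == "true"
        yield row["computer"].strip().upper(), when, handled

def repeat_offenders(csv_text, min_days=3):
    """Computers with detections on at least min_days distinct days in one
    calendar month. Several events on the same day count once, so a single
    noisy infection does not look like a repeat."""
    days, unhandled = defaultdict(set), defaultdict(int)
    for computer, when, handled in _rows(csv_text):
        key = (computer, when.strftime("%Y-%m"))
        days[key].add(when.date())
        unhandled[key] += 0 if handled else 1
    return {k: {"days": len(d), "unhandled": unhandled[k]}
            for k, d in days.items() if len(d) >= min_days}

def failed_cleans(csv_text):
    """Sorted computer names with at least one detection that was not handled."""
    return sorted({c for c, _, handled in _rows(csv_text) if not handled})

if __name__ == "__main__":
    for (computer, month), info in sorted(repeat_offenders(SAMPLE_CSV).items()):
        print(f"{month} {computer}: {info['days']} detection days, "
              f"{info['unhandled']} not handled")
    print("Failed cleans:", ", ".join(failed_cleans(SAMPLE_CSV)))
```

Computers that were infected only once, or several times on a single day, stay out of the result; lower `min_days` to widen the report.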
Not sure if this will give you any ideas on the install of MSIs with those settings enabled; however, we package and deploy both MSIs & .exe setup files. I have 2 ways around this.
First, add the calling process and the MSI or .exe to the exclusion list (this does not always work, however it does most of the time). We are not a Microsoft shop; we are a Novell OES 11 & Zenworks site. So I add all of the Novell & ZCM/Zenworks exes to the allowed list for each exclusion. This works most of the time, as I deploy my MSIs & EXEs using Zenworks, and as long as I add the .exe or .msi to the exclusion as well it usually is fine.
Second, our VSE 8.8 "access protection" policy has been set as follows:
Enabled - Enable access protection
As 95% of my users are "Standard Users" on workstations, they have no rights and they cannot stop the McAfee services anyway, as by default you need admin rights to do so, thus allowing me to administratively. As we use Zenworks, I just add the following to my installers (all installers run as local system with admin rights or an admin account for rights):
- sc stop mcshield - With Wait until completed
- Run setup.exe or Msi - With Wait until completed
- sc start mcshield - With Wait until completed
By doing this, McAfee is disabled during the install; this also allows faster installs, as the "Access Scanner" will not scan this install.