3 Replies Latest reply on Jun 20, 2014 10:59 AM by dmease729

    Access Protection User Defined Rule Report

    pdunnigan

      I have ePO 4.5. I have  Access Portection Policie User Defined Rules setup and would like to get a report on what they are stopping on all workstations. Is this possible in ePO?

       

      Thanks

      Pat

        • 1. Re: Access Protection User Defined Rule Report
          rackroyd

          This is more a question for the point-product. Presumably hat would be VirusScan.

          Note, howeer that ePO 4.5 is out of support since end of  December 2013.

           

          Moving to vse group.

          • 2. Re: Access Protection User Defined Rule Report
            llamamecomoquieras

            Hi Pat,

             

            The only way to get that notifications is making sure that you have enable under the event filtering option in ePO under Server Configuration option, the following 3 events:

             

            1092: Access Protection rule violation detected and blocked (Low) 

            1094: Port blocking rule violation detected (Low)

            1095: Access Protection rule violation detected and NOT blocked (Low)

             

            Once you have these events selected, you need to make sure that your user defined rule has the Report option enables.

             

            After you have the previous configuration, you can create an automated response for the previous events 1092, 1094 and 1095 and you will receive an email for each event generated when triggering the user defined rule.

             

            I hope this can help you.

             

            Cheers,

            • 3. Re: Access Protection User Defined Rule Report
              dmease729

              Not sure that the original question was looking at automatic responses.  I do not currently have access to an ePO server, but I have carried out something recently - bear with me on this:

               

              - As per above, event 1092 needs to be enabled so the agents forward these events to the ePO (edit: and obviously, as pointed out above, the 'report' option set in the relevant rules!)

              - Configure a new query looking for events with ID 1092.  I believe if you look at the filters there is a field which contains the name of the access protection rule (you can also use a 'contains' clause).  Pick whatever fields you want, and tweak the query to show what you want to see

              - Create a scheduled server task that runs the query and sends you the results (or you can explicitly configure a report, then run it and send, but I suspect you are after a quick 'this is what we are seeing' return?)

               

              I hope this helps!  As a quick aside, I would have preferred this to have been left in the ePO group as the configuration required relates to the ePO server and the events sent by the ePO agent?  Just my 2p :-)

               

              Message was edited by: dmease729 on 6/20/14 10:59:31 AM CDT