I'm trying to set up alerting for workstations and servers; however, I want to get some clarification first.
In the past, we've received alerts from our security vendor (they manage our firewall and IPS) that they see traffic coming from one of our machines to a destination IP, like a trojan phoning home. I've never seen or heard from any user of any alerts popping up. If On-Access is enabled, shouldn't a message box pop up with an alert? If threats are set to be cleaned, then deleted, are those threats logged on the local machine, then 'imported' or logged on ePO?
Here's what I'm trying to do and questions I have:
1. Set up an alert that emails us when a threat is discovered. At present, I've set up an Automatic Response to do so and I think this is correct. I'm guessing that this action will be taken if a threat is discovered during an on-access or on-demand scan, correct? It's hard to be confident that this will work based on the above.
2. Shouldn't a message box pop up on a client machine if a threat is detected?
3. Is there a reason why threats wouldn't be detected through the on-access process?
4. What information is relayed back from the client to ePO?
I've recently gone through the best practices for VSE, devices are getting new DAT updates daily (no failures), and I believe I have accurately configured the VSE policies.