4 Replies Latest reply on Jun 18, 2015 7:15 AM by btadams

    What is YOUR "on-access detection" message?

    mrbeatnik

The VSE On-Access General Policy allows you to put a custom message when a detection occurs.

Historically, we had a quite alarming message to try to get the message across to users, something like "VIRUS ALERT! A virus was detected, please review... blah blah".

Since deploying Patch 4, there have been more BO alerts (let's not discuss that here), and so the message has not been appropriate; it wasn't considered that this message was seen for all types of alerts.

      We have now changed the message to be more "generic".


      However, what message do YOU use? How do you best get the user to decide what action should be taken (clean/delete/no action/contact support)?

        • 1. Re: What is YOUR "on-access detection" message?
          Peter M

          I moved this to VSE for a quicker response.

          ---

          Peter

          Moderator

          • 2. Re: What is YOUR "on-access detection" message?
            wwarren

            I've seen messages that steer people toward calling helpdesk, or even individuals.

            I've seen messages that say something like "Don't move, we're coming to you - if we're not there in 5 minutes continue with other work but leave this message alone".


            In most cases that I recall, there's no message provided for the User, it's suppressed. If you're getting an On Access Scanner detection, it means there is malware we know about - and it means we've denied access to the file; whether the action taken by us results in "cleaned" or "deleted" or "Clean failed/Delete failed", there was a "denied access" that occurred first. So you can be confident that particular threat is not active - but, it could be a clue that some other malware we _don't_ know about just tried to drop malware we _do_ know about.

I suspect that's why I've seen messages like the 2nd example. Detection notifications are worth following up on; it seems like a question of data/information security vs. the cost to maintain the desired level of confidence in that security.


            I would say much more on this about what I'd really like to have happen if I had a say in educating Users about information security, but that's off topic.

            • 3. Re: What is YOUR "on-access detection" message?
              Pmaquoi

Sorry for my English.

We have decided for our domains (9000 WKS, 1200 SRV) to never display a message for an OAS action. It's denied, and it's OK like that. We are following each alert from the ePO in real time and will act if necessary. Displaying a message for OAS is a time-consuming process for everyone, as the user panics, then calls the helpdesk, etc.

              • 4. Re: What is YOUR "on-access detection" message?
                btadams

                Our message states that malware has been detected, and to contact our SOC. It should always be up to the SOC to determine how to proceed.