1 Reply Latest reply on Aug 18, 2008 10:04 AM by mmroitman

    Infections vs. Detections

      I am required to run monthly reports based on data from ePO. The main reports that I run are the Viruses Detected by type, Number of infections monthly, and the action reports. When I run these reports there are a number of "unexplained" discrepancies. The number of Actions equals the number of infections, but does not equal the number of viruses detected.

      I understand that in order for ePO/VSE to take an action, there must be an infection. That is why the numbers gel.

      What are the criteria for a detection? What, if any, actions does ePO take for a detection that is not an infection?

      If we have 1558 Infections and 1569 detections for a month, what is the status of the missing 11 instances? Where can I find out what action has taken place?

      Chris
        • 1. Queries have the same problems.
          I have a problem that looks like yours, but as far as I researched, McAfee had an "Engineering problem" when they projected the database that they cannot fix.
          It’s really hard to find consistent data when you run reports.
          I need to get the number of Infections and Actions daily, but apparently there is no way to get this simple and objective data from EPO.
          I am running EPO 3.1 and the only place I found that could return the data I need (before a little customization) is from:
          QUERY – EVENTS – SCANNING EVENTS SUMMARY
          If you run this query you will see the returned data does not have any logic:

          In my query for example:
          1- All the action columns except Cleaned are empty (Removed, Moved, Excluded, Continued Scan, etc…)

          2- On-access Scan started has 29 events and 29 Cleaned:
          Severity | Event ID | Product Name | Event Description | Total | Cleaned
          0 | 1087 | VirusScan | On-access Scan started | 29 | 29

          3- Infected file deleted has 59 Total and 59 of them Cleaned:
          Severity | Event ID | Product Name | Event Description | Total | Cleaned
          3 | 1027 | VirusScan | Infected file deleted. | 59 | 59

          4- I have more “Infected file deleted” than I have “Scan found infected files”? The logical behavior is to delete or clean what is found.
          Severity | Event ID | Product Name | Event Description | Total
          4 | 1038 | VirusScan Enterprise | Scan found infected files. | 8914
          4 | 1024 | VirusScan Enterprise | Infected file found. | 5971

          Severity | Event ID | Product Name | Event Description | Total
          3 | 1027 | VirusScan Enterprise | Infected file deleted. | 151743

          And I could give you many other examples.

          I was also trying to extract the data from the Events table; as it has no relation with the other tables, I thought it was the most reliable, but it's impossible to get the actions from there, as they are in an index format and there is no table to get what these indexes are.

          If anyone has a Table of ActionID X Actions it could be a solution: Anyone?

          I exposed this case in full detail to McAfee Support; they could not give me a solution and cowardly closed the case, giving me no option.

          I hope that EPO 4.0 has this fixed for those who need management data and indicators, but I will only hope, not take my chances.

          Regards,
          Michel