6 Replies Latest reply on Feb 17, 2016 1:26 PM by sliedl

    McAfee Enterprise Firewall email issue

    jjensen86

      Every hour we receive an email with the subject "No change in Virus Data" that also has a body of "No change in virus data."

      Where can I modify it so the email does not get generated, or is only generated if there is an actual threat?

       

      Any help is appreciated,

      Jeremy

        • 1. Re: McAfee Enterprise Firewall email issue
          sliedl

          Run this command on the CLI:

          $> acat -e "event AUDIT_R_ALERT and alert_actions email"

           

          You'll see audit events similar to this:

           

          Feb 17 11:36:55 2016 CST  f_auditbotd a_server t_alert p_major
          pid: 3110 ruid: 0 euid: 0 pgid: 3110 logid: 0 cmd: 'auditbotd'
          domain: Abot edomain: Abot hostname: sw1.fwdomain.com event: alert triggered
          alert_name: Type Enforcement alert_type: Attack num_events: 1
          start_time: Wed Feb 17 11:36:55 2016 end_time: Wed Feb 17 11:36:55 2016
          sacap_filter: (event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM)
          alert_actions: email

           

          "Alerts" on the firewall are triggered by audit events; the 'sacap_filter' (Sidewinder audit capture filter) you see there is the audit filter that the auditbot daemon (auditbotd) watches the audit stream for and then triggers an alert_action if an audit event happens which matches that filter.

           

          These alerts are configured in two places in the GUI under Monitor: "Attack Responses" at v8 (called "IPS Attack Responses" at version 7) and "System Responses" (both versions).  You are matching something from one of those two places.  In my test I matched an Attack Response named "Type Enforcement" (you can see after the "alert_name" there is a field called "alert_type", and mine says "Attack"; the other type is "System").
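To make the "which Response is emailing me" question mechanical, here is an added example (not from the thread or from McAfee) that parses the multi-line audit records printed by the `acat -e "event AUDIT_R_ALERT and alert_actions email"` command above, counts the alerts per Response name and type that carry an email action, and lets you check whether any audit alert falls near the time an email arrived. The record layout is assumed from the single sample in the reply (header line, then `key: value` pairs); the sample records embedded below are constructed for illustration, and the "Disk Space" System response in them is a hypothetical name.

```python
"""Summarise McAfee Firewall Enterprise (Sidewinder) 'alert triggered' audit events.

Added example, not code from the original thread. Feed it the text produced by
  acat -e "event AUDIT_R_ALERT and alert_actions email"
The record layout (one header line, then 'key: value' pairs, records separated
by a blank line) is assumed from the sample record quoted in the thread.
"""
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

# Header line: "Feb 17 11:36:55 2016 CST  f_auditbotd a_server t_alert p_major"
HDR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+\S+\s+"
    r"f_(?P<facility>\S+)\s+a_(?P<area>\S+)\s+t_(?P<type>\S+)\s+p_(?P<priority>\S+)"
)
# 'key: value' pairs; a value runs until the next 'word: ' token or end of record,
# so values containing spaces (alert_name, start_time, sacap_filter) survive intact.
KV_RE = re.compile(r"(\w+):\s+(.+?)(?=\s+\w+:\s|$)")

# Constructed sample output (hypothetical records, modelled on the one in the thread).
SAMPLE_ACAT_OUTPUT = """\
Feb 17 11:36:55 2016 CST  f_auditbotd a_server t_alert p_major
pid: 3110 ruid: 0 euid: 0 pgid: 3110 logid: 0 cmd: 'auditbotd'
domain: Abot edomain: Abot hostname: sw1.fwdomain.com event: alert triggered
alert_name: Type Enforcement alert_type: Attack num_events: 1
start_time: Wed Feb 17 11:36:55 2016 end_time: Wed Feb 17 11:36:55 2016
sacap_filter: (event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM)
alert_actions: email

Feb 17 12:36:55 2016 CST  f_auditbotd a_server t_alert p_major
pid: 3110 ruid: 0 euid: 0 pgid: 3110 logid: 0 cmd: 'auditbotd'
domain: Abot edomain: Abot hostname: sw1.fwdomain.com event: alert triggered
alert_name: Type Enforcement alert_type: Attack num_events: 3
start_time: Wed Feb 17 12:36:40 2016 end_time: Wed Feb 17 12:36:55 2016
sacap_filter: (event AUDIT_R_DDT || event AUDIT_R_DIT || event AUDIT_R_DOM)
alert_actions: email

Feb 17 13:05:10 2016 CST  f_auditbotd a_server t_alert p_minor
pid: 3110 ruid: 0 euid: 0 pgid: 3110 logid: 0 cmd: 'auditbotd'
domain: Abot edomain: Abot hostname: sw1.fwdomain.com event: alert triggered
alert_name: Disk Space alert_type: System num_events: 1
start_time: Wed Feb 17 13:05:10 2016 end_time: Wed Feb 17 13:05:10 2016
sacap_filter: (event AUDIT_R_DISKFULL)
alert_actions: snmp
"""


def parse_record(block):
    """Turn one blank-line-delimited audit record into a dict of its fields."""
    lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
    if not lines:
        return None
    rec = {}
    hdr = HDR_RE.match(lines[0])
    body_lines = lines
    if hdr:
        rec.update(hdr.groupdict())
        ts = re.sub(r"\s+", " ", hdr.group("ts"))
        rec["timestamp"] = datetime.strptime(ts, "%b %d %H:%M:%S %Y")
        body_lines = lines[1:]
    for key, value in KV_RE.findall(" ".join(body_lines)):
        rec[key] = value.strip().strip("'")   # cmd: 'auditbotd' -> auditbotd
    return rec


def parse_acat(text):
    """Parse the whole acat output into a list of record dicts."""
    return [r for r in (parse_record(b) for b in re.split(r"\n\s*\n", text)) if r]


def email_responses(records):
    """Count triggered alerts per (alert_name, alert_type) whose actions include email."""
    counts = Counter()
    for r in records:
        if r.get("event") != "alert triggered":
            continue
        if not re.search(r"\bemail\b", r.get("alert_actions", "")):
            continue
        counts[(r.get("alert_name"), r.get("alert_type"))] += 1
    return counts


def alerts_within(records, when, minutes=5):
    """Alerts timestamped within `minutes` of `when`: empty means the email did not
    come from an Attack/System Response and another mailer (e.g. A/V updates) is likely."""
    window = timedelta(minutes=minutes)
    return [r for r in records if "timestamp" in r and abs(r["timestamp"] - when) <= window]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ACAT_OUTPUT
    recs = parse_acat(text)
    for (name, kind), n in email_responses(recs).most_common():
        print(f"{n:4d}  {kind} Response '{name}' (action: email)")
```

Run it as `acat -e "event AUDIT_R_ALERT and alert_actions email" | python3 alerts.py` on the firewall, or with no input to see the constructed sample; to test a specific hourly email, call `alerts_within(recs, datetime(...))` with the mail's arrival time.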

          • 2. Re: McAfee Enterprise Firewall email issue
            jjensen86

             I've disabled the Attack Response "Type Enforcement".  However, here is my issue.  If the event being generated is in fact from Type Enforcement, now I won't see whenever somebody tries to make a change to the firewall via CLI and doesn't have permissions, as that type of event is also a Type Enforcement.  So is there any way to disable specific "Type Enforcement events" and leave the attack type enabled?

            • 3. Re: McAfee Enterprise Firewall email issue
              sliedl

               I used the 'Type Enforcement' Attack Response only as an example.  You need to run the commands I gave you to determine which Response is triggering the email on your system.

              • 4. Re: McAfee Enterprise Firewall email issue
                jjensen86

                 Running the above command does not show me any events at the time these emails are being generated.  The email is generated every hour.  So I don't believe this is an Attack Response / System Response.  I believe it to be something else.

                 

                 If I run mail -f username

                 

                 I am able to see the details of the message, but SMTP wasn't set up yet, so all the emails were saying host unknown.  The emails go back to 2013.  So I'm attempting to clean out the mailbox and see what the new one looks like...

                • 5. Re: McAfee Enterprise Firewall email issue
                  jjensen86

                  I figured it out.  Under Maintenance - Updates there is the A/V signatures.  That would be the email that is generated every hour.  I'll disable email notification on that.

                  • 6. Re: McAfee Enterprise Firewall email issue
                    sliedl

                    Oh, yes!  I forgot about the other places you can input an email address, namely for any third-party updates on the firewall (like A/V updates).


                    At version 7 you can configure an email address for A/V updates under Policy -> Application Defenses -> Virus Scanning (the 'Enable Email Notification' box).  At version 8 this is set under Maintenance -> Updates -> click 'A/V updates' at the top (it is selected by default).  Remove the email address you have specified there.