8 Replies Latest reply on Feb 4, 2009 3:09 PM by jsuuronen

    decipher notifications

      I get a lot of "Virus Detected and Not Removed" events received from ePO, but how do I find out where they are coming from? The notifications are kinda hard to understand.

      How do I find the affected machines?

      ePolicy Orchestrator Notification Rule: Virus detected and not removed Rule Defined At: Directory
      Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

      Number of events: 78326
      Source computer IP addresses: 10.1.35.14:25, 217.10.142.247, _, Actual threat names: Cookie-RU4, Cookie-Spylog, Cookie-Atdmt, RemAdm-VNCView, Cookie-Zedo, Common Standard Protection:Prevent termination of McAfee processes, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings, Cookie-Untd, Cookie-ProMarket, Cookie-Insightexpres, Anti-virus Standard Protection:Prevent mass mailing worms from sending mail, Cookie-Omniture, Cookie-Adrevolver, Generic Downloader.h, Generic Downloader.g, Cookie-AdBureau, Cookie-Pointroll, Cookie-Trafficmp, Targeted Scan, Common Standard Protection:Prevent common programs from running files from the Temp folder, Cookie-Revenue, Exploit-ByteVerify, Cookie-Yadro, Common Standard Protection:Prevent modification of McAfee Scan Engine files and settings, Cookie-Advertising, Cookie-Nextag, Cookie-Cars, Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings, Cookie-Hotlog, Common Standard Protection:Protect Mozilla & FireFox files and settings, Cookie-Tribalfusion, Cookie-Overture, Cookie-Tickle, KERNEL32.LoadLibraryA, Cookie-AdDynamix, Cookie-RealMedia, Cookie-Burst, VBS/Psyme, OAS, Cookie-Questionmarke, Cookie-Roiservice, Cookie-Bravenet, Cookie-Linkshare, Cookie-Yieldmanager, Cookie-SearchPortal, Generic BackDoor, Cookie-Statcounter, On-Demand Scan, BackDoor-DNM.dldr, Cookie-Valueclick, FakeAlert-AB!lnk, Common Standard Protection:Prevent modification of McAfee files and settings, ?, Virtual Machine Protection:Prevent modification of VMWare Workstation files and settings, Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, Cookie-Hitbox, Cookie-SpecClick, Adware-OneStep, Cookie-Liveperson, Tibs-Packed, Unknown rule, Cookie-Fastclick, Cookie-Casalemedia, Cookie-Bluestreak, Cookie-Doubleclick, Common Standard Protection:Protect Internet Explorer settings, Cookie-Atwola, Cookie-Eyeblaster, AutoUpdate, Cookie-Gemius, 
Cookie-Imrworldwide, FakeAlert-AB, Cookie-2O7, Cookie-Mediaplex, FakeAlert-AB.dldr.gen.b, Actual products: GroupShield Exchange, PortalShield, VirusScan, McAfee Agent, ePO Server

      For additional information, see the Notification Log in the ePolicy Orchestrator console.

      ePolicy Orchestrator Notification Rule: Virus detected and not removed Rule Defined At: Directory
      Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.

      Number of events: 70144
      Source computer IP addresses: 10.1.35.14:25, 190.55.172.100:6668, ePO_FS-CH-AV, Actual threat names: Common Standard Protection:Prevent common programs from running files from the Temp folder, Anti-virus Standard Protection:Prevent mass mailing worms from sending mail, OAS, Cookie-2O7, Common Standard Protection:Prevent termination of McAfee processes, Virtual Machine Protection:Prevent modification of VMWare virtual machine files, FakeAlert-AB!lnk, Common Standard Protection:Protect Internet Explorer settings, Common Maximum Protection:Prevent launching of files from the Downloaded Program Files folder, Adware-WebSearch, Generic Downloader.e, Cookie-SpecClick, JS/Tenia.d, FakeAlert-AG.gen.a, FakeAlert-AB, Common Standard Protection:Prevent modification of McAfee files and settings, Common Standard Protection:Prevent modification of McAfee Common Management Agent files and settings, Cookie-Pointroll, BackDoor-DNM.dldr, Common Standard Protection:Protect Mozilla & FireFox files and settings, Tibs-Packed, Puper, Anti-virus Standard Protection:Prevent IRC communication, W32/Rontokbro.gen@MM, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings, Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, AutoUpdate, Generic.dx, Actual products: GroupShield Exchange, PortalShield, VirusScan, McAfee Agent, ePO Server

      For additional information, see the Notification Log in the ePolicy Orchestrator console.
        • 1. RE: decipher notifications
          tonyb99
          Looks like you've totally knackered these notifications....

          Disable them and start again.

          Turn off cookie notifying unless you really want it (can't imagine why anyone would even store cookie events).

          Start with the basic template they already provide and set it for individual events, not groups, unless you want an unmanageable mess of crud as the response.

          If you get too many, start thinking about thresholds.
          • 2. RE: decipher notifications
            Here is an example of one that I have set up. Maybe someone else will post theirs as well? I would be curious to see what other alerts folks have configured; always looking to improve my setup.

            Subject:

            "Virus Detected and Not Removed" - {AffectedComputerNames} - {ReceivedThreatNames}

            Body:

            ePolicy Orchestrator Notification

            Rule: {NotificationRuleName}
            Number of events: {ReceivedNumEvents}
            Affected Computers IP addresses: {AffectedComputerIPs}
            Affected Computer Names: {AffectedComputerNames}
            Actual Threat Names: {ReceivedThreatNames}
            Affected Objects: {AffectedObjects}
            First Event Time: {FirstEventTime}

            For additional information, see the Notification Log in the ePolicy Orchestrator console.
            • 3. RE: decipher notifications
              tonyb99
              mine are much the same eg:

              EPO Threat found and not removed - {AffectedComputerNames} - {AffectedComputerIPs}

              ePolicy Orchestrator Notification
              Rule: {NotificationRuleName}
              Rule Defined At: {BranchNodePath}
              Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.
              Affected computer IP addresses: {AffectedComputerIPs}
              Affected computer: {AffectedComputerNames}
              Actual threat names: {ReceivedThreatNames}
              Affected object: {AffectedObjects}
              Actual products: {ReceivedProductFamilies}
              Event details: {EventDescriptions}
              For additional information, see the Notification Log in the ePolicy Orchestrator console.
              • 4. RE: decipher notifications
                Cool, thanks Tony.

                Right now I have 2 alerts that I primarily use:

                detected and not removed
                detected and removed successfully (for comparison)

                I have an alert set up to notify me when the on-access scanner is not enabled on a machine, but so far I have not had luck getting this to work. Do you use it by chance?
                • 5. Thanks Guys
                  Thanks guys, that helps a lot.

                  I still get a lot of gibberish though, it seems... Is there a way to get email notifications saying that this machine/IP is infected with this virus/malware?

                  Or could you send a copy of one of your email notifications so I can see what a normal one is supposed to look like...

                  I used both of your suggestions and this is what I get.

                  EPO Threat found and not removed - x.x.x.x x.x.x.x.x.x.x.x.x.x.x.x.x

                  ePolicy Orchestrator Notification
                  Rule: New Rule
                  Rule Defined At: Directory
                  Description: Notifications sends an e-mail message when "Virus Detected and Not Removed" events are received.
                  Affected computer IP addresses: x.x.x.x, x.x.x.x.233, x.x.x.x, x.x.x.x
                  Affected computer: -------, ---------, ---------, ---------
                  Actual threat names: Anti-virus Standard Protection:Prevent mass mailing worms from sending mail,
                  Affected object: C:\Program Files\Common Files\McAfee\Engine\avvnames.dat, C:\Program Files\HEAT\CallLog32.exe, DAT, Engine, C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\Current\AUENGINEMETA\AUEngineContentDetection.McS, ----------, C:\Documents and Settings\All Users\Application Data\McAfee\Common Framework\AgentEvents\00000060.txml, C:\Program Files\Common Files\McAfee\Engine\avvclean.dat, C:\Program Files\Common Files\McAfee\Engine\avvscan.dat
                  Actual products: GroupShield Exchange, VirusScan, McAfee Agent
                  Event details: Scan Timed Out, Update Successful
                  For additional information, see the Notification Log in the ePolicy Orchestrator console.


                  Or this


                  ePolicy Orchestrator Notification

                  Rule: Virus Detected and Not Removed
                  Number of events: 100
                  Affected Computers IP addresses: x.x.x.x
                  Affected Computer Names: -------, DELETE
                  Actual Threat Names: Common Standard Protection:Prevent installation of Browser Helper Objects and Shell Extensions, Anti-spyware Standard Protection:Protect Internet Explorer favorites and settings,
                  Affected Objects: \REGISTRY\USER\S-1-5-21-256225738-2272727325-1692859293-8349\Software\Microsoft \Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, C:\Documents and Settings\domlinj\Local Settings\Temporary Internet Files\Content.IE5\K1UBC1IN\premium[1].css\premium[1], C:\Documents and Settings\domlinj\Local Settings\Temporary Internet Files\Content.IE5\C1I7G5YN\premium[1].css\premium[1], \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-1016\Software\Microsoft \Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, C:\Documents and Settings\OneyD\Local Settings\Temporary Internet Files\Content.IE5\C1I7G5YN\premium[1].css\premium[1], \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8DD448E6-C188-4aed-AF92-44956194EB1F}, \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}, \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-1011\Software\Microsoft \Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings, DAT, \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved, HotFix, \REGISTRY\USER\S-1-5-21-1065838518-1447043431-986981630-500\Software\Microsoft\ Internet Explorer\International\CpCache, C:\Documents and Settings\OneyD\Local Settings\Temporary Internet Files\Content.IE5\X621L1KC\premium[1].css\premium[1], SuperDAT
                  First Event Time: 2/4/09 11:55:23 AM

                  For additional information, see the Notification Log in the ePolicy Orchestrator console.


                  • 6. RE: Thanks Guys
                    It looks like you have throttling set up of some sort. I didn't like how my alerts were being displayed when I had throttling enabled, so I just turned it off and I deal with the spam via filters.

                    A typical email would look like this:

                    Subject:
                    "Virus Detected and Not Removed" - <machine name> - Exploit-XMLhttp.d.gen

                    BODY:

                    ePolicy Orchestrator Notification

                    Rule: Virus detected and not removed
                    Number of events: 1
                    Affected Computers IP addresses: <IP address>
                    Affected Computer Names: <machine name>
                    Actual Threat Names: Exploit-XMLhttp.d.gen
                    Affected Objects: C:\Documents and Settings\<username>\Local Settings\Temporary Internet Files\Content.IE5\0B2RY579\b[1].htm
                    First Event Time: 2/3/09 7:40:29 AM

                    For additional information, see the Notification Log in the ePolicy Orchestrator console.
                    • 7. RE: Thanks Guys
                      Now that's what I am looking for...

                      Where do I turn off this damn throttling???

                      Thanks in advance.
                      • 8. RE: Thanks Guys
                        Log in to your ePO server and go to Notifications -> Rules tab.

                        Click the rule you want to modify; at the top, skip to step 3 'Set Thresholds' and change that to what you prefer: send a notification for every event, or one of the different throttling/aggregation options.
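As an added example (not code from this thread or from McAfee), a small Python model of the `{Placeholder}` template substitution shown in replies 2 and 3, rendered once with an aggregating threshold and once per event, to show why the throttled mail in reply 5 comes out as comma-joined lists from which the host-to-threat pairing cannot be recovered. The template is a shortened copy of the ones posted above; the aggregation behaviour (distinct values joined with ", "), the sample events, host names, IPs and paths are constructed assumptions, not ePO's actual implementation.

```python
import re

# Placeholder syntax follows the thread ({AffectedComputerNames} etc.);
# the template text is a shortened version of the ones posted above.
TEMPLATE = (
    '"Virus Detected and Not Removed" - {AffectedComputerNames} - {ReceivedThreatNames}\n'
    "Number of events: {ReceivedNumEvents}\n"
    "Affected Computers IP addresses: {AffectedComputerIPs}\n"
    "Affected Computer Names: {AffectedComputerNames}\n"
    "Actual Threat Names: {ReceivedThreatNames}\n"
    "Affected Objects: {AffectedObjects}"
)

# Constructed sample events; hosts, IPs and paths are made up, not from the thread.
EVENTS = [
    {"host": "WS-0101", "ip": "10.0.0.11", "threat": "Exploit-XMLhttp.d.gen", "obj": r"C:\Temp\b[1].htm"},
    {"host": "WS-0102", "ip": "10.0.0.12", "threat": "Cookie-Doubleclick", "obj": r"C:\Temp\ad.txt"},
    {"host": "WS-0103", "ip": "10.0.0.13", "threat": "Generic Downloader.h", "obj": r"C:\Temp\x.exe"},
]

def fields_for(events):
    """Placeholder values for a batch of events. Assumption: an aggregating rule
    joins the distinct values of each field with ', ', so per-event correlation
    between host and threat is lost in the rendered mail."""
    def distinct(key):
        return ", ".join(dict.fromkeys(e[key] for e in events))
    return {"AffectedComputerNames": distinct("host"), "AffectedComputerIPs": distinct("ip"),
            "ReceivedThreatNames": distinct("threat"), "AffectedObjects": distinct("obj"),
            "ReceivedNumEvents": str(len(events))}

def render(template, events):
    """Substitute {Name} placeholders; unknown names are left untouched."""
    values = fields_for(events)
    return re.sub(r"\{(\w+)\}", lambda m: values.get(m.group(1), m.group(0)), template)

def emails_with_threshold(events, aggregate):
    """aggregate=True mimics a threshold that batches events into one mail;
    aggregate=False mimics 'send a notification for every event'."""
    return [render(TEMPLATE, events)] if aggregate else [render(TEMPLATE, [e]) for e in events]

def host_threat_pairs(email):
    """Parse one mail back into a (host, threat) pair. Only unambiguous when both
    fields carry a single value; an aggregated mail returns None."""
    hosts = re.search(r"^Affected Computer Names: (.*)$", email, re.M).group(1).split(", ")
    threats = re.search(r"^Actual Threat Names: (.*)$", email, re.M).group(1).split(", ")
    if len(hosts) != 1 or len(threats) != 1:
        return None
    return (hosts[0], threats[0])

if __name__ == "__main__":
    for mode in (True, False):
        for mail in emails_with_threshold(EVENTS, aggregate=mode):
            print(host_threat_pairs(mail), "<-", mail.splitlines()[0])
```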