disappointed w/ notifications

I am somewhat disappointed so far with the notification system.

method 1
I can setup email alerts directly from the client when there is a threat or event alert warning.

This option works great until I receive 200 email's because one Trojan on one machine keeps recreating itself and getting caught by the real-time scanner.


method 2
setting up a notification per hour based on last threats

This option would be great if it would only pull the actually "last threats" instead of every last threat from my entire log which consist of an entire year worth of data. I really don't need to know if clientA had a threat 3 months ago.




Is there a way to receive 1 notification when someone has a threat. I address said threat and all is well... if this isn't something that can be done then is there anything I can do about receiving 200 emails from one client? I am getting emails every single minute and when I use notification manager I get emails once per hour but I get threats that aren't even threats any longer.

 

Throtttle the method 1 notification to once every 2/4/6/8/10/12/24 hours?

My virus notification is set up as so:

Trigger Type: New Log Event
Priority: P1
Throttle: Not Used (the throttle is controlled by 5 occurances in 60 minutes here)
Threat Log Level 4: 5 occurances in 60 minutes for >= 1 computers.

 

Hello,

Which Notification rule are you using? If you use the possible virus outbreak rule, it should not show previous messages at all. It sounds like you are sending reports, which does compile all the data for a period of time.

 

I made a new rule.. it's entirely possible I have this all setup incorrectly...

trigger type: client state
priority: p1
parameters: Amount >= 1 of filtered clients; Problem condition (Has Last Threat Event)

 

I am trying a new client log rule now to see if that works for me...

 

I have used a modified Possible virus outbreak rule and just modified it to:

Threat Log;
Level 4 - Above + Diagnostic;
1 occurrences in 10 Minutes, Amount >= 1 of filtered clients

I set this up just for testing and then used the eicar test file. For my testing, it collected all the notifications and sent them after the 10 minutes were up and then not again after that unless there was a new one. I would suggest using a similar method.

 

Is there anyway for the notification to provide more data? I am using this as a means of documentation and it doesn't say anything about the threat id or the actually type of threat etc..

 

click "show me options" next to the message box to see available options?

There might be more documented on kb.eset.com?


Aren't you keeping the ERAS data for 12 months on the server? (other thread). Isn't that enough documentation?

 

I have document and address every threat and warning event. This typically means either making some type of template and cut and paste each threat forward that threat to the appropriate department in this case probably our desktop support people for a resolution. Then process the return document after they have a resolution.

It is much easier for me to simply forward an email each time and keep up with the responses instead of other types of documentation.

 

Is it possible to include the Threat or Event ID in the subject header or in the message itself?

 

I don't think so at present. You may want to check out ERAS/ERAC 4 beta (posted in 'other eset products' forum). AFAIK the first public beta was released Friday?

Perhaps it's more robust.