In the Kaspersky module we can see that a lot of agents are reporting detected threats. But what kind of alarms are you supposed to take any action on?
Has Kaspersky blocked the threat, or do we need to do anything? I'm specifically asking about the events that are logged as "suspicious" and "remediated by user".
To monitor our clients with KAV we have the following basic event log monitor set that we have applied on clients.
The general idea when we started building this monitor set was that we only wanted to be alerted when KAV actually finds a virus that could not be quarantined or deleted.
When we applied this monitor set we started to get a lot of tickets generated from clients telling us that threats were detected. But tickets are also created when items have already been deleted!?
The screen shot below shows the threats detected by the KAV engine on a machine.
This is the number of tickets that were created. (3 missing?)
The tickets contained the information below.
Log: Application
Type: Warning
Event: 257
Alert Time: 2013-03-10 03:57:16Z
Event Time: 03:01:02 AM 10-Mar-2013 UTC
Source: KAVComponent
Category: None
Username: N/A
Computer: 115S
Description: KAV: An Anti-Virus threat was detected (Trojan-Downloader.Java.Agent.rg).

Application log generated Warning Event 257 on 115s.hq.whyred
For more information see http://www.eventid.net/display.asp?eventid=257&source=KAVComponent
Log: Application
Type: Warning
Event: 257
Alert Time: 2013-03-10 02:49:45Z
Event Time: 01:53:31 AM 10-Mar-2013 UTC
Source: KAVComponent
Category: None
Username: N/A
Computer: 115S
Description: KAV: An Anti-Virus threat was detected (HEUR:Backdoor.Win32.Generic).
What sort of events would one have to follow up on? And what kind of events are considered to be blocked by KAV?
I would appreciate it if anyone else has any input on what to exclude/include from the KAV monitoring, and if anyone has any documentation on the KAV event log messages that exist today.
What we would like is a monitor set that only alerts us when the KAV client needs attention, not one that reports on things that have already been blocked.
I would really appreciate it if someone had some input on these questions, or at least could point us in the right direction.
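As an added example that is not part of this thread and not Kaseya's or Kaspersky's code: a small Python script that parses tickets in the layout quoted above, pulls out the threat name and the delay between the event and the alert, and sorts each ticket into a "needs attention", "review" or "suppress" bucket. The phrase lists that drive the triage are an assumption of the example, since the thread has no documentation of the KAV message vocabulary; the sample tickets beyond the two quoted above are constructed, as are the computer names and threat names in them.

```python
import re
from datetime import datetime, timezone

# Constructed sample tickets. The field layout (Log, Type, Event, Alert Time,
# Event Time, Source, Category, Username, Computer, Description) and the first
# two descriptions follow the tickets quoted in the thread; the other three
# descriptions are invented here to exercise the remaining triage branches.
def _ticket(alert_time, event_time, computer, description):
    return (
        "Log: Application\nType: Warning\nEvent: 257\n"
        f"Alert Time: {alert_time}\nEvent Time: {event_time}\n"
        "Source: KAVComponent\nCategory: None\nUsername: N/A\n"
        f"Computer: {computer}\nDescription: {description}"
    )

SAMPLE_TICKETS = [
    _ticket("2013-03-10 03:57:16Z", "03:01:02 AM 10-Mar-2013 UTC", "115S",
            "KAV: An Anti-Virus threat was detected (Trojan-Downloader.Java.Agent.rg)."),
    _ticket("2013-03-10 02:49:45Z", "01:53:31 AM 10-Mar-2013 UTC", "115S",
            "KAV: An Anti-Virus threat was detected (HEUR:Backdoor.Win32.Generic)."),
    _ticket("2013-03-10 04:10:00Z", "04:05:00 AM 10-Mar-2013 UTC", "116S",
            "KAV: An Anti-Virus threat was detected and could not be deleted (Constructed.Sample.A)."),
    _ticket("2013-03-10 04:12:00Z", "04:07:00 AM 10-Mar-2013 UTC", "117S",
            "KAV: Suspicious object detected (Constructed.Sample.B)."),
    _ticket("2013-03-10 04:14:00Z", "04:09:00 AM 10-Mar-2013 UTC", "118S",
            "KAV: An Anti-Virus threat was detected and deleted (Constructed.Sample.C)."),
]

FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")
THREAT_RE = re.compile(r"\(([^()]+)\)\s*\.?\s*$")

# Phrase lists are an assumption of this example, not a documented KAV
# vocabulary; tune them against the descriptions your own tickets contain.
FAILED_PHRASES = ("could not be", "cannot be", "not be quarantined",
                  "not be deleted", "failed")
REVIEW_PHRASES = ("suspicious", "remediated by user")
HANDLED_PHRASES = ("deleted", "quarantined", "disinfected", "blocked")


def parse_ticket(text):
    """Turn one ticket body into a dict of typed fields."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    alert = datetime.strptime(fields["Alert Time"], "%Y-%m-%d %H:%M:%SZ")
    event = datetime.strptime(fields["Event Time"], "%I:%M:%S %p %d-%b-%Y UTC")
    alert = alert.replace(tzinfo=timezone.utc)
    event = event.replace(tzinfo=timezone.utc)
    desc = fields.get("Description", "")
    threat = THREAT_RE.search(desc)
    return {
        "computer": fields.get("Computer", ""),
        "event_id": int(fields.get("Event", "0")),
        "source": fields.get("Source", ""),
        "description": desc,
        "threat": threat.group(1) if threat else None,
        # how long after the event the alert was raised
        "alert_delay_s": int((alert - event).total_seconds()),
    }


def triage(ticket):
    """Classify a parsed ticket: 'needs_attention', 'review' or 'suppress'."""
    d = ticket["description"].lower()
    if any(p in d for p in FAILED_PHRASES):
        return "needs_attention"          # KAV says it could not clean up
    if any(p in d for p in REVIEW_PHRASES):
        return "review"                   # the outcomes the thread asks about
    if any(p in d for p in HANDLED_PHRASES):
        return "suppress"                 # KAV reports it already dealt with it
    return "review"                       # 'detected' alone states no outcome


def summarize(ticket_texts):
    """Group (computer, threat) pairs by triage category."""
    out = {"needs_attention": [], "review": [], "suppress": []}
    for text in ticket_texts:
        t = parse_ticket(text)
        out[triage(t)].append((t["computer"], t["threat"]))
    return out


if __name__ == "__main__":
    for category, items in summarize(SAMPLE_TICKETS).items():
        print(f"{category}: {items}")
```

The two quoted tickets land in "review" because their description only says "detected" and states no outcome, which is exactly the gap the thread is asking about; the failure phrases are checked before the handled phrases so that "could not be deleted" is never suppressed just because it contains "deleted".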
I have been asking for this for a while, submitted tickets for ways to do this, etc. Have always been told that there is not a way to do this. Very frustrating because what you say is correct, I only want to know when KAV requires my attention, not when it is doing its job. I have already submitted this as a feature request a few months back... anybody from Kaseya????
I hear ya mactech.... I have disabled our notifications for the moment because it generated too many false positives and manual check-ups.
I was told by Kaseya that the alerting process for KAV has been considerably revamped in the next version and will soon be under a Controlled Release process in the next few weeks. So hopefully the flaws have been overlooked and adjusted in the next version.
To be continued....