
infected PC not get reported in console 4.5

Hi All,

In what circumstances would an infected PC not get reported in the console (normally they do)? I ask as we had a PC which caught Virus/spyware 'Mal/PDFJs-P' but it didn't appear on the console. I've checked the log on the PC and in console and the trojan was immediately deleted. We're running 4.5 console and a mix of 7.6.20 (which this computer was) and 9.5.4's.

If this is the case would it not get reported?

Regards.

:5923


This thread was automatically locked due to age.
  • Hello 1976saint,

    First and foremost: The PC is not infected - that is, in almost all cases. It's a common misconception that a detected threat signifies infection. SAV's major task is to prevent infection. A removable medium could be called infected, a formerly unprotected PC might in fact be infected (although not necessarily even if a threat is found somewhere on disk) and a protected PC might get infected by a new strain. But usually these are rare cases.

    The question is better asked the other way round: when is an alert sent to SEC? If you have set your AV policy to automatically clean up threats you won't be alerted most of the time (sometimes you briefly see a client appearing and disappearing). Only threats which require "special action" are reported. It might be somewhat confusing that even with automatic cleanup enabled you get alerts for cleanable threats.

    The Alert and Event History report probably lists quite a number of threats you have "never seen".

    BTW: How did you find out - did the user report the pop up?

    Christian

    :5925
  • Hi Christian, yes it was reported as from the pop-up. Thanks for the explanation, Regards.

    :5977
  • Hi Christian,

    Just to add one other condition: if you don't have auto-clean enabled but the user jumps in themselves to their quarantine and 'cleans', then the alert clears on the console. It does stay in the history though and is reportable. I'm not 100% sure but if the user simply 'acks' or 'clears' from the quarantine, does it vanish too from console?

    Matt

    :6029
  • Right, Matt, "local action" will also clear the alert from SEC. If a user authorizes e.g. a PUA it will vanish.

    Christian

    :6071
  • Tricky to say if that's an oversight of the management system or not. Can think of many pros and cons for both arguments...

    Matt

    :6073
  • Just pick up on one thing there Christian:

    "If a user authorizes e.g. a PUA it will vanish"

    This would cause a policy compliance failure though and show in the console in another section. Once policy compliance is re-established i.e. console comply, the PUA would reappear on next use or next scheduled scan.

    Matt

    :6079
  • I'd say it is deliberate - the View: drop down says potential problems -> outstanding alerts. As you need Power User rights I guess it is assumed that "authority is delegated".   

    Christian

    :6085