Email Alerting: How to exclude encrypted files from error report?

For our member servers AV&HIPS policy I have all of the notification options checked. The client reports I am now receiving are full of errors pertaining to encrypted files, which is to be expected.

It isn't clear to me if this reporting falls under the 'scanning errors' or 'Other errors'. I'd rather not have to parse out the encrypted file errors from the reports, yet maximum reporting is desired. Is it possible to exclude the encrypted files error from the reporting without having to disable reporting for an entire category?

  • I'm also receiving hundreds of reporting emails a day related to scans of encrypted files. Very annoying. Is there still no option to exclude these messages from e-mail reports?

    User: XXXXX
    Scan: On-access
    Machine: XXXXX

    Scanning "XXXXXXXXX" returned SAV Interface error 0xa0040212: The file is encrypted.
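    One way to keep full reporting switched on yet stop the encrypted-file errors from burying everything else, as an added example that is not from this thread or from Sophos: parse alerts in the User/Scan/Machine/Scanning layout quoted above, set aside error 0xa0040212 from what gets read, and count what was set aside so the suppression stays visible. The sample alerts, users, machines, paths and the 0xdeadbeef code are constructed placeholders.

```python
import re
from collections import Counter

# Matches the alert line quoted above; 0xa0040212 is "The file is encrypted".
ERROR_RE = re.compile(
    r'Scanning "(?P<path>[^"]*)" returned SAV Interface error '
    r'(?P<code>0x[0-9a-fA-F]{8}): (?P<text>.*)'
)
ENCRYPTED_FILE = "0xa0040212"
FIELDS = ("user", "scan", "machine", "path", "code", "text")

def parse_alert(block):
    """Parse one User/Scan/Machine/Scanning alert; None if any field is missing."""
    fields = {}
    for line in map(str.strip, block.splitlines()):
        m = ERROR_RE.match(line)
        if m:
            fields.update(m.groupdict())
        elif ":" in line:  # "User: ...", "Scan: ...", "Machine: ..."
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
    if not all(k in fields for k in FIELDS):
        return None
    return {k: fields[k] for k in FIELDS}

def triage(blocks, suppress=frozenset({ENCRYPTED_FILE})):
    """Return (alerts to read, Counter per suppressed code, unparsed blocks).
    Counting the suppressed alerts keeps the drop visible to recipients who
    have no console access, rather than silently hiding an error category."""
    keep, dropped, unparsed = [], Counter(), []
    for block in blocks:
        alert = parse_alert(block)
        if alert is None:
            unparsed.append(block)  # never drop what cannot be classified
        elif alert["code"].lower() in suppress:
            dropped[alert["code"].lower()] += 1
        else:
            keep.append(alert)
    return keep, dropped, unparsed

# Constructed sample alerts: users, machines, paths and 0xdeadbeef are placeholders.
SAMPLE_ALERTS = [
    'User: alice\nScan: On-access\nMachine: FS01\n'
    'Scanning "C:\\share\\a.docx" returned SAV Interface error 0xa0040212: The file is encrypted.',
    'User: bob\nScan: On-access\nMachine: WS22\n'
    'Scanning "C:\\tmp\\b.bin" returned SAV Interface error 0xdeadbeef: placeholder error.',
    'User: carol\nScan: On-access\nMachine: FS01\n'
    'Scanning "C:\\share\\c.pdf" returned SAV Interface error 0xA0040212: The file is encrypted.',
    'Not an alert at all',
]
```

    Calling `triage(SAMPLE_ALERTS)` leaves one alert to read, counts two encrypted-file errors, and keeps the unrecognised line rather than discarding it.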
  • Hello MarcJavanshad,

    some similar feature requests have been posted (you could give them votes).

    Scan: On-access alerting is controlled by the AV&HIPS policy, Messaging - Email Alerting is off by default; if you enable it you additionally must tick the two error categories in order to receive these alerts. Why did you do it, how will these alerts help you? Or put another way: Did you and could you actually ever make use of one of the alerts received - inspected the endpoint, found something that needed repair or even a covert threat?
    Please consider whether you really need these alerts and if not turn them off.

    Christian 

  • QC,

    From your question as to why you would turn on email alerts, I seem to be missing something. You make it sound useless. I guess my question is, why did Sophos give us the option to turn it on, and what good does it do us?

    Kelly

  • Hello Kelly,

    why did sophos give us the option to turn it on
    IIRC email alerting predates SEC, in the beginning there was no management at all, then (with EM Library) you could manage the subscriptions but not the endpoints. Email and SNMP were the only means to get "feedback" from the endpoints.
    [y]ou make it sound useless
    IMO (but it is just my personal opinion) email alerting is of limited use (if you manage your endpoints with SEC). I make it sound useless because I'm really interested in "profitable" use cases. Most of the scanning errors are normal and you'd have to inspect each and every one to separate the wheat from the chaff - I doubt that someone is actually doing this (and it's perhaps easier from the console).

    Christian

    In my organisation we have over 6000 devices, laptops, desktops, virtual machines, a Citrix farm and many servers all with Sophos installed. These groups of machines are generally managed by different teams and not all of these people have access to the SEC. Email alerting allows us to send potentially useful information to those people that have a particular investment in their own areas.

    Encrypted files are not an issue (we have legitimately encrypted files on the network) but the inundation of email alerts concerning them does hide other more useful alerts.

    We also do not have anyone constantly monitoring the SEC and use such things as email alerts to sit up and pay attention if there is a flurry of virus alerts, for example.

  • Hello MrPink,

    not all of these people have access to the SEC
    are there technical reasons? SEC provides Roles and Sub-Estates permitting limited management of particular segments by certain users. Admittedly the available rights that can be assigned to a role are perhaps not ideal but Sub-Estates might have some use.

    a flurry of virus alerts
    one reason that I'm not really embracing email alerts is that you get them whether the threat was "satisfactorily" handled or not - and for most detections the former is the case. Similar to the problem with errors where the "common ones" hide the significant.

    Christian 

  • We do use Managed Roles and Sub-Estates, but there are a number of reasons not everyone that would benefit from it actually has it. Some of that is about security and the number of people that would need access, more of it is about a kind of lack of interest! We have no official 'Sophos Administrator', I take on that role when I can but only because I'm interested in what's going on. Also, some of these emails are sent to our Information Security team, they don't need or want access to the console but want to know if there are concerns...

    For me, looking at the alerts can give me a quick idea of whether there is a problem or not. I see that many alerts are raised throughout the day but I can tell if there is a problem purely based on the number of alerts. There is a 'normal' level of noise and then there are exceptional events. I scan them as part of my day anyway, but if there are an exceptional number of alerts I tend to scrutinise them, or go on to the SEC to see what is actually going on.

    Basically, if the number of alerts is overwhelming, other people will not even bother to scan them.

  • Hello MrPink,

    I see, quite conceivable. Nevertheless - no official 'Sophos Administrator' with 6000+ devices (let me guess - you have a number of endpoints with stubborn protection/updating issues?); having one would IMO be a good idea. It pays to have some kind of specialist for this software, but this is just my POV.

    Wouldn't your Information Security team be better off with Reports?

    As to the unwanted error notifications (again my opinion, I'm not Sophos): The scanner can't really discern legitimately and maliciously encrypted or password protected files. Therefore as far as alerting is concerned there's deliberately no option to suppress certain errors or error codes, just the (fuzzy) distinction between scanning and other errors. As in your case email recipients often don't (have) access (to) the console and might not be aware that specific errors are suppressed, which ones these are, and what this signifies. So it's either all or none.
    Email alerting dates back to pre-console and pre-management times and was the only way to inform someone other than the local user. No frills and furbelows; when central management arrived it was probably deemed unessential. And nowadays if you want granularity and automation you'd plug your SIEM into the database. There's perhaps not sufficient demand to justify development in this area.

    Christian