Solved

Detection Reporting and Alerts

  • 4 March 2012
  • 3 replies
  • 72 views

Hello,
 
I am testing the SecureAnywhere Endpoint product. I selected to be alerted "immediately" when there is a detection, and then I downloaded the EICAR test file. The file was detected and removed, but I don't see any detections listed in the console and I did not receive an email. How is detection data reported back to the console, and when should I expect to be notified in the event of a detection?

Best answer by Kit 5 March 2012, 17:35


3 replies

Userlevel 7
Endpoint data reporting works on the same basis as detection distribution and collection. One important thing to be aware of in that case is that there are millions of sources of data hitting us, while the same data is being distributed to the same millions of agents. Data coming to us can take up to two minutes normally to reach the main database system; however, in some circumstances this time frame can be longer. As I am not at the office over the weekend, I could not tell you what the current turnaround is. Regardless of inbound time, outbound information from the main database system to the agent has a latency of a second or two at most. Since the outbound information and accurate detection are of such high priority, they will always take precedence over inbound information.
 
That being said, when things are working 100% optimally, a detection on an agent that has unfettered network access to our cloud will take between one and five minutes to reach the console. Obviously, in the Real World, it can take a touch longer depending on numerous aspects like network access, system load (we adjust as needed, but that adjustment is not instant).
 
If you feel that it is taking too long (for example, it ends up taking hours instead of minutes), please feel free to contact our Enterprise Support Team, as we will support you even with only a trial in use.
Hi Kit,
 
I'm not seeing detection data making it to the console at all. I've tried two different things:
1) With real-time protection enabled, create an EICAR test file. This immediately gets removed and then a full scan is automatically run to find any remaining traces.
2) With real-time protection disabled, create an EICAR test file, then run a manual scan. Again, the file gets detected and quarantined.
 
In either case, I did not see the detection listed in the web console, nor did I receive an email regarding the detection. Am I missing something?
 
Thank you!
Userlevel 7
The good news is that yes, we were both missing something.
 
EICAR is handled as an Agent-Local Detection (ALD), so it will never trigger on the console.
 
Items that are ALDs and all cached re-detections will not show on the console unless the state cannot be brought to clean or the cache is hit too hard and/or too often. With cached detections, this means that if badfile.exe is detected, it will trigger a console alert. The detection information is thereafter cached, so if the machine goes clean and the file is then detected again later while it is cached, it will not trigger an alert. However, if it is detected, then the secondary scan detects it again, the machine has not gone clean, and this will trigger a console alert. Also, if it is detected, then cleaned, then repeatedly redetected and cleaned successfully, it will trigger an alert due to the repeated redetections when they pass a threshold defined for the severity of the infection.
 
One of the easiest ways to test for console alerts is to create a faux threat and manually define it as a threat on the console. When a scan is done on the agent, it will receive the determination override and proceed to act on it, and it should trigger the alert on the console. If you would like assistance with this process, contacting the Enterprise Support team would be the best bet, as that functionality is best handled by that team.
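As an added illustration (not Webroot's code, and not part of this thread), the alerting rules Kit describes above can be modelled as a small state machine: agent-local detections never alert, a first detection alerts, a cached re-detection after the machine went clean stays silent, a re-detection with no intervening clean alerts, and repeated clean/redetect cycles alert once they pass a per-severity threshold. The threshold values and the severity names are assumptions for the example; the thread gives neither.

```python
from dataclasses import dataclass

# Assumed per-severity redetection thresholds (constructed for this example;
# the thread only says the threshold depends on the severity of the infection).
REDETECT_THRESHOLD = {"low": 5, "medium": 3, "high": 2}


@dataclass
class ThreatState:
    cached: bool = False           # detection info is cached on the agent
    clean_since_detect: bool = True  # machine reported clean after the last detection
    redetections: int = 0          # clean-then-redetect cycles since first detection


class ConsoleAlertModel:
    """Decides whether a detection reported by an agent raises a console alert."""

    def __init__(self) -> None:
        self.state: dict[str, ThreatState] = {}

    def detect(self, name: str, severity: str, agent_local: bool = False) -> bool:
        """Return True if this detection event should appear on the console."""
        if agent_local:
            return False  # ALD (e.g. the EICAR test file) never reaches the console
        st = self.state.setdefault(name, ThreatState())
        if not st.cached:
            st.cached = True
            st.clean_since_detect = False
            return True  # first detection of badfile.exe: alert
        if not st.clean_since_detect:
            return True  # secondary scan still finds it: machine never went clean
        # Cached re-detection after a clean: silent until the cycle count passes threshold.
        st.redetections += 1
        st.clean_since_detect = False
        if st.redetections >= REDETECT_THRESHOLD[severity]:
            st.redetections = 0  # reset after alerting on repeated redetections
            return True
        return False

    def cleaned(self, name: str) -> None:
        """Record that the agent successfully removed the threat."""
        st = self.state.get(name)
        if st is not None:
            st.clean_since_detect = True
```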
