ERA 6.4 quarantine report

[avielc 54]

Hi everyone,

I'm trying to create a weekly report that reports the threats I see under the "threats section of the web console

Usually these threats are typed as " Trojans" I'd like to make the template get me information for the last 7 days.

But for some reason, Quarantine section has no option of that kind + trying to mix different filters isn't seemed to be allowed.

 

Please assist.

[MichalJ 434]

You need to use a different set of symbols for that. Instead of "quarantine" you have to use symbol type "antivirus threat".

The data you are searching is available by default in the report template "Report: Threat events in last 7 days" which you can find under "Reports". You can also place it to the dashboard, or edit it, to remove columns you are not interested in.

[avielc 54]

2 hours ago, MichalJ said:

You need to use a different set of symbols for that. Instead of "quarantine" you have to use symbol type "antivirus threat".

The data you are searching is available by default in the report template "Report: Threat events in last 7 days" which you can find under "Reports". You can also place it to the dashboard, or edit it, to remove columns you are not interested in.

Hi @MichalJ, Thanks for the quick reply.

I'm afraid that under that report I get an empty page. Nothing appears there.

 

Is something wrong? attaching an example:

[MichalJ 434]

What you see in the "Threats" section of ESET Remote Administrator? Are those threats really happening recently (in the last 7 days)? Also, are they reported by "Antivirus" or by other components?

Edited February 21, 2017 by MichalJ

[avielc 54]

2 minutes ago, MichalJ said:

What you see in the "Threats" section of ESET Remote Administrator? Are those threats really happening recently (in the last 7 days)? Also, are they reported by "Antivirus" or by other components?

Yes,

Here is a screenshot of the threats window

[Marcos 5,069]

The threats were detected on Feb 14 which is exactly 7 days ago. Just in case, trigger an alert by downloading the eicar test file from http://www.eicar.org/download/eicar.com to ensure that a fresh threat alert is generated and then create the report again.

[avielc 54]

I tested what you said by simply altering the amount of days to a few more back, 

You're right, that's kinda odd, seems Quarantine, is a different category, (which I have used instead)

and it reports an extra entries I don't see on the threats list, could you tell me why is that? (related to the restorable information)

Adding a screenshot of the Quarantine report which doesn't appear on the previous screenshot.

 

[avielc 54]

Anything guys?

[MichalJ 434]

We have to understood what is your question? Was the question why the quarantine was not 1:1 to threats? Is this correct? You have not shared details of your threats section. 

[avielc 54]

2 hours ago, MichalJ said:

We have to understood what is your question? Was the question why the quarantine was not 1:1 to threats? Is this correct? You have not shared details of your threats section. 

Hi Michal,

Sorry for not being too clear with my question.

Yes, I don't understand why Quarantine gives different information compared to the "Threats" section.

I've added a screen shot (two posts up) with "Quarantine" report, while You have the "Threats" report screenshot, two posts above that.

If you, or anyone else can please clarify why one is different than the other, i'd really appreciate it.

[MartinK 378]

Highlighted quarantine record has "Time of first occurrence" in January, which is not covered by provided list of threats - any chance this threat is available in case date filter is modified accordingly?

[avielc 54]

Not sure I follow you @MartinK

that case was still reported on the 13th, and on the 15th you also have a case which doesn't appear on the "Threats" info.

Why is that like this? what makes this information different than the other?

[Marcos 5,069]

Unfortunately we don't see a full list of threats that were detected. I can only assume that there were some detected by email protection which doesn't quarantine malicious attachments unlike other protection modules (scanners).

[MartinK 378]

One related issue was identified and resolved recently (by modules update) -> problem was that threats detected during scan (= not by real-time protection) were not properly logged on client (and thus not reported to ERA).

This can be verified in case you have access to this machine. When you open log files in EES/EAV client, check whether this threat is reported in "Detected threats" or "Computer scan". In case it was affected by mentioned bug, it will be reported in second one.

[avielc 54]

On 2/24/2017 at 10:38 AM, MartinK said:

One related issue was identified and resolved recently (by modules update) -> problem was that threats detected during scan (= not by real-time protection) were not properly logged on client (and thus not reported to ERA).

This can be verified in case you have access to this machine. When you open log files in EES/EAV client, check whether this threat is reported in "Detected threats" or "Computer scan". In case it was affected by mentioned bug, it will be reported in second one.

Hi Martin, Thanks for the extra info.

I'll need to have a look to see if that's the case here.

Is there going to be a fix to such issue? (assuming this the the case with all those missing updates (you can compare between the two screenshots i've provided in previous posts, they are parallel in terms of taken time.

 

Thanks.