
ERA doesn't "forward" the threat logs, neither to the OS log nor to Syslog



Hi all,

 

Our server is a Win2003R2 running version 5.2.26 of the AV with 11 client licenses. Unfortunately we had to disable real-time analysis on the server due to compatibility issues with some software we need to use; RT is enabled on all the clients.

 

My goal is that all workstations report to ERA about infections they might have, and that ERA then "forwards" those events to the Windows event system or a syslog server, so that a SIEM tool can collect and correlate them.

 

I just downloaded the eicar.com test file and put it on the desktop of the server. After that I ran an analysis and ESET found it and deleted it (put it in quarantine). I then checked the Event Viewer and couldn't find any event related to the infection.

Nothing appeared in the Threat log in ERA either.

 

I attached a screenshot that shows ERA properly logging the same infection tested on the clients, BUT it doesn't show the infection detected on the server. In any case, none of these infections are reflected in the Windows Event Viewer (Application) or even in a syslog server which I also installed locally on the server (Kiwi).

 

In summary:

- Real-time AV on the client detects the virus and notifies ERA correctly.

- ERA reflects in the "Threat Log" all the detections that occurred on clients only.

- The ERA Threat Log doesn't show infections that occurred on the server.

- None of the threat logs in ERA are copied as Windows Events.

- None of the threat logs are sent to the syslog server.

 

Any suggestions? I must be missing something important... :?

 

Thanks a lot in advance.

Jose


Administrators

Threat detections are not logged in the Event log but in the Detected threats log. If detected by the on-demand scanner, the detection is logged in an On-demand scanner log. Real-time protection on clients will not protect the server. If you're having incompatibility issues, it'd be better to troubleshoot it with customer care rather than disabling it completely.


Hi Marcos,

 

I couldn't find any record in the Scan Log. Is that log what you called the "On-demand Scanner Log"? (see attachment)

 

I knew about the Threat Log for the real-time detections... but what I need is a way to reflect those logs in the host operating system's Event Log... or to forward them to a Syslog server. I see that some internal events are propagated, but not the detections...

 

Is it a matter of the version I am using (5.2.26)? Is version 6 more complete in these aspects?

 

Thanks a lot for the reply.

 

Jose


Edited by jacortijo