Jump to content

Archived

This topic is now archived and is closed to further replies.

jacortijo

ERA doesnt "forward" the threat logs neither to the OS log nor SysLog

Recommended Posts

Hi all,

 

Our server is a Win2003R2 with the 5.2.26 version of the AV with 11 client licenses. Unfortunately we had to disable the real-time analysis in the server due to compatibility issues with some software we need to use, the RT is enabled in all the clients.

 

My goal is that all workstations report to the ERA about infections they might have and then, ERA "forward" those events to the windows event system or syslog server, so a SIEM tool can collect them and correlate them.

 

I just downloaded the eicar.com test file and I put it on the desktop in the server. After that I run an analysis and ESET found it and deleted it (put it in quarantine). I checked then the event viewer and I couldn't find any event related with the infection.

Nothing appeared in the Threat log in ERA either.

 

I attached a screen-shot that shows ERA properly logging the same infection tested in the clients, BUT doesn't show the infection detected in the server. In any case, none of these infections are reflected in the Windows Event Viewer (Application) or even in a syslog server which I also installed locally in the server(KIWI).

 

In summary:

- Real-time AV in Client detects the virus and notify ERA correctly.

- ERA reflects in the "Threat Log" all the detections occurred in clients only.

- ERA Threat Log doesn't show infections occurred in the server.

- None of the threat logs in ERA are copied as a Windows Event

- None of the threat logs are sent to the syslog server

 

any suggestion? I must be missing something important... :?

 

Thanks a lot in advance.

Jose

post-7275-0-60474000-1434407160_thumb.png

post-7275-0-28661700-1434407168_thumb.png

Share this post


Link to post
Share on other sites

Threat detections are not logged in the Event log but in the Detected threats log. If detected by the on-demand scanner, the detection is logged in an On-demand scanner log. Real-time protection on clients will not protect the server. If you're having incompatibility issues, it'd be better to troubleshoot it with customer care rather than disabling it completely.

Share this post


Link to post
Share on other sites

Hi Marcos,

 

I couldnt find any record in the Scan Log, is that Log what you called the "On-demand Scanner Log"? (see attachement)

 

I knew about the Threat Log for the realtime detections... but my need is to find a way to reflect those logs in the host Operating System Event Log... or to forward to a SysLog server. I see that some internal events are propagated but not the detections...

 

is it a matter of the version I am using? 5.2.26? is the version 6 more complete in these aspects?

 

Thanks a lot for the reply.

 

Jose

post-7275-0-14719300-1434462745_thumb.png

post-7275-0-21144500-1434462748_thumb.png

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...