F-Secure 12.10 - virus detection as a trigger

Hi,

is it possible to set some additional action to be triggered in case of virus detection? To be more precise - i've got a script that i'd like to be run on each virus detenction - how can this be done? And if it can't be done - is virus detection reported somewhere? Like, for example, windows event viewer?

Find more posts tagged with

Comments

Tigger

Thanks 🙏

freedomsarge

@MJ-perComp - the company policy says to force shut down that PC and reinstall it ASAP. So cutting the connectivity is just an additional protection - though i know it may be a little bit too... hardcore for most companies

@Vad - thank you, that's what i was looking for!

Vad

Here is the example of virus detection event.

MJ-perComp

"Not a good idea" I would say.

1) a found malware is a blocked malware. No need to worry after this point.

2) Even in regular work many malware is found and killed from Temorary Internet Files. You would not like your users to be cut of the network on every event! don't forget you need to go there to reactivate them.

3) False Positives happen. But F-Secure is very quick in handling those. This happens throu the reputation network. By cutting network connectivity you would loose any control over the system. It can neither be updated, unquarantined, nor can the "fixed detection" be provided by ORSP.

Finally. What would you win by cutting conectivity? A system that has successfully protected itself from malware will be taken out ouf business and the user is stopped from working, maybe even loose documents he is just working on. OTOH systems that don't even realize that they are corrupted stay online. A "conficker" infection in your organization would render all systems unusable except the one that failed to detect the malware.

If you still want to implement something use the F-Secure Firewall and activate the ruleset "Network Quarantine" that will restrict the traffic to PMS/F-Secure and you keep the system under controll.

freedomsarge

I want to disconnect the PC from company network by disabling all network interfaces:

Get-NetAdapter | Disable-NetAdapter -Confirm:$false

and disaply a message to user:

$wshell = New-Object -ComObject Wscript.Shell
$wshell.Popup("Virus detected - all network connections have been disabled.")

MJ-perComp

Every detection is recorded to Event.log as well. So if you are not keen on immidiate action a scheduled JOB that checks the eventlog might do the job.

Just to serve my curiosity: what exactly do you want to do after a detection in that script?

freedomsarge

Not really - i don't want to run the scan manually from the script - i want it to be triggered by the "Virus and spyware scanning" that runs in background. So i can set up a scheduled task in windows using a GPO - but i need to know how to recognize this event So a screenshot from Event Viewer with such event would be all i need

MJ-perComp

I think this is what you are looking for:

https://community.f-secure.com/t5/Business/On-demand-scanner-fsav-exit/ta-p/20254

from inside a script

freedomsarge

Hi Vad,

thank you for the information - so i can create a windows scheduled task triggered by this event - could you please give me some details about it? Unfourtunately i don't have any PCs after such detection (we reinstall them ASAP).

Vad

Hello freedomsarge,

Triggering of additional action is not supported in current versions.

By default, virus detection is reported to Policy Manager, to event viewer Application log as a Critical event, and to c:\Program Files (x86)\F-Secure\Common\LogFile.log.

In addition, you can configure sending a email notification.

Best regards,

Vad