Virus email alerts generated by PM rather than client

alsimmo
alsimmo W/ Alumni Posts: 36 Security Scout

Hi,

 

Is there a way to force the clients to notify Policy Manager that a virus has been detected, which in turn emails a recipient, rather than the notification taking place on a client?  At the moment the clients notify a recipient, which isn't great, so I am looking for solutions to this issue.

 

I thought that this was in the pipeline but haven't seen any documentation on this.

 

FPMC - version 12

Workstations - version 11.50-60

 

Any feedback would be great.

 

Thanks,
Al

Comments

  • gerema
    gerema W/ Alumni Posts: 18 Junior Protector

    Hello,

     

    There are two ways to avoid sending email alerts from client:

    1) Configure report scheduling in Policy Manager Web Reporting.

    2) Configure forwarding alerts to syslog (PMC > Tools > Server configuration > Syslog) and then set up email notification for chosen syslog events.

  • alsimmo
    alsimmo W/ Alumni Posts: 36 Security Scout

    Hi Marina,

     

    Thanks for your reply.  I think the second option is best for us and am testing now.

     

    The problem is that I can't generate any logs on the syslog server.  I have tried the following

    - Referenced the syslog server by name and IP (PMC > Tools > Server configuration > Syslog)

    - Changed the protocol type (PMC > Tools > Server configuration > Syslog)

    - Disabled firewalls

    - Used multiple alerts to determine if alerting is working at all (Policy Domain > Settings > Alert Forwarding)

    - Have tested on two syslog servers and can't generate any logging for FPMC.

     

    Is there anything else I could try?

     

    Regards,

    Al

  • DavidCES
    DavidCES W/ Member Posts: 27 Cyber Knight
    There should be an easier way to just send alerts from PM by email! I thought I had set it up by configuring the mail server settings in server configuration.
  • gerema
    gerema W/ Alumni Posts: 18 Junior Protector

    First, only new alerts are forwarded to syslog, so please ensure that alerts were received by PM from client after you configured forwarding to syslog.

    Second, could you please ensure that other apps are able to send alerts to syslog from the same machine to exclude connectivity issues?

  • gerema
    gerema W/ Alumni Posts: 18 Junior Protector

    Hello David,

     

    In server configuration you can only configure server alerts sending, not the client ones.

  • DavidCES
    DavidCES W/ Member Posts: 27 Cyber Knight
    But isn't the point of having a server so that you can have things centralized? So having clients individually sending alerts doesn't make sense.
  • gerema
    gerema W/ Alumni Posts: 18 Junior Protector

    Using email as a delivery channel is not provident when we are speaking about thousands of alerts potentially arriving at PMS. That is why syslog or SIEM integration is the preferred option, as you can use them not only for accumulating alerts but also for creating business rules for notifying the administrator in emergency situations.
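
The two-step approach suggested in this thread (forward Policy Manager alerts to syslog, then let the syslog side decide what to mail) and the "business rules" point above are illustrated by the following added example. It is not code from the thread or from F-Secure: the key=value message layout, the `fspms` syslog tag, the host names and the mail addresses are all assumptions made up for the example, so the regexes must be adapted to what your own syslog server actually records. It parses RFC 3164 lines, keeps only malware detections at syslog severity error or worse, collapses repeats of the same client/virus pair inside a time window, and produces one digest email instead of one mail per alert.

```python
"""Turn Policy Manager syslog alerts into one digest email (added example, not F-Secure code)."""
import re
import smtplib
from collections import Counter
from datetime import datetime
from email.message import EmailMessage

# Constructed sample input: RFC 3164-style lines as a Policy Manager server might
# forward them. The key=value layout, field names and the "fspms" tag are an
# ASSUMPTION for this example, not a documented F-Secure format.
SAMPLE_LINES = [
    '<9>Jun 12 10:01:02 fpmc-srv fspms: severity=alert host=WS-0042 '
    'alert="Virus found" object=C:\\Temp\\eicar.com virus=EICAR_Test_File action=Deleted',
    '<14>Jun 12 10:01:05 fpmc-srv fspms: severity=info host=WS-0042 '
    'alert="Database update completed"',
    '<9>Jun 12 10:02:30 fpmc-srv fspms: severity=alert host=WS-0017 '
    'alert="Virus found" object=/home/bob/x.exe virus=Trojan.Generic action=Quarantined',
    '<9>Jun 12 10:02:31 fpmc-srv fspms: severity=alert host=WS-0042 '
    'alert="Virus found" object=C:\\Temp\\eicar2.com virus=EICAR_Test_File action=Deleted',
    'this line is not syslog at all',
]

# <PRI>TIMESTAMP HOSTNAME TAG: MSG  (RFC 3164 layout)
HEADER_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syslog(line):
    """Split one RFC 3164 line into PRI parts, header and key=value fields.
    Returns None for anything that does not look like syslog."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)   # PRI = facility*8 + severity
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(5))}
    return {
        "facility": facility,
        "severity": severity,      # 0=emerg .. 7=debug
        "timestamp": m.group(2),
        "relay": m.group(3),       # header hostname: the PM server that forwarded it, not the client
        "tag": m.group(4),
        "fields": fields,          # the client is in fields["host"] (assumed field name)
    }


def is_virus_alert(event, max_severity=3):
    """Business rule: only malware detections at severity error (3) or worse get mailed."""
    if event is None or event["severity"] > max_severity:
        return False
    return "virus" in event["fields"]


def dedupe(events, window_seconds=300):
    """Collapse repeats of the same (client, virus) pair inside a window, keeping a count,
    so a looping infection does not turn into a mail storm."""
    kept, last_seen = [], {}
    for ev in events:
        ts = datetime.strptime(ev["timestamp"], "%b %d %H:%M:%S")
        key = (ev["fields"].get("host"), ev["fields"].get("virus"))
        prev = last_seen.get(key)
        if prev is not None and (ts - prev["_ts"]).total_seconds() < window_seconds:
            prev["repeats"] += 1
            continue
        ev = dict(ev, repeats=1, _ts=ts)
        last_seen[key] = ev
        kept.append(ev)
    return kept


def build_digest(events, mail_from, mail_to):
    """One email summarising all retained detections."""
    hosts = Counter(ev["fields"].get("host", "?") for ev in events)
    total = sum(ev["repeats"] for ev in events)
    msg = EmailMessage()
    msg["From"], msg["To"] = mail_from, mail_to
    msg["Subject"] = f"[Policy Manager] {total} malware detections on {len(hosts)} host(s)"
    body = [
        f"{ev['timestamp']} {ev['fields'].get('host')}: {ev['fields'].get('virus')} "
        f"in {ev['fields'].get('object')} ({ev['fields'].get('action')}) x{ev['repeats']}"
        for ev in events
    ]
    msg.set_content("\n".join(body))
    return msg


def send_digest(msg, smtp_host="localhost", smtp_port=25, dry_run=True):
    """Hand the digest to the mail relay; dry_run keeps this example offline."""
    if dry_run:
        return msg.as_string()
    with smtplib.SMTP(smtp_host, smtp_port, timeout=10) as smtp:
        smtp.send_message(msg)
    return msg["Subject"]


def process(lines, mail_from="pm-alerts@example.org", mail_to="soc@example.org"):
    """Full pipeline: parse, filter by rule, dedupe, build the digest (None if nothing to send)."""
    alerts = dedupe([e for e in map(parse_syslog, lines) if is_virus_alert(e)])
    return build_digest(alerts, mail_from, mail_to) if alerts else None


if __name__ == "__main__":
    print(send_digest(process(SAMPLE_LINES)))
```

In a real deployment the same rule logic sits in the syslog server itself (rsyslog or syslog-ng can filter on the message and call a mail action), and the PM server is the sender, so the `host` that matters is the one carried inside the message, not the header hostname.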

  • alsimmo
    alsimmo W/ Alumni Posts: 36 Security Scout

    Hi Marina,

     

    I'm testing the process by using the F-Secure EICAR_Test_File script, so I can make changes and then test.

     

    I'm still not having any luck with the syslog and have tested another application to generate the logs, which worked.  To confirm, the syslog is generated by the FPMC server and not the client.  Is it worth installing the syslog server directly on the FPMC server?  Is this supported by F-Secure?

     

    Regards,

    Al

  • DavidCES
    DavidCES W/ Member Posts: 27 Cyber Knight
    It would be fine for some of us, especially if there were filters. Give us the option.
This discussion has been closed.