KAV: An Anti-Virus threat was detected

In the Kaspersky module we can see that a lot of agents are reporting in detected threats. But what kind of alarms are you supposed to take any action on?

Has Kaspersky blocked the threat or do we need to do anything? I'm specifically asking about the events that are logged as "suspicious" and "remediated by user".

To monitor our clients with KAV we have the following basic eventlog monitorset that we have applied on clients.

The general idea at first, when we started building this monitor set, was that we only wanted to be alerted when KAV actually finds a virus that could not be quarantined or deleted.

When we applied this monitorset we started to get a lot of tickets generated from clients telling us that threats were detected. But tickets are also created when items have already been deleted!?

The screen shot below shows the threats detected by the KAV engine on a machine.

This is the number of tickets that were created. (3 missing?)

The tickets contained the below information.

Log: Application
Type: Warning
Event: 257
Alert Time: 2013-03-10 03:57:16Z
Event Time: 03:01:02 AM 10-Mar-2013 UTC
Source: KAVComponent
Category: None
Username: N/A
Computer: 115S
Description: KAV: An Anti-Virus threat was detected (Trojan-Downloader.Java.Agent.rg).

Application log generated Warning Event 257 on 115s.hq.whyred
For more information see http://www.eventid.net/display.asp?eventid=257&source=KAVComponent

Log: Application
Type: Warning
Event: 257
Alert Time: 2013-03-10 02:49:45Z
Event Time: 01:53:31 AM 10-Mar-2013 UTC
Source: KAVComponent
Category: None
Username: N/A
Computer: 115S
Description: KAV: An Anti-Virus threat was detected (HEUR:Backdoor.Win32.Generic).

What sort of events would one have to follow up on? And what kind of events are considered to be blocked by KAV?

Would appreciate if anyone else has any input on what to exclude/include from the KAV monitoring. And if anyone has any documentation on existing KAV eventlog messages today.

What we would like is a monitorset that only alerts us when the KAV client needs attention, not one reporting on things that have already been blocked.
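An added triage helper, not part of the original post, that parses ticket text in the format quoted above and flags only the KAV event 257 records whose description carries no handling verdict. The phrase lists, the third sample record's "and deleted" wording, and the rule that a bare detection line still gets a human look are all assumptions to be tuned against the messages your KAV build really logs.

```python
import re

# Constructed sample in the ticket format quoted in the post; the third record's
# "and deleted" wording is an assumption for illustration, not KAV's real text.
SAMPLE_TICKETS = """\
Event: 257
Source: KAVComponent
Description: KAV: An Anti-Virus threat was detected (Trojan-Downloader.Java.Agent.rg).

Event: 257
Source: KAVComponent
Description: KAV: An Anti-Virus threat was detected (HEUR:Backdoor.Win32.Generic).

Event: 257
Source: KAVComponent
Description: KAV: An Anti-Virus threat was detected and deleted (EICAR-Test-File).
"""

# Assumed phrase lists: tune them to the wording your KAV build actually logs.
HANDLED_PHRASES = ("deleted", "quarantined", "disinfected")
ATTENTION_PHRASES = ("suspicious", "remediated by user")
THREAT_RE = re.compile(r"\(([^()]+)\)\.?\s*$")


def parse_tickets(text):
    """Split blank-line separated records into dicts of their 'Key: value' fields."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only, keeps "KAV: ..." intact
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records


def threat_name(record):
    """Pull the detection name out of the parenthesised tail of the description."""
    match = THREAT_RE.search(record.get("Description", ""))
    return match.group(1) if match else None


def needs_attention(record):
    """True for KAVComponent event 257 records that do not say the threat was handled."""
    if record.get("Source") != "KAVComponent" or record.get("Event") != "257":
        return False
    desc = record.get("Description", "").lower()
    if any(p in desc for p in ATTENTION_PHRASES):
        return True
    return not any(p in desc for p in HANDLED_PHRASES)  # bare detection: assume a human look
```

Feed it the body of each generated ticket and only open a ticket where `needs_attention` is true; `threat_name` gives you a key for counting repeats per detection.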
