CPM Report - Top 25 most recent virus

(imported topic written by sminisini91)

Hi,

The default report provided with CPM “Top 25 most recent Viruses” only has the name and detection time. I managed to get the infected file in there, but I also want the action taken to appear in the report and the email sent.

So far I got:

"(html "

" & "New Virus Detected" & html "

" & html "

" & "Computer Name: " & item 0 of it as string & html "

" & "Virus Name: " & item 1 of it as string & html "

" & "Infected File: " & item 3 of it as string & html "

" & "Detection Time: " & item 2 of it as string & html "

") of (name of item 1 of it, tuple string item 1 of item 1 of item 0 of it, tuple string item 0 of item 1 of item 0 of it, tuple string item 5 of item 1 of item 0 of it) of ((item 0 of it, values of item 1 of it) whose (item 0 of it = (it as time) of tuple string item 0 of item 1 of it) , computer of item 1 of it) of (maxima of (it as time) of tuple string items 0 of values of results of it, results of it) of property 1 of fixlet 21 of bes site whose (name of it = "Trend Core Protection Module")"

But I’m unsure how to get the action taken.

Thanks

(imported comment written by Lee Wei)

sminisini,

Nicely done with the report.

Looks like you are missing 2 pieces of info.

  • The message format as being returned from the analysis.
  • The lookup table for the different fields. That will contain the code for “Action Taken”

The format of the analysis is as follows:

Date, Virus Name, Scan Result, Scan Type, Not Used, Infected File

I will send you an email with the lookup table for Scan Results and Scan Types.

Lee Wei

(imported comment written by sminisini91)

Thanks Lee

I now have meaningful alerts by email for Virus infection, something like:

New Virus Detected

Computer Name: XXXXXXX

Virus Name: WORM_Generic.DIT

Infected File: E:\Autorun.inf

Detection Time: 29 Jan 2010 12:06:00 -0200

Scan Type: Real Time Scan

Scan Result: Passed a potential Security Risk

Also, the report includes the action taken now.

Thanks

(imported comment written by Lee Wei)

Again excellent job sminisini.

Do you want to attach and share your report? :)

Lee Wei

(imported comment written by sminisini91)

Lee,

Here is the report attached.

Thanks

(imported comment written by mholder91)

The virus detection notification and its lack of detail has been an on-going issue for us and we’ve explored many options on how to provide more detail in the e-mail alerts. Nothing really panned out until now. This customized report is EXACTLY what we’ve been looking for for the last 2 months. I think many CPM customers would be very happy to have this more detailed report and it might even be beneficial to offer this as an out-of-the-box option with CPM. Thanks very much, Sminisini!

(imported comment written by Jim_Hansen91)

Hi sminisini,

Thank you very much for taking the time to work through this and define such an excellent report. I will take a look at this in a bit more detail and see what we can do about making this a canned report. In the meantime, what other report types are people looking for? Feel free to either share here or contact me directly. Either way, this would be an excellent way for us to work on improvements to the product to make it better for you!

Regards,

Jim

(imported comment written by Leigh91)

Spot on, thanks Sminisini - report is what we’ve been after since moving from Bigfix AV to Trend - saves time having to refer back to the CPM dashboard looking for the infected file and remediation action.

(imported comment written by whowey91)

This is an excellent report.

One wish, is there any way to add the current userid to the report?

(imported comment written by jessewk)

Unfortunately, the user is not logged as part of the infection event.

(imported comment written by sminisini91)

Hi Whowey

I’ve attached a new version of the report which has the user name included in the email alert. I have not included the user name in the normal report as it would only report the currently logged in user and that may be different to the one that was logged in at the time of infection.

(imported comment written by burdenuik91)

Hi sminisini, great addition to a very useful report…just testing the new report and having a problem with the output. Scheduled to run when the report changes, report is emailed but no content appears apart from the name of the report - have attached a screenshot.

Recently upgraded to v8 and running Outlook 2007…have you had success running the same software?

(imported comment written by sminisini91)

Hi burdenuik

I haven’t tested the report in v8 yet, have you tried the latest report (with the username) or the original one? The report with the username may not be the best to use.

Thanks

(imported comment written by burdenuik91)

OK, have tested the first report - this works and displays the following:

New Virus Detected

Computer Name: TESTPC

Virus Name: Eicar_test_file

Infected File: C:\Documents and Settings\test.user\Local Settings\Temporary Internet Files\Content.IE5\ALOSEGWX\eicar[1].com

Detection Time: 19 Oct 2010 12:16:00 +0100

Scan Type: Real Time Scan

Scan Result: Quarantined

Reimported the latest report, this is now not being triggered. Upgraded to 8.0.627 yesterday ; @ (

(imported comment written by eenglish)

Very nice report…thank you! I was wondering if it can be edited to not include “Passed a potential Security Risk” items…so basically only include fails such as clean fail, delete fail, move fail…that type of thing. Also we have company names set up as retrieve properties…would a value of a specific retrieve property that stated Company Name be able to be added easily? Any help with this would be great. Thanks for all you have done.

Cheers!

(imported comment written by sminisini91)

Hi

I’ve modified the report (email and normal report) so it doesn’t include the “Passed a potential security risk” messages. I’ve also integrated the BES property “Location By Subnet” as an example on how you could integrate your custom retrieved property in the report.

This report has not been tested in version 8, nor has it been tested with the scheduled tasks; however, I would think this report would work fine in v7.

Thanks

(Please email me directly if you need help changing the property to your own custom one).

// Update:

The attachment doesn’t seem to be uploading…
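
The record layout Lee Wei gives earlier in the thread and the filtering described in this post, sketched as an added example in Python; it is not the attached report, not session relevance, and not code from any poster. The codes `R1`, `R2`, `R9` and `T1`, the `<br>` markup and all function names are assumptions, since the real lookup tables and the report's HTML are not on the page.

```python
import html

# Field order as given by Lee Wei in the thread.
FIELDS = ("detection_time", "virus_name", "scan_result",
          "scan_type", "not_used", "infected_file")
# Placeholder codes: the real lookup tables are not on the page. Only the label
# texts come from the alerts quoted in the thread.
SCAN_RESULTS = {"R1": "Passed a potential Security Risk", "R2": "Quarantined"}
SCAN_TYPES = {"T1": "Real Time Scan"}
SUPPRESSED = {"Passed a potential Security Risk"}

def parse_record(raw):
    """Split one analysis value into named fields and decode the two codes."""
    # maxsplit keeps commas inside the last field (the file path) intact.
    parts = [p.strip() for p in raw.split(",", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    # Unknown codes stay visible instead of being dropped or mislabelled.
    for key, table in (("scan_result", SCAN_RESULTS), ("scan_type", SCAN_TYPES)):
        rec[key] = table.get(rec[key], "Unknown (%s)" % rec[key])
    return rec

def format_alert(computer, rec):
    """Build the e-mail body; values reported by endpoints are HTML-escaped."""
    rows = [("Computer Name", computer), ("Virus Name", rec["virus_name"]),
            ("Infected File", rec["infected_file"]),
            ("Detection Time", rec["detection_time"]),
            ("Scan Type", rec["scan_type"]), ("Scan Result", rec["scan_result"])]
    body = ["%s: %s" % (label, html.escape(value)) for label, value in rows]
    return "<br>".join(["<b>New Virus Detected</b>"] + body)

def build_alerts(rows):
    """rows: (computer name, raw analysis value) pairs; skips suppressed results."""
    recs = [(computer, parse_record(raw)) for computer, raw in rows]
    return [format_alert(c, r) for c, r in recs if r["scan_result"] not in SUPPRESSED]

# Constructed sample rows using the placeholder codes above.
SAMPLE = [
    ("XXXXXXX", r"29 Jan 2010 12:06:00 -0200, WORM_Generic.DIT, R1, T1, , E:\Autorun.inf"),
    ("TESTPC", r"19 Oct 2010 12:16:00 +0100, Eicar_test_file, R2, T1, , C:\R&D\a, b\eicar[1].com"),
    ("TESTPC", r"19 Oct 2010 12:20:00 +0100, Eicar_test_file, R9, T1, , C:\Temp\x.com"),
]

if __name__ == "__main__":
    print("\n\n".join(build_alerts(SAMPLE)))
```

A result code missing from the table still produces an alert, labelled `Unknown (...)`, so a gap in the lookup table cannot silently hide a detection.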

(imported comment written by SystemAdmin)

I know this thread is several months old, but I’d be very interested in getting the last version of the report mentioned. The one that wouldn’t upload. Or if there is something newer, that would be great. Thanks!

(imported comment written by SystemAdmin)

Has anyone done the same thing for Spyware or Web Reputation?