F-Secure 12.10 - virus detection as a trigger

Hi,

Is it possible to set some additional action to be triggered in case of a virus detection? To be more precise - I've got a script that I'd like to be run on each virus detection - how can this be done? And if it can't be done - is a virus detection reported somewhere? Like, for example, the Windows Event Viewer?

Tigger

Best Answer

  • Vad Posts: 1,050 F-Secure Employee
    Accepted Answer

    Virus_detection_event.png

    Here is an example of a virus detection event.


Comments

  • Vad Posts: 1,050 F-Secure Employee

    Hello freedomsarge,

     

    Triggering an additional action is not supported in current versions.

    By default, a virus detection is reported to Policy Manager, to the Event Viewer Application log as a Critical event, and to c:\Program Files (x86)\F-Secure\Common\LogFile.log.

    In addition, you can configure sending an email notification.

     

    Best regards,

    Vad
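An added example (not from this thread and not F-Secure's own code) of how to recognise the Critical event Vad describes in the Application log and attach a Windows scheduled task to it, which is what the question is asking for. The provider name pattern `F-Secure*`, the placeholder `PROVIDER_NAME`, the task name and the script path `C:\Scripts\Respond-ToDetection.ps1` are assumptions: read the exact Provider Name (and, if you want to narrow further, the Event ID) from the Details tab of a real detection event such as the one in the accepted answer's screenshot, and substitute it.

```powershell
# Added example, not F-Secure code. Everything marked ASSUMPTION must be replaced
# with the values shown in a real detection event (Event Viewer > Details > XML View).

# --- Step 1: find the detection events described above:
#     Application log, Level 1 (= Critical in the Windows event log).
# ASSUMPTION: the provider name starts with "F-Secure"; take the exact name from a real event.
$providerPattern = 'F-Secure*'

$detections = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1 } `
                           -MaxEvents 500 -ErrorAction SilentlyContinue |
              Where-Object { $_.ProviderName -like $providerPattern }

# ProviderName and Id are the two values the trigger below is built from.
$detections | Select-Object TimeCreated, ProviderName, Id, Message | Format-List

# --- Step 2: build a scheduled task that fires on that event.
# ASSUMPTION: 'PROVIDER_NAME' is the exact Provider Name found in step 1.
# "Level=1" limits the subscription to Critical events, so Warning/Information
# entries from the same provider (e.g. update notices) do not start the task.
$providerName = 'PROVIDER_NAME'
$subscription = @"
<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='$providerName'] and Level=1]]</Select>
  </Query>
</QueryList>
"@

# New-ScheduledTaskTrigger has no "on an event" option, so the trigger is
# created from the Task Scheduler CIM class instead.
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger `
                             -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Enabled      = $true
$trigger.Subscription = $subscription

# ASSUMPTION: the response script lives at C:\Scripts\Respond-ToDetection.ps1.
$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Respond-ToDetection.ps1'

# Run as SYSTEM so the task works whether or not anyone is logged on.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName 'AV-Detection-Response' -Trigger $trigger `
                       -Action $action -Principal $principal -Force | Out-Null

# Verify the task exists, and keep its XML definition as a reference for building
# the same "On an event" trigger (same log, same XPath filter) in Group Policy Preferences.
Get-ScheduledTask -TaskName 'AV-Detection-Response' | Select-Object TaskName, State
Export-ScheduledTask -TaskName 'AV-Detection-Response' |
    Set-Content 'C:\Scripts\AV-Detection-Response.xml'
```

Run it elevated on a machine that has had at least one detection so step 1 returns something; once the Provider Name is known, the XPath filter in the subscription is the only part that needs to match the real event. Whatever the response script does, have it read the triggering event's message first (Get-WinEvent with the same filter, -MaxEvents 1) and record it, so that a detection that was already blocked or quarantined can be told apart from one that was not before any disruptive action is taken.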

  • Hi Vad,

    thank you for the information - so I can create a Windows scheduled task triggered by this event - could you please give me some details about it? Unfortunately I don't have any PCs after such a detection (we reinstall them ASAP).

  • MJ-perComp Posts: 1,098 Superuser

    I think this is what you are looking for:

     

    https://community.f-secure.com/t5/Business/On-demand-scanner-fsav-exit/ta-p/20254

     

    from inside a script

  • Not really - I don't want to run the scan manually from the script - I want it to be triggered by the "Virus and spyware scanning" that runs in the background. So I can set up a scheduled task in Windows using a GPO - but I need to know how to recognize this event :) So a screenshot from Event Viewer with such an event would be all I need :)

  • MJ-perComp Posts: 1,098 Superuser

    Every detection is recorded to Event.log as well. So if you are not keen on immediate action, a scheduled job that checks the event log might do the job.

    Just to serve my curiosity: what exactly do you want to do after a detection in that script?

  • I want to disconnect the PC from the company network by disabling all network interfaces:

    # Disable every network adapter without prompting (needs an elevated session)
    Get-NetAdapter | Disable-NetAdapter -Confirm:$false

    and display a message to the user:

    # Show a blocking message box through the WScript.Shell COM object
    $wshell = New-Object -ComObject Wscript.Shell
    $wshell.Popup("Virus detected - all network connections have been disabled.")

  • MJ-perComp Posts: 1,098 Superuser

    "Not a good idea" I would say.

    1) A found malware is a blocked malware. No need to worry after this point.

    2) Even in regular work, much malware is found and killed from Temporary Internet Files. You would not like your users to be cut off the network on every event! Don't forget you need to go there to reactivate them.

    3) False positives happen. But F-Secure is very quick in handling those. This happens through the reputation network. By cutting network connectivity you would lose any control over the system. It can neither be updated nor unquarantined, nor can the "fixed detection" be provided by ORSP.

    Finally: what would you win by cutting connectivity? A system that has successfully protected itself from malware will be taken out of business and the user is stopped from working, maybe even losing documents he is just working on. OTOH, systems that don't even realize that they are corrupted stay online. A "Conficker" infection in your organization would render all systems unusable except the one that failed to detect the malware.

    If you still want to implement something, use the F-Secure Firewall and activate the ruleset "Network Quarantine" that will restrict the traffic to PMS/F-Secure and you keep the system under control.

  • @MJ-perComp - the company policy says to force shut down that PC and reinstall it ASAP. So cutting the connectivity is just an additional protection - though I know it may be a little bit too... hardcore for most companies :)

     

    @Vad - thank you, that's what i was looking for! 

  • Tigger Posts: 1
    Thanks 🙏