
Outstanding Alerts on the Dashboard

Hi,

I need some help trying to remove a machine's alert from the Dashboard.

The machine was reported as infected with a Trojan virus in August but after taking the necessary actions (updated the client and ran a scan on it), it still appears on the dashboard with the same alert.  Can someone please teach me how to resolve it, as every time we try to run a report, the same machine appears with the same detection last August.

Thanks!



  • Hi,

    If you right click on the machine in SEC and choose "Resolve Alerts and Errors", does anything appear in the list of alerts?

    Can you action anything?

    Also at the client, does the alert appear in the quarantine manager or is that empty?

    Regards,

    Jak 

  • Hello,

    Right-click the computer (or select it and use Actions from the menu bar) -> Resolve Alerts and Errors ... there you should be able to acknowledge the alert and the computer should disappear from the Computers with Alerts list. Note that you either have to acknowledge the alert from the console or the client has to report that the threat has been dealt with or "vanished". You should also check the Errors tab in Resolve ....

    Christian

  • Unfortunately, when I do that, nothing appears on the popup screen for me to acknowledge the alert or error...

  • The Resolve popup should contain any outstanding threat (whether cleanable or not) as well as scanning and removal errors. If it doesn't the computer should also not be listed under Computer with alerts. Could you perhaps show us some screenshots?

    As you've mentioned Report - reports always display all alerts (within the selection criteria) whether outstanding or not. If a threat has been dealt with you'll see at least two lines for it like:

    05/10/2011  08:03:16 Mal/Generic-L COMPUTER Group  Cleaned up
    05/10/2011  08:03:02 Mal/Generic-L COMPUTER Group       Block

    Christian

  • Hi,

    When you say "Dashboard", I assume you are talking about the alert appearing in the computer list against the client?  The dashboard is really just the top summary section you can expand and collapse.

    The alert will appear in the list view against a computer in response to the threat ID entry in the computersanddeletedcomputers table:

    If you run the SQL command:

    select lastthreatinstanceid
    from ComputersAndDeletedComputers
    where name = 'computername'

    Note: Replace [computername] with the name of the machine in question.  This I assume will point to a threat id in the Threats table?  Note: There is a Threats table and a ThreatsArchive table; the ones in Threats are typically outstanding, and they get moved across into ThreatsArchive once they are no longer outstanding.

    Running:

    select * from threats as t with (nolock)
    inner join computersanddeletedcomputers as c with (nolock)
    on c.id = t.computerid
    where c.name = 'computername'
    and t.outstanding = 1

    will list the outstanding threats for the machine; again, replace [computername] with the name of the machine in question.

    If you find the threat in the threats table you could as a last resort mark it as outstanding = 0 with a SQL command:

    update threats set outstanding = 0 where threatinstanceid = NUMBER

    where "NUMBER" is the threat id returned in the above query.

    As the pointer in the computersanddeletedcomputers table is still there you will still get the alert graphic; to clear that you could then run:

    update ComputersAndDeletedComputers set lastthreatinstanceid = null where name = 'computername'

    To run the SQL commands above I would suggest downloading and installing SQL Server Management Studio and executing the commands using that against the SOPHOSX database.  I would also recommend taking a backup of the database before modifying anything.  If you can't get the tool, there is a tool called backupdb.bat in the DB directory under the Enterprise Console directory that will create you a backup.  You can run the above SQL queries on the command line also using SQLCMD.exe.  To do so:

    sqlcmd -E -S .\sophos -d SOPHOS47 -Q "Enter the above query here"

    Where:

    .\sophos represents a local SOPHOS SQL instance.
    SOPHOS47 is the name of the SOPHOS database for SEC 4.7.  If you have 4.5 it would be SOPHOS45; likewise SEC 4 would be SOPHOS4.

    I hope that helps.  If you don't feel confident updating the database please just post the results from the first 2 select queries here.


    Regards,

    Jak 

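    The queries above are meant to be pasted one at a time. Below is an added example (not code from Jak or from Sophos) that strings the same steps together as a single T-SQL script: it looks up the threat instance the computer record points at, marks only that row as no longer outstanding, clears the pointer for that one computer, and wraps the two updates in a transaction that rolls back if more rows than expected would be touched. It assumes the table and column names quoted in this thread (Threats, ThreatInstanceID, Outstanding, ComputerID, ComputersAndDeletedComputers, ID, Name, LastThreatInstanceID) and the SOPHOS47 database name for SEC 4.7; the variable @ComputerName is a placeholder you fill in.

```sql
-- Added example, not part of the thread or the product.
-- Assumes the SEC schema as described above; back up the database
-- (backupdb.bat or a native SQL backup) before running it.
USE SOPHOS47;
SET NOCOUNT ON;
SET XACT_ABORT ON;

DECLARE @ComputerName NVARCHAR(255);
DECLARE @ThreatInstanceID INT;
DECLARE @Rows INT;

SET @ComputerName = N'computername';   -- replace with the real machine name

-- 1. Show what the console is currently pointing at, before any change.
SELECT c.Name, c.LastThreatInstanceID, t.ThreatInstanceID, t.Outstanding
FROM ComputersAndDeletedComputers AS c WITH (NOLOCK)
LEFT JOIN Threats AS t WITH (NOLOCK) ON t.ComputerID = c.ID
WHERE c.Name = @ComputerName;

-- 2. Pick up the threat instance the computer record references.
SELECT @ThreatInstanceID = LastThreatInstanceID
FROM ComputersAndDeletedComputers
WHERE Name = @ComputerName;

IF @ThreatInstanceID IS NULL
BEGIN
    PRINT 'No LastThreatInstanceID set for this computer; nothing to clear.';
    RETURN;
END;

BEGIN TRANSACTION;

-- 3. Mark only that threat instance as resolved.
UPDATE Threats
SET Outstanding = 0
WHERE ThreatInstanceID = @ThreatInstanceID
  AND Outstanding = 1;
SET @Rows = @@ROWCOUNT;

-- Zero rows is plausible (the row may already have moved to ThreatsArchive,
-- as the thread describes); more than one means the assumptions about the
-- schema are wrong for this database, so undo everything and stop.
IF @Rows > 1
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Matched ' + CAST(@Rows AS VARCHAR(10)) + ' threat rows instead of 1; rolled back.';
    RETURN;
END;
IF @Rows = 0
    PRINT 'Threat row not outstanding (perhaps already archived); clearing pointer only.';

-- 4. Clear the alert pointer for this computer only.  The WHERE clause is
--    essential: without it every computer's pointer would be cleared.
UPDATE ComputersAndDeletedComputers
SET LastThreatInstanceID = NULL
WHERE Name = @ComputerName
  AND LastThreatInstanceID = @ThreatInstanceID;

IF @@ROWCOUNT <> 1
BEGIN
    ROLLBACK TRANSACTION;
    PRINT 'Pointer update did not match exactly one computer row; rolled back.';
    RETURN;
END;

COMMIT TRANSACTION;
PRINT 'Cleared threat instance ' + CAST(@ThreatInstanceID AS VARCHAR(10))
      + ' for ' + @ComputerName + '.';
```

    Save it as a .sql file and run it with sqlcmd -E -S .\sophos -i clear_alert.sql (the -i switch reads the script from a file instead of -Q). The SELECT in step 1 prints what is about to be changed, so run it first and keep the output; if the console shows the alert again afterwards, the client is still reporting the threat and the console-side fix is only masking it.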
  • This is actually weird...

    Last time, when I right-clicked on the computer name and clicked on Resolve Alerts and Errors, the popup window came out blank... no computer was listed at all... after a couple of days, the dashboard has given me an entirely different picture... from 1,300 nodes that appeared as outdated the past two days, only 300+ were left, and when I right-click on the computer name and click on Resolve Alerts and Errors, the popup window comes out with all the names of the computers with Alerts and Errors; thus, all I need to do is either clear or acknowledge the errors...

    Can someone please tell me what may have happened?

    Thanks!

  • The issue came back again just now... see here the blank window when I click on Resolve Alerts and Errors.

  • Could you post a screenshot of the dashboard as well?

    Christian

  • Hi,

    Do you use sub-estates?

    Are you logged into the "Default" one when seeing this?

    Jak 
