
Too Many DLPAlert Emails

We are using Sophos Enterprise Console 5.1.0.1839 and we keep receiving DLPAlert emails with the following subject lines:

1. The number of out-of-date computers has exceeded the critical level.

2. The number of computers with errors has exceeded the critical level.

3. The number of computers that differ from group policies has exceeded the critical level.

These emails do us no good. We only have about 40 computers in our organization and it only takes a couple of computers to set off these alerts. We have looked for ways to adjust the configurations of these alerts to be more useful, but have found none.

Any ideas?

  • Hello TEWhite,

    dunno what DLPAlert in this context stands for.

    These emails do us no good

    Email alerting has to be configured (it's neither on by default nor will it work out of the box as SMTP server and recipient have to be specified before it can) - may I ask why you did so and what you expected? Apart from this the alerts are sent in conjunction with the dashboard (Tools->Configure Dashboard...  for adjusting the levels, which has also a button that takes you to Configure Email Alerts...).  

    HTH

    Christian

  • Perhaps I titled this post poorly.

    What we are looking for is some way to get the SEC to ignore/sideline certain error codes or out-of-date computers, since we know in advance that those error codes don't require any action and that certain computers in our organization are left off for very long periods of time.

    (It would be nice if there were some sort of way to set up rules for what constitutes an error or an out-of-date computer.)

    I don't want to turn off emailing altogether, because I do want to be emailed when any error occurs that requires my attention.

    Simply having the SEC email me that a certain number of computers in my organization have errors or are out of date doesn't help me to know when my attention is actually required.

    Thank you for your time.

  • Hello TEWhite,

    as you've seen you can adjust a few things (levels, number of events, time since last update - applies to SUM) but that's probably not what you are looking for.

    Frankly, creating sophisticated rules for 40-odd computers is an overkill. Admittedly the Protection alert (connected out-of-date) is sometimes trigger-happy, doesn't take the updating interval from the policy into account and in addition RMS doesn't always correctly disconnect a client. To make a better decision SEC would have to keep a history of Message Times, perhaps correlating them with updating errors - but even then it'd be likely far from perfect.

    I'd suggest you just don't request an email for out-of-date conditions. Apart from that it is possible to ignore/suppress specific error codes - which ones are you interested in and which ones would you rather not see?

    Christian

  • One error that seems to come up rather frequently is:

    ERROR: Could not find a source for updated packages [0x00000071]

    We're pretty sure these errors are caused when Sophos updates are interrupted at the client and they typically go away the next time the client connects and runs updates...

  • Hello TEWhite,

    We're pretty sure these errors are caused when Sophos updates are interrupted

    pretty is not absolutely ;-) and I fail to see what kind of interruption that could be - perhaps a network hiccup; I've also seen it when an active VPN connection firewalls local network access at the moment, but these should be rare. Agreed that most of these are transient and resolve themselves shortly after. And in case of persisting problems you should notice the out-of-date status anyway.

    I won't recommend suppressing this error, but have a look at the following threads: Error Message Suppression in Enterprise Console and SEC 4.5.1.0 - Blacklisting/Suppressing Error Codes. There are two procedures mentioned: filtering on the endpoint and filtering in SEC. Dunno if the former is possible at all for AutoUpdate errors, so you'd have to try whether it works with the ErrorAlertFilters table. In your case the values would be 'ALC' for Source and 113 for Number.

    HTH

    Christian

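The reply above gives the filter pair for the AutoUpdate error as Source 'ALC' and Number 113, while the alert text itself shows the code in hex as 0x00000071. The following is an added example, not code from the thread or from Sophos: it parses alert messages in the quoted format, converts the bracketed hex code to the decimal Number a filter row needs, and applies a set of (Source, Number) filters to a constructed batch of alerts so you can see which ones would be suppressed before touching the console. The sample alert lines other than the quoted 0x71 message, the 'SAV' source tag, and the exact INSERT statement shape (column names taken from the reply's wording "Source" and "Number") are assumptions for illustration only.

```python
import re

# Matches a trailing "[0x........]" error code as shown in the quoted AutoUpdate alert.
ERROR_CODE_RE = re.compile(r"\[0x([0-9A-Fa-f]{1,8})\]\s*$")


def error_number(message):
    """Return the decimal error number embedded in an alert message, or None.

    The console filter table expects the decimal form (0x71 -> 113), so the
    hex code in the message text must be converted before it is usable.
    """
    match = ERROR_CODE_RE.search(message)
    return int(match.group(1), 16) if match else None


def filter_row(source, message):
    """Build the (Source, Number) pair the reply describes for ErrorAlertFilters."""
    number = error_number(message)
    if number is None:
        raise ValueError("no [0x...] error code found in: %r" % message)
    return (source, number)


def filter_insert_sql(source, number):
    """Render an INSERT for the filter row.

    Assumption: the table is ErrorAlertFilters with columns Source and Number,
    as implied by the reply; verify against your own SEC database before use.
    """
    return "INSERT INTO ErrorAlertFilters (Source, Number) VALUES ('%s', %d);" % (source, number)


def apply_filters(alerts, filters):
    """Split (source, message) alerts into (kept, suppressed) using a set of filter pairs."""
    kept, suppressed = [], []
    for source, message in alerts:
        if (source, error_number(message)) in filters:
            suppressed.append((source, message))
        else:
            kept.append((source, message))
    return kept, suppressed


# Constructed sample alerts. Only the first message is quoted in the thread;
# the remaining messages and the 'SAV' source tag are made up for this example.
SAMPLE_ALERTS = [
    ("ALC", "ERROR: Could not find a source for updated packages [0x00000071]"),
    ("ALC", "ERROR: Could not find a source for updated packages [0x00000071]"),
    ("ALC", "ERROR: Example made-up AutoUpdate failure [0x00000048]"),
    ("SAV", "ERROR: Example made-up scanner failure [0x00000071]"),
]


def demo():
    """Suppress only the AutoUpdate 0x71 alert and report what remains."""
    row = filter_row("ALC", SAMPLE_ALERTS[0][1])  # ('ALC', 113)
    kept, suppressed = apply_filters(SAMPLE_ALERTS, {row})
    return row, filter_insert_sql(*row), len(kept), len(suppressed)


if __name__ == "__main__":
    row, sql, n_kept, n_suppressed = demo()
    print("filter row:", row)
    print("statement: ", sql)
    print("kept %d alert(s), suppressed %d" % (n_kept, n_suppressed))
```

Note that the filter keys on both Source and Number: the constructed 'SAV' alert with the same 0x71 code is not suppressed, which is the behaviour you want, since the same numeric code can mean different things to different components.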