How to filter out the SSH/Updater-B from reports

We run a monthly report for all viruses and then use that data. The SSH/Updater-B made the report over 900 pages and I think it is timing out to the database and failing to export because it is too big. We are running Enterprise Console ver 5.1.0.1839 and the report is: "All Computers, All Virus/Spyware Events, Last Month Week; sorted by Date."


  • Hello jsouza,

    as you've found out you can only specify one inclusion using a pattern but no exclusion.

    There is no easy solution unless you want to (permanently) purge the, BTW, SHH/Updater-B entries from the database (which I don't suggest). It should affect "only" the September (and perhaps October) reports.

    You could work around this problem by adjusting the period so that (most of) the SHH events are excluded - although you might miss a few other alerts. Depending on how you use the data it might also be possible to split the reports around the time of the FP and apply the filtering to the exported data before merging them.

    Christian

  • Hi,

    If you've completely recovered from the FP and don't wish to keep any records for it, i.e. you've maybe followed

    http://www.sophos.com/en-us/support/knowledgebase/118324.aspx to export a list of files affected in case you need to take any action... you could just clear the database of these alerts.

    The following 4 SQL commands could be run against the SOPHOS 'core' database.   

    Note: For a list of database names per version see: http://www.sophos.com/en-us/support/knowledgebase/17323.aspx,

    so you know the name of the database to run the commands against. I.e. if you're running SEC 5.1, it would be SOPHOS51.

    USE SOPHOS51
    GO
    DELETE FROM dbo.Threats WHERE ThreatName LIKE N'Shh/%'
    GO
    UPDATE dbo.ComputersAndDeletedComputers SET LastThreatInstanceID = dbo.ComputerLastOutstandingThreatInstanceID( ID )
    GO
    DELETE dbo.ThreatsArchive WHERE ThreatName LIKE N'Shh/%'
    GO
    DELETE dbo.ThreatEvents WHERE ThreatInstanceID NOT IN ( SELECT ThreatInstanceID FROM dbo.Threats) AND ThreatInstanceID NOT IN ( SELECT ThreatInstanceID FROM dbo.ThreatsArchive )
    GO

    As always, it would be a good idea to take a backup of the database first:

    http://www.sophos.com/en-us/support/knowledgebase/110380.aspx

    Regards,

    Jak

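A read-only preview of what the cleanup above would remove, added here as an example and not part of the original replies or of Sophos's own tooling. It assumes the SEC 5.1 database name and only the table and column names that appear in the posted commands; run it before the DELETE statements to confirm the pattern matches nothing but the false-positive detection.

```sql
-- Added example: makes no changes, only counts what the posted cleanup would affect.
-- Assumption: database, table and column names are exactly those in the post above.
USE SOPHOS51
GO

-- 1. Which threat names does the LIKE pattern match, and how many rows each?
--    Any name other than the false-positive detection means the pattern is too broad.
SELECT 'Threats' AS SourceTable, ThreatName, COUNT(*) AS MatchingRows
FROM dbo.Threats
WHERE ThreatName LIKE N'Shh/%'
GROUP BY ThreatName
UNION ALL
SELECT 'ThreatsArchive', ThreatName, COUNT(*)
FROM dbo.ThreatsArchive
WHERE ThreatName LIKE N'Shh/%'
GROUP BY ThreatName
ORDER BY SourceTable, ThreatName
GO

-- 2. How many ThreatEvents rows would the final DELETE remove?
--    An event survives only if a non-matching row in Threats or ThreatsArchive
--    still references its ThreatInstanceID. The count also includes events that
--    are already orphaned today, because the posted DELETE removes those as well.
SELECT COUNT(*) AS EventsThatWouldBeDeleted
FROM dbo.ThreatEvents AS e
WHERE NOT EXISTS (SELECT 1
                  FROM dbo.Threats AS t
                  WHERE t.ThreatInstanceID = e.ThreatInstanceID
                    AND (t.ThreatName NOT LIKE N'Shh/%' OR t.ThreatName IS NULL))
  AND NOT EXISTS (SELECT 1
                  FROM dbo.ThreatsArchive AS a
                  WHERE a.ThreatInstanceID = e.ThreatInstanceID
                    AND (a.ThreatName NOT LIKE N'Shh/%' OR a.ThreatName IS NULL))
GO
```

Comparing these counts with the "rows affected" figures reported by the DELETE statements afterwards gives a quick check that the cleanup touched only what was expected.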