Better/detailed EM warnings. Untraceable warnings.

  • #1

    I know this has been asked before.
    How can I receive a more detailed email regarding warnings?
    Like... This morning I got 2 emails (1st: 07:24, 2nd: 08:33):
    "EM Warning: New Infection Detected!"
    You are receiving this e-mail because you are using Endpoint Manager product.

    2020-04-30 05:23:36. New Infection Detected on device #####.

    Follow the <link> to see details.

    Best Regards,
    EM Team


    Here in this email I would like to see how urgent this warning is!
    What kind of threat level and what kind of malware has been detected.
    Also a direct link to delete/whitelist the threat.

    Not first having to login, and search for the affected device.

    Now, I clicked the link and I'm directed to the Malware overview.
    But... the last stated item is for over 8 days ago!!
    So this is not the item stated in this email!
    Now I have to search what could be the trigger.
    The other tabs: 'Threat history' and 'Autorun items' are empty. But 'Quarantined files' shows one item from this morning.
    So now I'm still wondering if this is the warning, because I got 2 separate warnings.
    But now it's getting more confusing:
    If I open the 'Quarantined files' and click on the file (in this case named 'appselector.exe'), I can see on what devices this file has been found.
    And if I select that ('Device list'), only one (!) device is listed where this file is installed on.
    But... that's a whole other device from another customer. This device, where I got 2 EM warnings from, isn't mentioned here.

    So, long story, but the bottom line is:
    Can the EM messages be more specific and detailed about the threat? Better would be with direct links for actions (like whitelist/ delete/ scan/...)
    And how can I search for these warnings because I can't trace them back!

    1.jpg


    2.jpg


    3.jpg


    4.jpg

    So, after all this checking, I still haven't found out what the 2 emails were referring to.

    Am I doing something wrong?

    Regards



  • #2
    Correcting myself:
    The 'Quarantined files' is an overview of all the quarantined files and will show all the files from all the customers.
    So this is by design and correct I see. My mistake.

    But.. I still haven't got a clue what was the trigger.

    Now I just got another email, regarding another client. I also get redirected to the 'current malware list' and there is no entry regarding this device. (The last entry for this device was from 15 Dec 2019.)

    I really think a lot of these misunderstandings can be taken away with a more detailed email and direct links for actions.
    This is not 'admin-friendly'.
    Last edited by ailan; 04-30-2020, 08:04 AM.



    • #3
      Hello @ailan,

      We have created a support ticket in regards to your report and will reach you via your forum registered email for further correspondence.



      • #4
        Hi SethHD and Colin,

        Thanks for the message.
        I just received the following mail:
        Hello,

        Thank you for contacting ITarian Support Team.

        We thank you for providing details about your query. Our product management team is aware of your request and is working to prioritize it with the others received. We will provide you an email notification for any updates regarding this request and its timeline once it is prioritized on the road-map for a delivery.

        Regards,
        Colin
        ITarian Support




        Can you tell when we can see this function? (I asked this question also nearly a year ago. See: https://forum.itarian.com/forum/msp-...4358#post34358)
        I still haven't found out where the triggers were coming from this morning. No details in the logs.
        So the only thing I can do is a full scan on the computers.

        These are some of the most basic functionalities for a security product. Now I only get a warning, but can't see from where or what.

        So please can you implement those 2 things asap?:
        -easier navigation to see all the threats.
        -more detailed email/warning with direct links to the entrylog and direct links to take action (like clean, scan, whitelist)

        Thanks and regards.



        • #5
          Update,
          From yesterday, I'm still getting a lot of email warnings regarding 'New infection detected!'.
          1.jpg

          So what are the steps to find out what was found, when and where?

          If I click the link in the email, I'm redirected to the 'Current Malware list'. Just like I stated in the first post.
          This is what I see (I sorted the entries by date):
          6.jpg

          Notice I only have 1 entry from today. The 2nd entry is from nearly 3 days ago!

          Ok, I check the Notifications tab:
          7.jpg

          Hereby the warnings:

          8.jpg
          3.jpg

          I only see 2 malware detections..

          So this is not consistent with all the emails I got

          I still don't have a clue and overview what's going on..

          So I try to do a search in 'Security Dashboard'-> Event view.
          Here I see a lot of events. Even from devices and events where I haven't got a email warning from!
          4.jpg

          But to begin with I'm still trying to figure out the detected infections. So I'm going to filter only on 'Malware detections'.
          5.jpg

          Also, I see other entries from devices where I haven't received a mail.
          But, I can't trace the received messages and detections here.

          And searching through all the logs is a pain and very illogical: notice in the above pics that a lot of entries are logged in 24H and others in 12H notation.
          That to begin with is very confusing and makes searching very hard!

          And in the event views, the layout that can't be widened is a very big problem: the columns for device name, and more, for the file path and file name are way too short to have a quick overview.
          I know I can hover over the entries, but if you want to have a quick glance at all the entries, this is very time consuming. You have to hover over every item and wait until it is revealed. And if you want to record it for yourself to inspect the files, you have to copy-paste it to some other place.

          So, I only want to say that there are a lot of improvements needed.
          Better navigation; the logs are not consistent and accurate with what I have in my consoles.

          As an endpoint platform this product is unusable for me at this point, because I can't find the detected warnings I received in email and I can't rely on what I see in the different logs.
          Creating these emails and searching through every different log takes too much time for a product like this.


          Am I the only one who can't find and work in this?

          I'm still trying to like this platform, but like I posted earlier:
          please don't add newer functionalities, but focus on the(se) basic things. They are not working like it should be.
          For now, this is unusable to troubleshoot.


          Can anyone post how to inspect the received warnings properly?
          Not a link to the manuals, because I've already seen them. Like you see from my long post above, on the regular places I can't find the relevant entries.
          Please post them here so that we all can learn. Not via private email or meeting.
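The two things the thread keeps running into are (a) that the "EM Warning" e-mail quoted in the first post carries only a detection timestamp and a device id, and (b) that the console's event view mixes 24-hour and 12-hour timestamps, which makes matching an e-mail to an event by hand error-prone. The block below is an added example and is not ITarian's code or anything the forum posters wrote: it parses the e-mail body in the shape quoted above, normalises both timestamp styles to one type, and then pulls the 'Malware detection' events that fall within a few minutes of the e-mail's timestamp. The event lines, their pipe-separated column layout, the two timestamp formats and the device ids are all constructed here for the example; the page does not document ITarian's export format, and the masked device id `#####` is kept exactly as on the page.

```python
import re
from datetime import datetime, timedelta

# Constructed EM warning e-mail, in the shape quoted in the first post of the
# thread. The device id is the masked placeholder exactly as shown on the page.
SAMPLE_EMAIL = """EM Warning: New Infection Detected!
You are receiving this e-mail because you are using Endpoint Manager product.

2020-04-30 05:23:36. New Infection Detected on device #####.

Follow the <link> to see details.

Best Regards,
EM Team
"""

# Constructed event-view export lines (assumed column layout: ts | device | kind | path).
# They deliberately mix the 24-hour and 12-hour notations the poster complains about.
SAMPLE_EVENTS = [
    "2020-04-22 14:05:10 | DEV-0001 | Malware detection | C:\\Users\\a\\Downloads\\appselector.exe",
    "04/30/2020 5:23:36 AM | DEV-0042 | Malware detection | C:\\ProgramData\\x\\appselector.exe",
    "04/30/2020 5:24:01 AM | DEV-0042 | Quarantine | C:\\ProgramData\\x\\appselector.exe",
    "2020-04-30 06:31:55 | DEV-0007 | Malware detection | C:\\Temp\\setup.exe",
    "2020-04-30 07:00:00 | DEV-0042 | Scan completed | -",
]

# Matches the one informative line of the e-mail: "<timestamp>. New Infection Detected on device <id>."
EMAIL_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\. New Infection Detected on device (?P<dev>\S+?)\."
)

# Both notations seen in the constructed events; add more here if an export uses others.
TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%m/%d/%Y %I:%M:%S %p")


def parse_timestamp(text):
    """Normalise a 24h or 12h timestamp string to a naive datetime."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")


def parse_warning(body):
    """Extract detection time and device id from an EM warning e-mail body."""
    m = EMAIL_RE.search(body)
    if not m:
        raise ValueError("no 'New Infection Detected' line found in e-mail body")
    return {"detected_at": parse_timestamp(m.group("ts")), "device": m.group("dev")}


def parse_event(line):
    """Split one constructed event line into its fields, normalising the timestamp."""
    ts, device, kind, path = (field.strip() for field in line.split("|", 3))
    return {"ts": parse_timestamp(ts), "device": device, "kind": kind, "path": path}


def correlate(warning, event_lines, window=timedelta(minutes=5), kinds=("Malware detection",)):
    """Return events of the wanted kinds within +/- window of the e-mail's timestamp.

    The e-mail's clock and the console's clock are assumed to agree; if they do
    not (e.g. a timezone offset), widen the window or shift warning['detected_at'].
    """
    events = [parse_event(line) for line in event_lines]
    lo = warning["detected_at"] - window
    hi = warning["detected_at"] + window
    hits = [e for e in events if lo <= e["ts"] <= hi and e["kind"] in kinds]
    # A real e-mail carries a device id; the page only shows the masked '#####',
    # so the device filter is skipped for that placeholder.
    if warning["device"] != "#####":
        hits = [e for e in hits if e["device"] == warning["device"]]
    return hits


if __name__ == "__main__":
    warning = parse_warning(SAMPLE_EMAIL)
    for hit in correlate(warning, SAMPLE_EVENTS):
        print(hit["ts"], hit["device"], hit["kind"], hit["path"])
```

Run against an actual console export, the only parts that need adjusting are `SAMPLE_EVENTS` (load the file instead) and possibly `TS_FORMATS`; the `window` argument is what absorbs small clock differences between the mail server and the console, and the device filter only does anything once the e-mail carries a real id instead of the masked one.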


          • #6
            Did you remove the infections?



            • #7
              Hi Uandit,

              No, Because I can't see if it's a valid file/program or not.
              I can't retrace the origin of the detected files; that's the most frustrating thing this moment.

              I'm going to scan all the mentioned systems manually and check the logs.

              But that's not the way it should be.



              • #8
                I somehow missed the first post and read it. I completely agree with you about the tedious steps it takes to figure out the device/infection details. Yesterday, I dealt with 2 trojan viruses from work, where we use a different RMM and A/V. My inbox got flooded with emails until I dealt with and cleaned off the infection (hence my previous post... sorry if it wasn't relevant to your concerns). However, in order to deal with the infections, I simply logged into the RMM, looked up the machine name, and scanned from the RMM. The infection was not completely removed, as it was cleverly designed to use a legitimate Microsoft exe with a modified dll. So that part I had to manually remote onto the machine and remove it.

                I say all that to say, it is much easier to deal with infections from that RMM than this one, which I use for my personal customers. It's always tedious, and I am in agreement there should be more thought put into the process of detecting the infection, relaying the info to us, and a more accessible way of getting the details about the machine and infection.

                Looking forward to Itarian's response to this...



                • #9
                  Hi Uandit,

                  No problems. Good to hear that you also have these thoughts regarding this product and note it here in this thread.

                  I do recommend that more admins like us, who are having the same feeling towards the inability to properly work with this platform because of the lack of intuitive navigations and communication methods, leave a comment here.

                  The more reactions, the better.

                  An endpoint protection tool that's inconsistent, misses malware detections, doesn't show/log the infections and is difficult to interact with, is not very useful.

                  The product has the potential, so I'm still trying to make use of it. But I think the focus is wrong here. (In every update I see newly introduced functions, but the very basic and needed functionality is still ill implemented.)

                  So, to all other admins/MSPs, please leave a comment here if you feel the same.



                  • #10
                    Frankly, I find the security subsystem to be a bit of a mess and hard to use.
                    It's like nothing hangs together.
                    Example:
                    On my dashboard it says I have 13 infected devices.
                    I click the link and it shows me 13 devices.
                    If I click the device it shows me device details and nothing about the infection.

                    Client calls about an app that got installed virtually.
                    Didn't notice the green frame. It's really easy to miss.
                    I find the app and it's listed as unknown. I have no way to upload the application for review directly from the backend.

                    Running a full virus scan on a device now.
                    It found some files listed as virus.
                    In the backend it's marked as malware, but when I try to get some Valkyrie details there are none.

                    Confusing as hell, to the point it's useless.

                    I really dislike how poorly this is set up and integrated.

                    At this point I'd rather have a different AV program than this.
                    It's not just not user friendly; I find it hard to find out what's going on.

                    Tried to whitelist a program today but it wouldn't take it.
                    Or I should say the client got pissed and gave up before it would allow the app to be run.

                    Just not good business for us.

                    If I have no idea how to use this, then blame your poor interface and integration, but feel free to educate me.





                    • #11
                      Update:
                      I'm still getting the same detections over and over again. Multiple warnings a day.

                      1.jpg

                      When opening the link, I get redirected to the 'Current Malware list':
                      3.jpg

                      The first entry on top of the list is from the last device where I got a warning from.
                      Regardless of which email I open, even from an earlier warning, this is the list I get.
                      Note the timestamp. So, is this how the list is sorted? By device name? Is the timestamp the first time that this item has been detected?

                      No clue how to read this.

                      So when I sort on detection date, I get this:

                      2.jpg
                      Last detection is on 2020/05/05.

                      I just want to 'trust' these files, regarding how you read this. So I selected ALL the entries and selected 'Rate as trusted'.
                      Multiple times already.
                      But I still get email warnings about these detected files.

                      Can somebody explain to me what's going wrong? I'm missing details and direct links to the detected files.

                      And if it's a known problem. When can we expect an update?

                      Thanks



                      • #12
                        The security subsystem is not very good.
                        Its so hard to understand and find issues.
                        This must be redone.

                        Also, please start using normal virus names so we can find out what it is.



                        • #13
                          Hi Itarian,
                          Are there any improvements regarding logging and tracing warnings in the upcoming 'Release Notes for June Release (2020-06-04)'?
                          I still have these 'daily detected warning' problems.

                          If not, do you know when this can be expected?



                          • #14
                            Hi Itarian,

                            Is there any progress regarding the navigation?
                            I still get a lot of emails about detections. But after clicking the link in the email I'm directed to the overview of all the devices.
                            How long will it take to get some details IN THE EMAIL?
                            So you can see how grave the detected threat is and act on it? Not first having to log in and search manually through the devices and hope to find the detection.
                            I still can't find the detected threats posted in my 1st post, and we're nearly 6 months further!!
                            Also I still have the feeling that the current focus of the development team lies wrong; can you please fix/implement the long promised functions?
                            -App for Android/iOS to remote into devices
                            -Change the email so that there's more info about the device, the name of the threat/virus/malware, a direct link to the log entry and action buttons in it
                            -Better navigation to search through the detections
                            These are the fundamentals of a security product!!!
                            After the change to another paid model from your side, I think that we as MSPs can expect a decent product where the basics are in order. And now, nearly 10 months further, I don't see much improvement regarding these 'old' issues.

                            Can you give an update when we can expect improvements regarding the threat management system?



                            • #15
                              Hi ailan ,

                              We have checked your requests status,

                              I still get a lot of emails of detections.
                              --> This item will be fixed in the short term.

                              -App for Android/IOS to remote into devices
                              --> We are working on the Android to Windows and Windows to Android option right now; development is in progress, and as soon as the Android part is done we will start the iOS version of this capability.

                              -Change the email so that there's more info about the device, and the name of the threat/virus/malware and a direct link to the log-entry and action buttons in it?
                              --> This feature is also on our roadmap, and we are planning to deliver it in the midterm.

                              -Better navigation to search through the detections.
                              --> Could you please give more details about this request? I couldn't get the use case.

                              By the way as a product management team we are sharing our short term quarterly road map on below link, you can always check the items that we will release on next quarter.
                              https://forum.itarian.com/forum/gene...r-and-december


                              Best regards,
                              Product Management Team
                              Last edited by Elif; 09-25-2020, 05:15 PM.
