ServerView Resource Orchestrator V3.4.0 Automatic Quarantining Function User's Guide
FUJITSU Software

3.1.1 Operation When Security Risks Have Been Detected [Trend Micro VB] [Symantec] [McAfee]

Procedure

  1. The infrastructure administrator learns that security risks have been detected through email notifications or by checking the system log of the server on which the Resource Orchestrator manager operates.

    Note

    If Resource Orchestrator is coordinating with the following antivirus software, information regarding detected security risks is not output to the system log of the Resource Orchestrator manager server.

    • Symantec Endpoint Protection
  2. The Resource Orchestrator manager responds to a notification from the following server and performs corrective action on the L-Server on which security risks have occurred, in accordance with either the settings for action to be taken automatically, or the action selected by the administrator.
    [Trend Micro OfficeScan]
    • OfficeScan 11.0 server

    • OfficeScan XG server

    [Symantec]
    • Symantec Endpoint Protection Manager

    [McAfee]
    • McAfee ePolicy Orchestrator server

  3. The infrastructure administrator checks whether the manager has correctly performed the corrective action by confirming the following.
    • No error messages are displayed on the GUI (ROR console)

    • When an L-Server was quarantined

      From the GUI (ROR console), confirm that the network of the relevant L-Server has been switched to the quarantine network, and confirm the IP address of the L-Server.

    • When an L-Server was restarted

      From the GUI (ROR console), confirm that the relevant L-Server is operating. When restarting has removed the security risk, proceed with operations in the same way as when security risks have been removed.

    • When multiple Resource Orchestrator managers are configured

      Identify the Resource Orchestrator manager that manages the L-Server on which security risks have been detected.

      [Trend Micro OfficeScan] [McAfee]

      To identify the relevant manager, check the following message that will have been output to the SYSLOG of the server on which the first manager of Resource Orchestrator operates.

      Send information of SNMP trap to remote manager [Resource_Orchestrator_manager_IP_address]

      [Symantec]

      To identify the manager, check the following message that will have been output on the GUI (ROR console) of the first manager of Resource Orchestrator.

      FJSVrcx:INFO:21143:quarantine L-Server(submgr:Resource_Orchestrator_manager_IP_address):started

    If the above message indicates that an error has been detected, perform the procedure in "3.1.4.1 Corrective Action When Automatic Action Taken When a Security Risk Is Detected Fails [Trend Micro VB] [Symantec] [McAfee]".

  4. When quarantining has been performed, environments on which security risks have been detected can no longer be used.

    In virtual PC environments, users of quarantined virtual PCs can access other virtual PCs by making requests to the infrastructure administrator.

  5. When quarantining has been performed, the infrastructure administrator opens the consoles of the virtual PCs and SBC servers on which security risks have been detected, and performs the following quarantine processing.
    1. Modify the network settings of the OS based on the L-Server IP addresses and the network information confirmed in step 3.
    2. Perform corrective actions according to the manual for the antivirus software and then perform a virus scan.
      Confirm that no viruses are detected.
  6. When quarantining has been performed, log off from the virtual machine.

    When the quarantine processing in step 5 is complete, log off from the virtual machine.
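
The manager identification in step 3 can be scripted when the first manager's SYSLOG or exported ROR console messages are available as text. The following is an added example, not part of the original guide or of Resource Orchestrator: it extracts the manager IP address from the two message formats shown in step 3. The sample lines, their timestamp and host prefixes, the function names, and the treatment of the square brackets as optional are assumptions.

```python
import ipaddress
import re

# Message texts come from step 3. Assumptions: the brackets around the
# address may or may not be literal, and the timestamp/host prefix varies.
TRAP_RE = re.compile(
    r"Send information of SNMP trap to remote manager \[?([^\]\s]+)\]?")
QUARANTINE_RE = re.compile(
    r"FJSVrcx:INFO:21143:quarantine L-Server\(submgr:([^)\s]+)\):started")

# Constructed sample lines (documentation-range addresses, invented prefixes).
SAMPLE_LINES = [
    "Mar  3 10:15:02 mgr1 rcx: Send information of SNMP trap to remote manager [192.0.2.20]",
    "Mar  3 10:15:09 mgr1 rcx: Send information of SNMP trap to remote manager 192.0.2.21",
    "Mar  3 10:16:40 mgr1 sshd[811]: Accepted publickey for admin",
    "FJSVrcx:INFO:21143:quarantine L-Server(submgr:192.0.2.20):started",
    "Send information of SNMP trap to remote manager [Resource_Orchestrator_manager_IP_address]",
]


def find_managers(lines):
    """Return (source, ip) for every message that names a valid manager IP."""
    hits = []
    for line in lines:
        for source, pattern in (("syslog", TRAP_RE), ("ror-console", QUARANTINE_RE)):
            match = pattern.search(line)
            if match is None:
                continue
            try:
                ip = ipaddress.ip_address(match.group(1))
            except ValueError:
                continue  # unfilled placeholder or malformed address
            hits.append((source, str(ip)))
    return hits


def manager_ips(lines):
    """Unique manager addresses, ordered by IP version and numeric value."""
    unique = {ipaddress.ip_address(ip) for _, ip in find_managers(lines)}
    return [str(ip) for ip in sorted(unique, key=lambda a: (a.version, int(a)))]


if __name__ == "__main__":
    for source, ip in find_managers(SAMPLE_LINES):
        print(f"{source}: L-Server is managed by {ip}")
```

Lines that carry the message text but no parseable address, such as an unfilled placeholder, are skipped rather than reported.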