Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications

Article:TECH104580  |  Created: 2008-01-03  |  Updated: 2014-07-22  |  Article URL
Article Type
Technical Solution



Why does the SEPM (Symantec Endpoint Protection Manager) not send email notifications for events triggered by the EICAR test string?

Email notifications have been configured, but when testing with the EICAR test string, an email notification is not sent.



There may be several causes.


  • The event may not have reached the SEPM yet. Verify first that the EICAR event appears in the SEPM console Monitors > Logs > Risk Logs.
  • The damper setting for the notification may be preventing a series of EICAR detections from generating individual notifications, i.e. multiple EICAR detections within the damper period of a "single risk event" notification will generate only one notification for that period. Note also that if you do not see any "single risk event" notifications to acknowledge in the SEPM (under "View Notifications") this is by design. "Single risk" notifications are the only ones that cannot be configured to write a notification to the database -- they will, however, send email or run a custom batch file.
  • Database maintenance may be deleting EICAR events before the notification task can process them.  
    To prevent this: In older versions of the SEPM, go to Admin > Servers > Local Site > Properties > Database tab, and uncheck "Delete EICAR events".  In newer versions, go to Admin > Servers > localhost > Edit Database Properties > Log Settings, and uncheck "Delete EICAR events" in the Risk Log Settings section. 
  • The notifications may be corrupt. Try recreating them.

    See also:
    Symantec Endpoint Protection Manager: How is Database Maintenance scheduled?    

    How to Configure Symantec Endpoint Protection Manager to Send Email Alerts


Legacy ID


Article URL

Terms of use for this information are found in Legal Notices