
Data Status ID Reference

Created: 06 Mar 2013 • Updated: 07 Mar 2013 | 5 comments
This issue has been solved. See solution.

What does Symantec Endpoint Protection mean when it returns a Data Status ID of Unknown (117239)?


.Brian:

I believe it means the action taken on an infection (i.e. quarantined, cleaned, deleted, etc.).

We use a SIEM and this field always shows the action taken.

Do you have a screenshot? What version of SEP?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

joleary:

I am using a SIEM as well to read ePO events, and all my SIEM is showing is ThreatActionTaken=117239. Looking up the code, I found that it stood for Unknown. I was just curious if anyone knew what part was Unknown: was it that Symantec did not know how HIPS handled the infection, or what? All the other Symantec codes are fairly easy to understand. I do not know the version of SEP.

.Brian:

Will be tough to say.

My thought would be to go to the client that initially alerted and look at the Risk log. Perhaps there is another entry that goes along with it.

In the past I've seen times where SEP will take an action such as "Left Alone" but then will generate another entry where a Quarantine action will take place.

Weird stuff but I've seen it happen.


joleary:

I do have an alert from one second before on the same host that SEP quarantined, so maybe it is tied with that. The only reason I did not think that is because of the two different source processes.

SourceProcessName=Trojan.Gen found on the Unknown Agent .; is the one with ThreatActionTaken of quarantined

and

SourceProcessName=W32.Rontokbro@mm found on the Unknown Agent .; is the one with ThreatActionTaken of Unknown

Now, while writing this, a co-worker in another building told me that Unknown means:

" 1) symantec found a virus and quarantined or took but the exact action taken was not pushed in the Data Feed

2) Symantec saw something but did not take action. "

Just thought I would share that information as well.

SOLUTION
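The triage the thread arrives at (an Unknown action code is worth checking against other SEP events on the same host a second or two earlier, and otherwise against the client's Risk log) can be scripted over the SIEM's key=value lines. The Python below is an added example, not code from the thread, from Symantec, or from any SIEM vendor. Only the code 117239 = Unknown comes from the thread; the Timestamp and Host field names, the sample log lines and the 5-second window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Action-code lookup: only 117239 ("Unknown") is taken from the thread.
# Any other value is passed through unchanged rather than guessed.
ACTION_CODES = {"117239": "Unknown"}

# key=value pairs separated by spaces; values may themselves contain spaces
# (e.g. "Trojan.Gen found on the Unknown Agent .;"), so a value runs until the
# next " key=" token or end of line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample lines mirroring the two events described in the thread,
# plus one Unknown event with no neighbouring entry. Timestamp/Host are
# assumed field names, not real SEP/SIEM field names.
SAMPLE_LINES = [
    "Timestamp=2013-03-06T10:15:22 Host=WS-017 "
    "SourceProcessName=Trojan.Gen found on the Unknown Agent .; ThreatActionTaken=Quarantined",
    "Timestamp=2013-03-06T10:15:23 Host=WS-017 "
    "SourceProcessName=W32.Rontokbro@mm found on the Unknown Agent .; ThreatActionTaken=117239",
    "Timestamp=2013-03-06T11:02:05 Host=WS-042 "
    "SourceProcessName=Trojan.Gen found on the Unknown Agent .; ThreatActionTaken=117239",
]


def parse_event(line):
    """Parse one SIEM line into a dict, translating the action code if known."""
    fields = dict(KV_RE.findall(line))
    raw = fields.get("ThreatActionTaken", "")
    fields["ActionName"] = ACTION_CODES.get(raw, raw)
    fields["ts"] = datetime.strptime(fields["Timestamp"], "%Y-%m-%dT%H:%M:%S")
    return fields


def correlate_unknown(lines, window=timedelta(seconds=5)):
    """For every Unknown-action event, collect other events on the same host
    within `window` and attach a triage hint. Returns a list of dicts."""
    events = [parse_event(line) for line in lines]
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["Host"]].append(ev)

    findings = []
    for ev in events:
        if ev["ActionName"] != "Unknown":
            continue
        related = [
            other for other in by_host[ev["Host"]]
            if other is not ev and abs(other["ts"] - ev["ts"]) <= window
        ]
        if related:
            # Matches the thread: a quarantine entry a second earlier most
            # likely explains the Unknown entry; list it for the analyst.
            hint = "possibly tied to: " + "; ".join(
                f'{o["SourceProcessName"]} -> {o["ActionName"]}' for o in related
            )
        else:
            # No sibling event: follow .Brian's advice and read the client Risk log.
            hint = "no nearby event on host; review the client's Risk log"
        findings.append({
            "host": ev["Host"],
            "threat": ev["SourceProcessName"],
            "related": related,
            "hint": hint,
        })
    return findings


if __name__ == "__main__":
    for f in correlate_unknown(SAMPLE_LINES):
        print(f'{f["host"]}: {f["threat"]} -> Unknown; {f["hint"]}')
```

Because the regex keys off the next " key=" token, a malware name containing an "=" would break the split; in practice, prefer the SIEM's own parsed fields when they are available and use this only on raw export lines.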
.Brian:

That does make sense. I've seen a few of the instances as well.
