Endpoint Protection


Email virus alerts have less info compared to SAV 10

  • 1.  Email virus alerts have less info compared to SAV 10

    Posted Mar 23, 2009 05:01 PM
    In SAV 10.1.7.7000 I had alerts configured to email me when SAV found a threat on a computer and the info I received looked like what is below:

    Virus found:

    Alert: 27644

    Virus name: Trojan.Packed.NsAnti

    Computer: COMPUTERNAME

    IP address: 10.10.10.10

    File/Path: F:/itsduel.exe

    User: USERNAME

    Alert date/time in reporting server time: 2009-03-20 01:48:48

    Database insert date/time: 2009-03-20 01:53:11

    Source: Auto-Protect scan

    Description:

    Actual action: Quarantined

    Server group: AME-LIL-10.1

    Parent server: NOSAPP02

    Client group:

    This alarm was generated at 2009-03-20 01:55:08 (Reporter Host Time).

    This alarm was generated by Randy, with the following filters:

    Server group: AME-LIL-10.1

    Client group: *

    Parent server: *

    Computer: *

    Virus name: *

    Source:

    The alerts that I have setup for SEP MR4 MP1a look like what is below:


    Message from:

    Server name: amevmsepm01

    Server IP: 10.10.10.10

    At least one security risk found:

    Risk name: W32.Downadup!autorun

    Event time: 2009-03-23 12:25:48 GMT

    Database insert time: 2009-03-23 12:32:20 GMT

    User: SYSTEM

    Computer: DGWATHOMAS02

    IP Address: 10.?.?.?

    Domain: Default

    Server: amevmsepm01

    Client Group: My Company\AME\DGW

    Action taken on risk: Cleaned by deletion

    The main thing that bothers me is the alerts from SEP do not contain the File/Path that was infected. 

    Attached is a screenshot of the settings for the "Single Risk Event" notification/alert I am using.

    Does anyone know how to get File/Path info included in the alerts?



  • 2.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 24, 2009 11:20 AM
    Is the SEP alert from a SEP client or are you forwarding the SAV10x logs to SEPM?


  • 3.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 24, 2009 12:26 PM
    I agree with you and have a rant in here myself from a couple of months back - the email alerts don't contain squat.
    SEP gives nothing on the file name or location - and that file path tells me everything I need to know - how it got in, what sort it is, etc. I KNOW I can get that info from the SEM console and logs, but oftentimes I'm not there, or I'm at home, etc., and I need that info in the email, not have to go digging for it. I could tell almost everything I needed from the email.

    So my request would be:
    please, Symantec, give the details about the file and path, everything, in the email itself; don't make me go digging for it. I don't have that much time ;-)
    SAV did it; it should be easy to tell SEP to go into verbose mode with the emails.



  • 4.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 24, 2009 12:34 PM
    I've already submitted this as an enhancement request (back when ShadowsPapa's old thread was still fresh).  I would suggest that everyone who feels this way do likewise:

    http://engweb.symantec.com/enhancement/



  • 5.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 25, 2009 07:43 AM

    Is the SEP alert from a SEP client or are you forwarding the SAV10x logs to SEPM?

    It's from a SEP client.  From the looks of the other two replies it sounds like this is just how SEP works for now and that I will need to submit an enhancement request.



  • 6.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 25, 2009 08:40 AM
    That is the native SEP email alert.
    The native SAV email alerts are more verbose, much more important information.
    The native SEP alerts - those with no SAV involvement at all, are pretty stripped down.
    SEP is more like "hey, mister, you have a problem, better go dig into it - lotsa luck, I ain't gonna tell ya anything".

    The old SAV was like "buddy, you have a problem and here is all the information you will ever need to figure it out right at your fingertips"

    LOL - hint-hint  ;-)


  • 7.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 25, 2009 10:08 AM
    The main thing that bothers me is the alerts from SEP do not contain the File/Path that was infected. 

    On the start page of SEP Manager there is an "Action Summary by Detection Count"

    If you click on "Newly Infected" or "Still Infected" you can from this report see the path to the infected file.


  • 8.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 25, 2009 10:20 AM
    >>The main thing that bothers me is the alerts from SEP do not contain the File/Path that was infected.<<

    Exactly, but I suspect someone still doesn't get my/our gripe.
    We don't always have the ABILITY to get to the console! I get email alerts at HOME. I need to be able to see it in the alerts. I need to be able to see the alerts on a phone, or a PDA, or whatever. Email does that for me.
    The issue is that we don't have TIME to pull up that SLOW Java console and dig and click for info. SAV used to give it to us in a single swoop - a single email. Done. We knew everything we needed: file name, file path, etc. If the console was simple, fast and easier, fine, but it's slow, and sometimes takes 10 seconds to display the next tab.
    I am a troubleshooter - I diagnose - I can tell you almost anything we need to know from the file name and path. I can tell what it is, how risky it is, and how they got it from the file name and path.
    Having to dig is irritating at the least, and costly in time at the worst. I want the FILE NAME AND FULL PATH in the email. I know I can get it 6 other places but don't care. I want it in the email. SAV did it, SEP does not.


  • 9.  RE: Email virus alerts have less info compared to SAV 10

    Posted Mar 25, 2009 01:57 PM
    I completely agree with ShadowsPapa. As said in another post, I'm a lazy admin and "you can get the info if you log into the console" is not an adequate response. If the information is housed in the 'system', then it should be reportable, and if it's reportable, it should be autonomy-enabled. Otherwise, it just serves to create more work for the admin... and if it continues to create more work for the admin... I still think I'll have to head down the path of SQL reporting services, which is unfortunate. I feel like I have to reverse engineer the sem5 schema to get the data and reporting I want. Tsk tsk.


  • 10.  RE: Email virus alerts have less info compared to SAV 10

    Posted Apr 29, 2009 11:03 AM
    I just submitted an enhancement request for this. Another needed feature that Symantec seems to have taken out!


  • 11.  RE: Email virus alerts have less info compared to SAV 10

    Posted Apr 29, 2009 11:58 AM

    I agree with ShadowsPapa as well. The alerts as they are are not very helpful. I want to be able to look at them and know what is going on. I have my alerts set up to let me know if realtime detects more than 10 within an hour across my organization. Inevitably these come in when I am on my way home and I get them on my Blackberry. Since they are likely to be in a different time zone, if I could read the report on my Blackberry and see what was going on, I could dispatch a local tech to the problem machine to investigate from my car if I needed to, and not have to hope everything was good till I got home, or have to pull over and pull out a laptop and connect in.

    I submitted an enhancement request on this a while back and was told that they are working on it. Hopefully one of the upcoming releases will solve the problem.



  • 12.  RE: Email virus alerts have less info compared to SAV 10

    Posted Jun 06, 2009 11:54 AM
    I put this into an idea.

    https://www-secure.symantec.com/connect/idea/email-virus-alerts-have-less-info-compared-sav-10

    Please go and agree if you think it's appropriate.


  • 13.  RE: Email virus alerts have less info compared to SAV 10

    Posted Jun 10, 2009 12:21 AM

    Bjohn,

    Thank you for posting this request on the "Ideas" forum. I will check to see if the deadline has passed for adding changes of this size. If it has, I will put it on the list for the next release.


    To confirm, you just need file/path of infection? You are not so worried about the side-effects? Side-effects are the additional files and registry entries that a threat will add to the system.

    Regards,


    JimW



  • 14.  RE: Email virus alerts have less info compared to SAV 10

    Posted Jun 10, 2009 10:38 AM
    Here's what an alert from SAV Reporter looked like. If the SEPM alert can look close to this, including file/path and action taken, that would be great.

    Virus found:

    Alert: 77402
    Virus name: Downloader
    Computer: MY Computer
    IP address: MY IP
    File/Path: C:/Documents and Settings/username/Local Settings/Temporary Internet Files/Content.IE5/FA34ALR6/E_J[1].JS
    User: bhoguedb
    Alert date/time in reporting server time: 2009-06-09 16:06:43
    Database insert date/time: 2009-06-09 16:14:01
    Source: Auto-Protect scan
    Description:
    Actual action: Partially repaired
    Server group: Upstate Offices
    Parent server: MY SERVER
    Client group: WS Upstate UPG

    This alarm was generated at 2009-06-09 16:17:01 (Reporter Host Time).
    This alarm was generated by Administrator, with the following filters:
    Server group: *
    Client group: *
    Parent server: *
    Computer: A15-*
    Virus name: *
    Source:
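The two message shapes quoted in this thread (the SAV 10 Reporter alerts in posts 1 and 14, and the SEP 11 "Single Risk Event" notification in post 1) can be normalized by a small parser so that a mail filter or on-call script can tell at a glance which triage fields the message actually carries. The block below is an added example for this thread, not Symantec code and not from any poster. It assumes the field labels appear exactly as in the quoted bodies (other SAV/SEP builds may label them differently), and the two sample bodies are constructed from those quotes with hostnames and users altered.

```python
"""Normalize Symantec email virus alerts and flag missing triage fields.

Added example for this thread (not Symantec code). It handles the two
message shapes quoted in the thread: SAV 10 Reporter alerts and SEP 11
SEPM "Single Risk Event" notifications. Sample bodies below are
constructed from those quotes with values altered.
"""
import re
from datetime import datetime

# Label (lower-cased, as it appears before the colon) -> normalized field.
# Assumption: labels match the quoted alert bodies exactly; other SEP/SAV
# builds may use different labels and would need entries added here.
FIELD_MAP = {
    "alert": "alert_id",
    "virus name": "risk_name",
    "risk name": "risk_name",
    "computer": "computer",
    "ip address": "ip_address",
    "file/path": "file_path",
    "user": "user",
    "actual action": "action",
    "action taken on risk": "action",
    "alert date/time in reporting server time": "event_time",
    "event time": "event_time",
    "source": "source",
    "description": "description",
    "client group": "client_group",
    "server group": "server_group",
    "parent server": "parent_server",
    "server": "server",
    "server name": "server",
    "server ip": "server_ip",
    "domain": "domain",
}

# What a responder needs to act on the message without opening the console.
REQUIRED = ("risk_name", "computer", "file_path", "action")

# "Label: value"; the label class excludes digits so timestamp lines such as
# "This alarm was generated at 2009-03-20 01:55:08" are not mistaken for fields.
LINE_RE = re.compile(r"^\s*([A-Za-z/ ]+?):\s*(.*?)\s*$")


def parse_event_time(value):
    """Return (datetime, tz_known). SEP stamps 'GMT'; SAV Reporter gives the
    reporting server's local time with no zone, so tz_known is False there."""
    tz_known = value.endswith(" GMT")
    stamp = value[:-4] if tz_known else value
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), tz_known


def parse_alert(body):
    """Parse one alert body into a normalized dict plus the list of REQUIRED
    fields it lacks. Parsing stops at the SAV filter block, whose lines
    ('Computer: *') would otherwise overwrite the real values."""
    if "Risk name:" in body:
        product = "SEP"
    elif "Virus name:" in body:
        product = "SAV"
    else:
        product = "unknown"
    record = {"product": product}
    for line in body.splitlines():
        if "with the following filters:" in line.lower():
            break
        m = LINE_RE.match(line)
        if not m:
            continue
        label, value = m.group(1).strip().lower(), m.group(2)
        field = FIELD_MAP.get(label)
        if field and value:          # empty values ("Description:") count as absent
            record[field] = value
    if "event_time" in record:
        record["event_time"], record["tz_known"] = parse_event_time(record["event_time"])
    missing = [f for f in REQUIRED if f not in record]
    return record, missing


def summarize(record, missing):
    """One-line, phone-friendly summary that names what the alert did not say."""
    line = "{p}: {r} on {c} ({u}) -> {a}; path={f}".format(
        p=record["product"],
        r=record.get("risk_name", "?"),
        c=record.get("computer", "?"),
        u=record.get("user", "?"),
        a=record.get("action", "?"),
        f=record.get("file_path", "NOT IN ALERT"),
    )
    if missing:
        line += " [missing: %s]" % ", ".join(missing)
    return line


# Constructed sample bodies (shapes from the thread, values altered).
SAV_SAMPLE = """Virus found:
Alert: 27644
Virus name: Trojan.Packed.NsAnti
Computer: WS-0417
IP address: 10.10.10.10
File/Path: F:/itsduel.exe
User: jdoe
Alert date/time in reporting server time: 2009-03-20 01:48:48
Database insert date/time: 2009-03-20 01:53:11
Source: Auto-Protect scan
Description:
Actual action: Quarantined
Server group: AME-LIL-10.1
Parent server: NOSAPP02
Client group:
This alarm was generated at 2009-03-20 01:55:08 (Reporter Host Time).
This alarm was generated by Randy, with the following filters:
Server group: AME-LIL-10.1
Client group: *
Computer: *
"""

SEP_SAMPLE = r"""Message from:
Server name: amevmsepm01
Server IP: 10.10.10.10
At least one security risk found:
Risk name: W32.Downadup!autorun
Event time: 2009-03-23 12:25:48 GMT
Database insert time: 2009-03-23 12:32:20 GMT
User: SYSTEM
Computer: WS-0418
IP Address: 10.10.10.11
Domain: Default
Server: amevmsepm01
Client Group: My Company\AME\DGW
Action taken on risk: Cleaned by deletion
"""

if __name__ == "__main__":
    for body in (SAV_SAMPLE, SEP_SAMPLE):
        print(summarize(*parse_alert(body)))
```

Run against the two samples, the SAV record comes out complete while the SEP record is reported as `missing: file_path`, which is exactly the gap the thread is about; the `tz_known` flag also captures the other difference between the formats (SEP stamps GMT, SAV Reporter reports server-local time), so a script that correlates alerts across sites does not silently mix zones.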