Endpoint Protection

  • 1.  Endpoint alerting

    Posted Aug 11, 2010 09:20 AM
    Afternoon,

    We are running 11.0.4014.26 on Windows Server 2008

    I noticed a couple of weird things with the alert emails from SEPM and I hope you guys can help.

    1. When we have an alert email come through the event time and database entry time are an hour behind (I'm guessing because this is showing in GMT and we are currently in daylight savings)

    Email was received at 13:04 and event was generated at 13:00
    Risk name: EICAR Test String
    Event time: 2010-08-11 12:00:09 GMT
    Database insert time: 2010-08-11 12:03:18 GMT

    2. Similar to above, but sometimes it can take ages for the alert to come through (or even not at all).

    Email was received at 14:04 and event was generated at 12:59
    Risk name: EICAR Test String
    Event time: 2010-08-11 11:59:55 GMT
    Database insert time: 2010-08-11 12:04:18 GMT

    Both situations are causing my ear to get bent by my boss :)

    What is the best notification to configure for an email to send out the moment SEPM picks up a risk? Or is there a product like the alerting server in version 10 which can provide this?

    Many thanks.

    Dave




  • 2.  RE: Endpoint alerting
    Best Answer

    Posted Aug 11, 2010 10:04 AM
    I think you configured new alerts; it's one alert for every new virus detected.



    Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008040309460648


    http://service1.symantec.com/support/ent-security.nsf/docid/2008032116480748?Open&seg=ent



  • 3.  RE: Endpoint alerting

    Broadcom Employee
    Posted Aug 11, 2010 12:37 PM

    If you want an alert every time a client reports a threat back to the SEPM, then you would need to configure the "Single Risk Event" notification. It sounds like you may have set up the "New Risk Detected" notification.

    Depending on the time it takes for the client to send its logs back to the SEPM (your heartbeat) and the time it takes for the SEPM to process the logs and send the event to your email server, it can take a few minutes for the whole process to complete. The delay you are seeing between similar events is most likely the damper coming into play. The damper is there to aggregate similar events so that the system is not flooded, but rather sent a manageable number.

    Hit the "Help" button when you are setting up your email alerts in the Monitors -> Notifications -> Add -> "Single Risk Event" and you will have further details.
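To make the damper behaviour described in this reply concrete, here is an added Python example; it is not code from the thread or from Symantec. It models a damper over the two EICAR detections quoted in the first post: the first event of a given risk is sent as soon as it is inserted, and further events of the same risk that arrive inside the damper window are held and sent together when the window closes. That rule is a simplification assumed for illustration, as is the one-hour local offset from GMT; the 60-minute "Auto" value is the poster's own reading of the linked article and is passed in as a parameter, not asserted as fact.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption (the thread only says "daylight savings"): the poster's local
# clock runs one hour ahead of GMT, which is what the gap between the GMT
# timestamps and the local receipt times implies.
GMT = timezone.utc
LOCAL_TZ = timezone(timedelta(hours=1), name="GMT+1")


@dataclass
class RiskEvent:
    risk_name: str
    event_time: datetime   # detection time on the client, in GMT
    insert_time: datetime  # time the SEPM wrote the event to its database, in GMT


def parse_gmt(text: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM:SS GMT' stamp as printed in the alert e-mail."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=GMT)


def to_local(dt: datetime) -> str:
    """Show a GMT stamp on the administrator's local (assumed GMT+1) clock."""
    return dt.astimezone(LOCAL_TZ).strftime("%H:%M:%S")


# Constructed from the two EICAR detections quoted in the first post.
SAMPLE_EVENTS = [
    RiskEvent("EICAR Test String",
              parse_gmt("2010-08-11 12:00:09 GMT"),
              parse_gmt("2010-08-11 12:03:18 GMT")),
    RiskEvent("EICAR Test String",
              parse_gmt("2010-08-11 11:59:55 GMT"),
              parse_gmt("2010-08-11 12:04:18 GMT")),
]


def simulate_damper(events, damper_minutes: int):
    """Assumed damper model: the first event of a given risk is sent at its
    insert time and opens a window of damper_minutes; later events of the same
    risk inserted inside that window are held and sent as one aggregated
    notification when the window closes.

    Returns (risk_name, send_time, event_count) tuples sorted by send time.
    """
    damper = timedelta(minutes=damper_minutes)
    window_until = {}  # risk_name -> end of its open window
    held = {}          # risk_name -> events waiting in that window
    sent = []

    def flush(name):
        if held.get(name):
            sent.append((name, window_until[name], len(held[name])))
            held[name] = []

    for ev in sorted(events, key=lambda e: e.insert_time):
        # Close any windows that expired before this insert.
        for name in list(window_until):
            if window_until[name] <= ev.insert_time:
                flush(name)
        name = ev.risk_name
        if name not in window_until or window_until[name] <= ev.insert_time:
            sent.append((name, ev.insert_time, 1))
            window_until[name] = ev.insert_time + damper
            held[name] = []
        else:
            held.setdefault(name, []).append(ev)

    for name in window_until:
        flush(name)
    return sorted(sent, key=lambda s: s[1])


def send_times_gmt(events, damper_minutes: int):
    """Just the GMT send times as 'HH:MM:SS' strings, in send order."""
    return [t.strftime("%H:%M:%S")
            for _, t, _ in simulate_damper(events, damper_minutes)]


if __name__ == "__main__":
    # 60 = what the poster says 'Auto' meant; 20 = the value he changed it to.
    for minutes in (60, 20):
        print(f"damper {minutes} min:")
        for name, when, count in simulate_damper(SAMPLE_EVENTS, minutes):
            print(f"  {name}: {count} event(s) sent {when.strftime('%H:%M:%S')} GMT"
                  f" = {to_local(when)} local")
```

Under this model the second EICAR event, inserted one minute after the first, is held for the remainder of the window: with a 60-minute damper it goes out at 13:03:18 GMT (14:03 on the local clock, matching the 14:04 receipt in the first post), and with a 20-minute damper at 12:23:18 GMT. Under this assumed model a third similar event inside the window does not add a third e-mail; it is counted into the aggregated notification.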


  • 4.  RE: Endpoint alerting

    Posted Aug 12, 2010 05:13 AM
    <<<We are running 11.0.4014.26 on Windows Server 2008>>>

    As per Symantec documentation, you have to use RU5 or above on Windows 2008.
    You can migrate to the latest version, i.e. RU6a:
    Migrating to Symantec Endpoint Protection 11.0 RU6




  • 5.  RE: Endpoint alerting

    Posted Aug 12, 2010 06:36 AM
    Hi,

    Thanks very much for your suggestions.

    Out of interest, we are using the single risk event, but I think the issue was the damper setting (I have changed the setting from Auto to 20 mins, seeing in the link that Auto was an hour :))

    Also, I will look to migrate the SEPM to RU6. Are there any potential issues I need to be aware of? Or is everyone happy with the update?

    Cheers

    Dave


  • 6.  RE: Endpoint alerting

    Posted Aug 12, 2010 06:55 AM
    Upgrade to MU6 if you are facing any issues; if your SEPM is happy and fine, let's postpone it.