How to shut off SEP alerts when a virus is found?
We wanted to test SEP for finding a virus so we used EICAR.
http://en.wikipedia.org/wiki/EICAR_test_file
I copied the EICAR text into a text file and saved it. Immediately SEP stopped it and deleted it. We were happy with that.
The SEP manager also showed this. Also good.
And we got an email alert like we wanted. Also good.
And then we got another alert. And another. And another. Every two minutes it would send out an alert.
We've acknowledged the virus catch in the notifications area. That's green. But it's still sending out alerts. We restarted the server SEP is on. We deleted and recreated the alert notification. No luck -- It's still sending these alerts. Each alert is the same. It's the same time for when it found the virus.
How do we stop these alerts? We finally gave up and took the notifications off but if a real virus comes along we won't get the emails. Is this a flaw in the software or user error on our end?
Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications
http://www.symantec.com/connect/forums/setting-email-alert-symantec-endpoint-protection-manager-v11
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Hmm.... First two links just lead me to a generic search page, not the actual post.
http://www.symantec.com/business/support/index?page=home&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1348153685978K0t963bDfEW858NDgJ6mb23x11r9783doyH4U
Still looking...
These two pages don't help.
http://www.symantec.com/business/support/index?page=content&id=TECH104580
http://www.symantec.com/business/support/index?page=content&id=TECH104394&locale=en_US
I don't see where the delete EICAR event box is. We just need to stop the alerts.
https://www-secure.symantec.com/connect/forums/setting-email-alert-symantec-endpoint-protection-manager-v11
We are getting alerts. That's not the issue. We just continue to get alerts even after we green light SEP/acknowledge the alert. How do we stop those alerts from continuing to be emailed out? Is this from a setting we configured incorrectly? I would think it sends out an alert (or maybe it really does keep sending them out), but after we recognize that on the server side it should stop sending them. If it's possible, we'd just like one email notification. We don't need them every two minutes.
SEPM email notifications are sent repeatedly for old events
http://www.symantec.com/business/support/index?page=content&id=TECH187656
Multiple Symantec Endpoint Protection Manager email notifications are sent for old events
http://www.symantec.com/business/support/index?page=content&id=TECH144817
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Ah, that's sounding more like it.
I don't see where to download that update or a place on the management software side of SEP to check for updates. Can I download that patch somewhere or 'check for updates' somewhere in the manager software?
Hi,
What SEPM version are you using?
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
12.1.1101.401
I found the downloads page and logged in with our serial number. I'm not quite sure which one we need. There isn't a 'check for updates' button/option in the management software?
Hi,
You can download from FileConnect.
Any update buttons are not available in the SEPM console?
Upgrading or migrating to Symantec Endpoint Protection 12.1.1101 (RU1 MP1)
http://www.symantec.com/business/support/index?page=content&id=TECH187753
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Are we on that version already? Or is the RU1 MP1 a different version than the plain 12.1.1101.401?
12.1.1101 is RU1 MP1. You're already on that it seems.
SEP Knowledge Base
Endpoint SWAT
Yes, this problem is resolved in the SEP 12.1 RU1 MP1 version.
You need to upgrade your SEPM version.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents
Ah.... So much for the patch then for this problem. We're still having the unending emails issue.
Have you deleted the alert and re-created?
SEP Knowledge Base
Endpoint SWAT
Hmm... On Programs and Features it looks like we've got....
Symantec Endpoint Protection Manager 12.1.1101.401 <-- This is the same as the RU1 MP1 version?
Symantec Endpoint Protection 12.1.1101.401
LiveUpdate 3.3 (Symantec Corporation) 3.3.2.2
Running on Server 2008 R2.
Is there anything to update/upgrade?
That looks right.
The Beta testing for 12.1.2 beta 2 just became available, although I doubt you want to try this in production.
SEP Knowledge Base
Endpoint SWAT
Yes, we've deleted and recreated the alert. Twice.
It's acknowledged. It's green. Strangely, there's only one alert notification from the original test virus. The other two tests didn't do a notification.
We also restarted the whole server. No luck. When we start a new alert notification for that again it starts sending out email alerts, alerts from the original/first virus test.
Sounds like this known (unfortunately not solved) problem:
Single risk event notifications generate duplicate emails once every three minutes.
http://www.symantec.com/docs/TECH190349
See this thread as well:
http://www.symantec.com/connect/forums/single-risk-event-e-mails-sep-12ru1mp1
Yep, that sounds like our issue too.
It looks like it's been identified for a while. Any idea when they're going to fix it?
We'd be fine with it just sending out one email and then staying quiet. It can't be that difficult to send an email.
Let's hope in the next version of 12.1.
SEP Knowledge Base
Endpoint SWAT
Hi,
This is a known issue. Maybe the next SEPM version, SEP 12.1 RU2, will resolve this issue.
Thanks In Advance
Ashish Sharma
SEPM Knowledgebase Documents