
How to shut off SEP alerts when a virus is found?

Created: 20 Sep 2012 • Updated: 20 Sep 2012 | 19 comments

We wanted to test SEP for finding a virus so we used EICAR.

http://en.wikipedia.org/wiki/EICAR_test_file

I copied the EICAR text into a text file and saved it.  Immediately SEP stopped it and deleted it.  We were happy with that.

The SEP manager also showed this.  Also good.

And we got an email alert like we wanted.  Also good.

And then we got another alert.  And another.  And another.  Every two minutes it would send out an alert.

We've acknowledged the virus catch in the notifications area.  That's green.  But it's still sending out alerts.  We restarted the server SEP is on.  We deleted and recreated the alert notification.  No luck -- it's still sending these alerts.  Each alert is the same.  It's the same time for when it found the virus.

How do we stop these alerts?  We finally gave up and took the notifications off but if a real virus comes along we won't get the emails.  Is this a flaw in the software or user error on our end?


Ashish-Sharma:

Symantec Endpoint Protection Manager: EICAR events don't send Email Notifications

How to test Symantec Endpoint Protection (SEP) Clients forwarding their Quarantine Items to Central Quarantine Server with EICAR
Check this thread

Thanks In Advance

Ashish Sharma

rmoc:

Hmm.... First two links just lead me to a generic search page, not the actual post.

http://www.symantec.com/business/support/index?page=home&profileURL=https%3A%2F%2Fsymaccount-profile.symantec.com%2FSSO%2Findex.jsp%3FssoID%3D1348153685978K0t963bDfEW858NDgJ6mb23x11r9783doyH4U

Still looking...

These two pages don't help.

http://www.symantec.com/business/support/index?page=content&id=TECH104580

http://www.symantec.com/business/support/index?page=content&id=TECH104394&locale=en_US

I don't see where the delete EICAR event box is.  We just need to stop the alerts.

https://www-secure.symantec.com/connect/forums/setting-email-alert-symantec-endpoint-protection-manager-v11

We are getting alerts.   That's not the issue.  We just continue to get alerts even after we green-light SEP/acknowledge the alert.  How do we stop those alerts from continuing to be emailed out?  Is this from a setting we configured incorrectly?  I would think it sends out an alert (or maybe it really does keep sending them), but after we recognize that on the server side it should stop sending them.  If it's possible, we'd just like one email notification.  We don't need them every two minutes.

Ashish-Sharma:

SEPM email notifications are sent repeatedly for old events

Fix ID: 2681891
Symptom: Multiple outbreak email notifications are sent during the damper period. Notifications may contain events that are older (30 days) than the triggered event.
Solution: SQL queries were modified to filter out old events and prevent notifications during the damper period

http://www.symantec.com/business/support/index?page=content&id=TECH187656

Multiple Symantec Endpoint Protection Manager email notifications are sent for old events

http://www.symantec.com/business/support/index?page=content&id=TECH144817


rmoc:

Ah, that's sounding more like it.

I don't see where to download that update or a place on the management software side of SEP to check for updates.  Can I download that patch somewhere or 'check for updates' somewhere in the manager software?

Ashish-Sharma:

Hi,

What SEPM version are you using?

rmoc:

12.1.1101.401

I found the downloads page and logged in with our serial number.  I'm not quite sure which one we need.  There isn't a 'check for updates' button/option in the management software?

Ashish-Sharma:

Hi,

You can download it from FileConnect.

An update button is not available in the SEPM console.

Upgrading or migrating to Symantec Endpoint Protection 12.1.1101 (RU1 MP1)

http://www.symantec.com/business/support/index?page=content&id=TECH187753


rmoc:

Are we on that version already?  Or is the RU1 MP1 a different version than the plain 12.1.1101.401?

Brɨan:

12.1.1101 is RU1 MP1. You're already on that it seems.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish-Sharma:

Yes, this problem is resolved in the SEP 12.1 RU1 MP1 version.

You need to upgrade your SEPM version.


rmoc:

Ah....   So much for the patch then for this problem.  We're still having the unending emails issue.

Brɨan:

Have you deleted the alert and re-created?


rmoc:

Hmm... On Programs and Features it looks like we've got....

Symantec Endpoint Protection Manager 12.1.1101.401   <-- This is the same as the RU1 MP1 version?

Symantec Endpoint Protection 12.1.1101.401

LiveUpdate 3.3 (Symantec Corporation) 3.3.2.2

Running on Server 2008 r2.

Is there anything to update/upgrade?

Brɨan:

That looks right.

The Beta testing for 12.1.2 beta 2 just became available, although I doubt you want to try this in production.


rmoc:

Yes, we've deleted and recreated the alert.  Twice.

It's acknowledged.  It's green.   Strangely, there's only one alert notification from the original test virus.  The other two tests didn't do a notification.

We also restarted the whole server.  No luck.  When we start a new alert notification for that again it starts sending out email alerts, alerts from the original/first virus test.

greg12:

Sounds like this known (unfortunately not solved) problem:

Single risk event notifications generate duplicate emails once every three minutes.

http://www.symantec.com/docs/TECH190349

See this thread as well:

http://www.symantec.com/connect/forums/single-risk-event-e-mails-sep-12ru1mp1

rmoc:

Yep, that sounds like our issue too.

It looks like it's been identified for a while.  Any idea when they're going to fix it?

We'd be fine with it just sending out one email and then staying quiet.  It can't be that difficult to send an email.

Brɨan:

Let's hope so, in the next version of 12.1.

Ashish-Sharma:

Hi,

This is a known issue.  Maybe the next SEPM version, SEP 12.1 RU2, resolves this issue.