Hi,
I got alerts from Symantec with subject "CRITICAL: NETWORK VIRUS DETECTED" about a few machines, but when I check the IPS logs manually for those machines, there are no logs found. I have tried all defined criteria but no luck. This is something strange for me. Please advise.
1. How long do you have the SEPM configured to store logs?
2. Are the clients connecting to the SEPM to upload logs?
3. If you check a client manually, does the entry show in the Security log?
Thanks Brian,
I am not sure about your last question, but I am able to pull the past week's overall IPS logs, so SEPM should store at least a week's logs for those machines too.
Also I can see the detections in risk logs but not in network logs.
So the logs are in SEPM but not on the client? How long are the clients keeping logs for?
Risk logs are in SEPM, but not the network logs for those machines detected in the alert.
Those would be under NTP >> Attack logs.
Yes
But when I check this path (NTP >> Attack logs), there are no records found for those machines.
How long are NTP logs kept?
A month.
Hi Shivam,
The notification that you received means that there is a "Risk Outbreak" in the network. The message "NETWORK VIRUS DETECTED" doesn't mean that it was detected by IPS. It means that the infection was detected on so many computers (note: the number of computers is configured by you in the notification condition) and hence it is being considered a network-level threat. These detections are made by AVAS and not by IPS. Hence these detection logs will only be seen in the Risk log.
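To make the last answer concrete, here is an added example (not code from the thread or from Symantec) that models the outbreak rule described above: count distinct computers with an AV/AS detection in the Risk log, fire the "NETWORK VIRUS DETECTED" notification once that count reaches the configured number, and then show that searching the NTP Attack log for those same computers returns nothing. The log layout, the field order, the time window, and the host names are all constructed for the example; they are not SEPM's real log format or notification API.

```python
"""Added example: why a Risk Outbreak notification shows up in the Risk log
but not in the NTP >> Attack (IPS) log.

Everything below is an assumption for illustration, not SEPM's real format:
  - log entries are tuples (event_time, computer, threat_name, source)
  - the outbreak rule is "at least `threshold` distinct computers with an
    AV/AS detection within `window_minutes`" (the thread only states that the
    computer count is configured in the notification condition; the time
    window is this example's own simplification)
"""
from datetime import datetime, timedelta

# Constructed Risk log (AV/AS detections), not real SEPM output.
RISK_LOG = [
    ("2024-03-01 09:00:00", "WS-101", "Trojan.Gen.2", "Auto-Protect scan"),
    ("2024-03-01 09:03:00", "WS-102", "Trojan.Gen.2", "Auto-Protect scan"),
    ("2024-03-01 09:05:00", "WS-101", "Trojan.Gen.2", "Auto-Protect scan"),  # same host twice
    ("2024-03-01 09:07:00", "WS-103", "Trojan.Gen.2", "Scheduled scan"),
    ("2024-03-01 11:30:00", "WS-104", "Trojan.Gen.2", "Auto-Protect scan"),  # outside the window
]

# Constructed NTP Attack log (IPS events). It is a separate log; the AV/AS
# detections above never appear here, which is what the poster observed.
ATTACK_LOG = [
    ("2024-03-01 09:02:00", "WS-250", "Web Attack: Malicious Redirect", "Intrusion Prevention"),
]


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def outbreak_hosts(risk_log, threshold, window_minutes):
    """Return the distinct computers that trip the outbreak rule, or an empty
    set if no window of `window_minutes` contains `threshold` distinct hosts."""
    events = sorted((parse_time(t), host) for t, host, _, _ in risk_log)
    window = timedelta(minutes=window_minutes)
    for i, (start, _) in enumerate(events):
        # Slide a window forward from each event and count distinct hosts in it.
        hosts = {h for t, h in events[i:] if t - start <= window}
        if len(hosts) >= threshold:
            return hosts
    return set()


def entries_for_hosts(log, hosts):
    """The manual log search the poster did: filter one log by computer name."""
    return [entry for entry in log if entry[1] in hosts]


def notification_subject(risk_log, threshold, window_minutes):
    """Subject line the rule would produce, or None when the rule does not fire."""
    hosts = outbreak_hosts(risk_log, threshold, window_minutes)
    if not hosts:
        return None
    return f"CRITICAL: NETWORK VIRUS DETECTED ({len(hosts)} computers)"


if __name__ == "__main__":
    hosts = outbreak_hosts(RISK_LOG, threshold=3, window_minutes=60)
    print(notification_subject(RISK_LOG, 3, 60))
    print("Risk log entries for those hosts:  ", len(entries_for_hosts(RISK_LOG, hosts)))
    print("Attack log entries for those hosts:", len(entries_for_hosts(ATTACK_LOG, hosts)))
```

Run with a threshold of 3 and a 60-minute window, the rule fires on WS-101, WS-102 and WS-103 (WS-101's second detection is not a second computer, and WS-104 falls outside the window). All four matching entries are in the Risk log and none are in the Attack log, which is exactly the pattern the original poster reported.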