Endpoint Protection

  • 1.  Keep getting SONAR alerts after changing configuration

    Posted Mar 25, 2015 12:11 PM

    Good afternoon,

    A few weeks back we went into our Virus & Spyware policy under the SONAR tab and changed the Host file change detected from Log to Prompt.
    Immediately afterwards we began receiving Critical: Network Virus Detected emails regarding our VPN client.
    We got tired of these as they are false positives and went back into the policy and changed the setting back to Log.
    The emails continue to keep coming in.  I have verified the change on multiple occasions.

    Any ideas?  As always, thanks for your assistance.

    BB



  • 2.  RE: Keep getting SONAR alerts after changing configuration

    Posted Mar 25, 2015 12:13 PM

    Could it be coming from clients who were offline before you made the policy change? They came back online and are now sending their logs. For the clients that are sending them, does their policy match what's in the SEPM?



  • 3.  RE: Keep getting SONAR alerts after changing configuration

    Broadcom Employee
    Posted Mar 25, 2015 12:14 PM

    Policy serial number is the same on SEPM & at SEP clients?



  • 4.  RE: Keep getting SONAR alerts after changing configuration

    Posted Mar 25, 2015 01:48 PM

    Not sure if 100% related or if anyone has seen this regarding SONAR, but recently installed some of the latest Windows updates, and that decided to tie up 25% of our total bandwidth from the External Communications Settings under the Submissions tab "Allow Insight lookups for threat detection (recommended)".  No threats were detected but constant non-stop communication with Symantec servers.



  • 5.  RE: Keep getting SONAR alerts after changing configuration

    Posted Mar 26, 2015 07:44 AM

    I can see what the client policy is (appears to be current) but cannot determine in SEPM how to locate the actual policy serial number to compare it.



  • 6.  RE: Keep getting SONAR alerts after changing configuration

    Posted Mar 26, 2015 07:51 AM

    From the clients page in the SEPM, select whichever group the clients are in that you want to check and select the Details tab up at the top. The policy should be reflected here.



  • 7.  RE: Keep getting SONAR alerts after changing configuration

    Posted Mar 26, 2015 03:53 PM

    The policies from the most recent alerts match.

    What next?