Endpoint Protection

  • 1.  In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 23, 2012 07:29 AM

    Team,

In one log I found “Worst Detection: (Severity 4) Other”. Could anybody explain what this is?


    Thanks,

    Sushanta



  • 2.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 23, 2012 07:38 AM

    Can you provide a screenshot?

    You can check this as a starting point:

    Threat Severity Assessment

    https://www.symantec.com/security_response/severityassessment.jsp



  • 3.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 23, 2012 07:39 AM

Hi,

    Can you explain more?

    Also, could you share a screenshot of the logs?



  • 4.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Trusted Advisor
    Posted Oct 23, 2012 08:17 AM

    Hello Sushanta,

    You have provided limited information.

Could you please let us know what log it was?

    Could you provide us a screenshot, or probably the logs you see this in?

    Secondly, I would suggest you check these articles:

    Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection http://www.symantec.com/docs/TECH100099

    What Does "Risk was partially removed" Mean? http://www.symantec.com/docs/TECH94475

    Best Practices for responding to "Left Alone" in the virus or threat history log

    http://www.symantec.com/docs/TECH101661

    Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1 http://www.symantec.com/docs/TECH102052

    Hope that helps!!


  • 5.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 23, 2012 10:15 AM

    There is a Worst Detection column in the client status log (Monitor > Logs > Computer Status, detailed view or exported csv file). My guess is that's just "historical" stuff. It's not indicating a virus outbreak. In this case, there should be a red rhombus in the corresponding client status log line.

    Possibly it's conforming to the WORSTINFECTION_IDX column in the SEM_AGENT table. See the SEP schema reference guide, page 162:

    http://www.symantec.com/docs/DOC4324



  • 6.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 23, 2012 10:34 AM

    Hi,

Here are the logs which I got. Hope it helps!

    I want to know about the column in bold letters: WORST DETECTION!

    Sequence No. Pattern Date Revision Version Insert Date Time Stamp Client Type Operating System Client Version Policy Version Policy Serial Policy Checksum IPS Serial NO IPS Checksum HI Status HI Reason HI Description Creation Time Status Last time status changed Site Name Attribute Extension Full Name Email Job Title Department Employee Number Employment Status Office Phone Mobile Phone Home Phone Auto-Protect On Infected Worst Detection Last Scan Time Last Virus Time Accepts Content Update Antivirus engine On Download Insight On SONAR On Tamper Protection On Intrusion Prevention On IE Browser Protection On Firefox Browser Protection On Early Launch Antimalware On Major Version Minor Version Restart Required Restart Reason Computer Name Computer Domain Name Current login domain Last download time Number Of Processors Operating System Language Total disk space Total memory Computer description Service pack Processor Type Processor Clock BIOS version TPM device installed Hardware Key Free memory Free disk space Time zone offset Network Threat Protection On Server Name Group Name Domain Name Current User IPS Version Deployment Status
    138494 10/16/2012 21 2012-10-16 rev. 021 10/17/2012 4:47 10/18/2012 2:11 Symantec Endpoint Protection Windows XP Professional 12.1.1000.157 12.1.1989 0B4B-09/21/2012 21:43:52 302   Success Pass Host Integrity check passed   Requirement: "SEP AV Check (No remediation)" passed   Requirement: "rasauto32 Check" passed   Requirement: "Nwsapagent32 Check" passed  ######## Disabled ######## abc                     Enabled No (Severity 4) Other ######## ######## Yes Enabled Enabled - Advanced protection Enabled Enabled Enabled Enabled Enabled Client not reporting status 12 1 No   L-104098-R11 SYMC.SYMANTEC.COM SYMC.SYMANTEC.COM ######## 8 English 305242 MB 2999 MB   Service Pack 3 x86 Family 6 Model 30 Stepping 5 1729 HPQOEM - f Default System BIOS None 405CAC78B3201D44D0EF34954E811C2E 1704 MB 227479 MB 480 Enabled xyz My Company\Production Workstations SYMANTEC a 2012-10-16 rev. 011 No Status Reported.




  • 7.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 23, 2012 10:37 AM

Hi,

    WORST DETECTION! Column not available.



  • 8.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 23, 2012 10:45 AM

Hi,

    Please find the attached logs.

    Attachment: logs_0.xlsx (10 KB)


  • 9.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Trusted Advisor
    Posted Oct 23, 2012 11:01 AM

    Hello,

This is a Host Integrity OR Enforcer log.

    Here Host Integrity has passed:

    Host Integrity check passed   Requirement: "SEP AV Check (No remediation)" passed   Requirement: "rasauto32 Check" passed   Requirement: "Nwsapagent32 Check" passed 

    and

    Worst Detection - (Severity 4) Other

It indicates that since the Host Integrity check passed, its severity is the lowest.

    Enforcer Activity Log

    Available information includes items such as event time, event type, enforcer name, enforcer type, site, severity, and description.

    Event type

    1. All
    2. Management events
    3. Enforcer events
    4. Enable events
    5. Policy events

    Reference: http://www.symantec.com/docs/TECH179005

    Hope that helps!




  • 10.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 24, 2012 03:46 AM

First time I see this type of log here... interesting.

    It has yet to appear in our SNAC log...



  • 11.  RE: In a log it says “Worst Detection: (Severity 4) Other”

    Posted Oct 24, 2012 03:59 PM

    Irrespective of what Mithun says below, that column always seemed to report what is the 'worst infection' detected by SEP during the life time of the workstation.

    The client might be clean now, but sometime before it did have an infection.
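Posts 5 and 11 describe the Worst Detection column of the Computer Status export as a lifetime "worst infection" record rather than a current-outbreak flag. As an added example that is not part of this thread, the script below parses a constructed tab-separated export with the same column names and separates clients that are infected now from those that merely carry a historical detection; the `(Severity N) Label` cell format is taken from the pasted row, the sample computer names other than L-104098-R11 and the "Virus" category label are constructed.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cell format seen in the export pasted above, e.g. "(Severity 4) Other".
WORST_RE = re.compile(r"^\(Severity\s+(\d+)\)\s*(.*)$")


@dataclass
class ClientStatus:
    computer: str
    infected: bool                  # "Infected" column, Yes/No
    worst_severity: Optional[int]   # None when no detection was ever recorded
    worst_category: Optional[str]
    last_virus_time: str            # "########" is Excel showing a date column too narrow to render


def parse_worst_detection(cell: str) -> Tuple[Optional[int], Optional[str]]:
    """Split '(Severity 4) Other' into (4, 'Other'); an empty cell means no detection."""
    cell = cell.strip()
    if not cell:
        return None, None
    m = WORST_RE.match(cell)
    if not m:
        raise ValueError(f"unexpected Worst Detection value: {cell!r}")
    return int(m.group(1)), (m.group(2).strip() or None)


def load_status_export(text: str) -> List[ClientStatus]:
    """Read a tab-separated Computer Status export using the column headers from the thread."""
    out = []
    for r in csv.DictReader(io.StringIO(text), delimiter="\t"):
        sev, cat = parse_worst_detection(r["Worst Detection"])
        out.append(ClientStatus(r["Computer Name"], r["Infected"].strip().lower() == "yes",
                                sev, cat, r["Last Virus Time"].strip()))
    return out


def triage(clients: List[ClientStatus]) -> Dict[str, str]:
    """active: infected now; historical: clean now but a past detection is recorded; clean: nothing recorded."""
    return {c.computer: "active" if c.infected
            else "historical" if c.worst_severity is not None
            else "clean" for c in clients}


# Constructed sample export, trimmed to the four columns the triage needs.
SAMPLE = "\n".join([
    "Computer Name\tInfected\tWorst Detection\tLast Virus Time",
    "L-104098-R11\tNo\t(Severity 4) Other\t########",      # the row from the thread
    "WS-SAMPLE-02\tYes\t(Severity 1) Virus\t10/20/2012 9:12",  # constructed active case
    "WS-SAMPLE-03\tNo\t\t",                                    # constructed never-infected client
])
```

Running `triage(load_status_export(SAMPLE))` on the sample marks L-104098-R11 as historical, which is the reading given in post 11.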