
In a log it says “Worst Detection: (Severity 4) Other”

Created: 23 Oct 2012 | 10 comments

Team,

In one log I found "Worst Detection: (Severity 4) Other". Could anybody explain what this is?

Thanks,

Sushanta

10 Comments

.Brian:

Can you provide a screenshot?

You can check this as a starting point:

Threat Severity Assessment

https://www.symantec.com/security_response/severit...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ashish-Sharma:

Hi,

Can you explain more?

Also, could you share a screenshot of the logs?

Thanks In Advance

Ashish Sharma

Mithun Sanghavi:

Hello Sushanta,

You have provided limited information.

Could you please let us know what log it was?

Could you provide us a screenshot or probably the logs you see this in?

Secondly, I would suggest you check these articles:

Interpreting the log files for Symantec AntiVirus Corporate Edition and Symantec Endpoint Protection http://www.symantec.com/docs/TECH100099

What Does "Risk was partially removed" Mean? http://www.symantec.com/docs/TECH94475

Best Practices for responding to "Left Alone" in the virus or threat history log

http://www.symantec.com/docs/TECH101661

Explanation of Action field values in Symantec Endpoint Protection 11 and Symantec AntiVirus 10.1 http://www.symantec.com/docs/TECH102052

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Sushanta:

Hi,

Here are the logs which I got... hope it helps!

I want to know about the column in bold letters: WORST DETECTION!

Sequence No.: 138494
Pattern Date: 10/16/2012
Revision: 21
Version: 2012-10-16 rev. 021
Insert Date: 10/17/2012 4:47
Time Stamp: 10/18/2012 2:11
Client Type: Symantec Endpoint Protection
Operating System: Windows XP Professional
Client Version: 12.1.1000.157
Policy Version: 12.1.1989
Policy Serial: 0B4B-09/21/2012 21:43:52
Policy Checksum: 302
IPS Serial NO: (empty)
IPS Checksum: (empty)
HI Status: Success
HI Reason: Pass
HI Description: Host Integrity check passed; Requirement: "SEP AV Check (No remediation)" passed; Requirement: "rasauto32 Check" passed; Requirement: "Nwsapagent32 Check" passed
Creation Time: ########
Status: Disabled
Last time status changed: ########
Site Name: abc
Attribute Extension, Full Name, Email, Job Title, Department, Employee Number, Employment Status, Office Phone, Mobile Phone, Home Phone: (empty)
Auto-Protect On: Enabled
Infected: No
Worst Detection: (Severity 4) Other
Last Scan Time: ########
Last Virus Time: ########
Accepts Content Update: Yes
Antivirus engine On: Enabled
Download Insight On: Enabled - Advanced protection
SONAR On: Enabled
Tamper Protection On: Enabled
Intrusion Prevention On: Enabled
IE Browser Protection On: Enabled
Firefox Browser Protection On: Enabled
Early Launch Antimalware On: Client not reporting status
Major Version: 12
Minor Version: 1
Restart Required: No
Restart Reason: (empty)
Computer Name: L-104098-R11
Computer Domain Name: SYMC.SYMANTEC.COM
Current login domain: SYMC.SYMANTEC.COM
Last download time: ########
Number Of Processors: 8
Operating System Language: English
Total disk space: 305242 MB
Total memory: 2999 MB
Computer description: (empty)
Service pack: Service Pack 3
Processor Type: x86 Family 6 Model 30 Stepping 5
Processor Clock: 1729
BIOS version: HPQOEM - f Default System BIOS
TPM device installed: None
Hardware Key: 405CAC78B3201D44D0EF34954E811C2E
Free memory: 1704 MB
Free disk space: 227479 MB
Time zone offset: 480
Network Threat Protection On: Enabled
Server Name: xyz
Group Name: My Company\Production Workstations
Domain Name: SYMANTEC
Current User: a
IPS Version: 2012-10-16 rev. 011
Deployment Status: No Status Reported.

Ashish-Sharma:

Hi,

The WORST DETECTION column is not available.

Thanks In Advance

Ashish Sharma

greg12:

There is a Worst Detection column in the client status log (Monitors > Logs > Computer Status, detailed view or exported CSV file). My guess is that it's just "historical" stuff. It's not indicating a virus outbreak; in that case, there would be a red rhombus in the corresponding client status log line.

Possibly it's conforming to the WORSTINFECTION_IDX column in the SEM_AGENT table. See the SEP schema reference guide, page 162:

http://www.symantec.com/docs/DOC4324

Ian_C.:

Irrespective of what Mithun says below, that column always seemed to report the 'worst infection' detected by SEP during the lifetime of the workstation.

The client might be clean now, but sometime before it did have an infection.

Please mark the post that best solves your problem as the answer to this thread.
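The practical consequence of greg12's and Ian_C.'s replies is that "Worst Detection" and "Infected" answer different questions: the first is the worst thing ever seen on the client, the second is whether it is infected now. The script below is an added example, not code from the thread or from Symantec; it reads an export in the shape of the Computer Status CSV (a constructed sample with a handful of the real column names) and sorts clients into "currently infected", "historical detection only" and "clean", so the "(Severity 4) Other" rows do not get mistaken for a live outbreak. The severity names in the sample rows are made up for illustration.

```python
import csv
import io
import re

# Constructed sample in the shape of the SEPM Computer Status export
# (Monitors > Logs > Computer Status, exported as CSV). Only a few of the
# export's columns are kept; the header names match the real export, the
# row values are invented for this example.
SAMPLE_CSV = """Computer Name,Group Name,Infected,Worst Detection,Last Virus Time,Auto-Protect On
L-104098-R11,My Company\\Production Workstations,No,(Severity 4) Other,2012-10-02 11:15,Enabled
WS-0002,My Company\\Production Workstations,Yes,(Severity 1) Virus,2012-10-18 02:11,Enabled
WS-0003,My Company\\Servers,No,,,Enabled
WS-0004,My Company\\Servers,No,(Severity 2) Trojan,2012-09-30 09:00,Disabled
"""

# The column is rendered as "(Severity N) <category>"; capture both parts.
SEVERITY_RE = re.compile(r"^\(Severity (\d+)\) (.+)$")


def parse_worst_detection(value):
    """Split '(Severity 4) Other' into (4, 'Other'); None when the cell is empty."""
    m = SEVERITY_RE.match(value.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def classify(row):
    """Return 'infected', 'historical' or 'clean' for one client-status row.

    'Infected' is the client's current state. 'Worst Detection' is the worst
    thing ever recorded for the client, so a populated Worst Detection next
    to Infected=No is a past event, not a live problem.
    """
    infected = row["Infected"].strip().lower() == "yes"
    worst = parse_worst_detection(row["Worst Detection"])
    if infected:
        return "infected"
    if worst is not None:
        return "historical"
    return "clean"


def triage(csv_text):
    """Group clients by state; also flag clients with Auto-Protect off."""
    result = {"infected": [], "historical": [], "clean": [], "autoprotect_off": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        result[classify(row)].append(row["Computer Name"])
        if row["Auto-Protect On"].strip().lower() != "enabled":
            result["autoprotect_off"].append(row["Computer Name"])
    return result


if __name__ == "__main__":
    for state, names in triage(SAMPLE_CSV).items():
        print(f"{state}: {', '.join(names) or '-'}")
```

To use it on a real export, read the file into `triage()` instead of `SAMPLE_CSV`; the Infected column, not Worst Detection, is what should drive an incident response, while the historical group is worth a look only to confirm the earlier clean-up actually completed.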

Mithun Sanghavi:

Hello,

This is a Host Integrity or Enforcer log.

Here Host Integrity has passed:

Host Integrity check passed; Requirement: "SEP AV Check (No remediation)" passed; Requirement: "rasauto32 Check" passed; Requirement: "Nwsapagent32 Check" passed

and

Worst Detection - (Severity 4) Other

It indicates that, since the Host Integrity check passed, its severity is the lowest.

Enforcer Activity Log

Available information includes items such as event time, event type, enforcer name, enforcer type, site, severity, and description.

Event type

  1. All
  2. Management events
  3. Enforcer events
  4. Enable events
  5. Policy events

Reference: http://www.symantec.com/docs/TECH179005

Hope that helps!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cus000:

First time I see this type of log here... interesting.

Has yet to appear in our SNAC log...