
Notification Disappears - Can't Find Problem As A Result

Created: 04 Feb 2014 | 11 comments

This may be an easy question to answer, but I don't know where to start looking, other than logs. However, the logs are all blank in this case.

Here is the scenario: I log on to a workstation with SEP, Symantec pops up a notification in the lower-right by the system tray to inform me a threat has been discovered. Before I get my cursor to it to check and see what's going on, the notification goes away. Now there are no "lingering" notifications to check, so all I can do is open the SEP client and check the logs. I've checked Virus & Spyware, Proactive Threat, Network Threat, and Client Management logs, but none of them have any log content other than update notifications. Nothing to indicate any malware or other threat was detected.

Where did my notification go? This is on a Domain Controller and it's probably not a good thing that it found a threat!


Brɨan's picture

Yea it's a quick pop up with an OK button correct?

Capture_7.JPG

What version are you running? This was a bug in some older versions where that box would come up but no risks were actually on the machine. I've seen this a few times myself, still actually.

I believe it's this:

Symantec Endpoint Protection detected risks while you were logged out

Article: TECH105373 | Created: 2008-01-11 | Updated: 2013-11-05 | Article URL: http://www.symantec.com/docs/TECH105373

Note: This behavior has been modified in Symantec Endpoint Protection 12 Release Update 1 (RU1) Maintenance Patch 1 (MP1) so that this pop-up appears only for administrative users.  Additional changes were made in Symantec Endpoint Protection 12.1.4.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Rafeeq's picture

Does it say threat was found or traffic has been blocked from IP XXX..?

Did you run a full scan and check the scan logs?

USECredit's picture

_Brian: I don't think there was an OK button, but it went away within a few seconds of me logging on. So I wasn't looking at the screen until it started to go away. I just remember that it said it had found a threat, but I don't think there was an IP address or anything.

Rafeeq: I haven't run a scan since the notification, only checked the logs. A scan ran overnight, I assumed this would be in reference to that scan.

Thanks for the responses!

Brɨan's picture

Did it look like this?

Capture_8.JPG

What version of SEP?

As stated in the article above, this may be a bug which has been fixed in some later versions of 12.1


USECredit's picture

It looked more like a Windows or action center notification, with the rectangular yellow box that sometimes says click to dismiss.

I wish I had a screenshot, but since it's gone I can't reproduce. However I have seen this before, so it would be nice to be able to track these down. This shot is basically what it looked like (except the one I'm talking about is specifically from Symantec):

actioncenternotifications.jpg

The client is 12.1.2015

Brɨan's picture

So something like these?

Untitled_7.jpg

If so, it's warning you that a component of SEP is off. This is from the Windows Security Center

You can configure this in the AV policy on the Miscellaneous tab

This is just a brief alert from Windows but you can check SEP System log for further info or open the GUI and it will tell you.


USECredit's picture

No, please understand this is not a Windows notification. It looks like one, and I used the screenshot as an example, but the notification is "specifically from Symantec." It specifically told me about a threat that Symantec Endpoint Protection had discovered.

Brɨan's picture

Then other than being from Auto-Protect or IPS/firewall, I couldn't say with certainty without seeing a screenshot.

The Risk logs show AV incidents, the Security log will show IPS issues.

If they're not showing anything, it's hard to say at this point


USECredit's picture

That's what I was afraid of. It's too bad that it does this because if you aren't looking for the 5 seconds this message is on the screen, you'd never know it happened. If I run across it again I'll try to get a screenshot, then I can post another question. Thanks for helping.

Brɨan's picture

That's just so weird. Any notification from SEP will come from the icon in the task tray but it usually doesn't disappear unless you acknowledge it. Usually the logs will give you an indication as well of something wrong.

Can't say I've seen something like this before...
