Endpoint Protection

  • 1.  Notifications from one policy?

    Posted Jun 21, 2016 03:27 PM

    We have a couple of different servers that we configured custom policies for.  We are quarantining files as a first action on these servers.  We would like notifications sent to the individuals who manage these two servers if a file is quarantined.  I have been trying to add this notification under Add Notification Conditions (New risk detected...), but I am not seeing the notifications come through. 

    I essentially typed in the server name in the server field (all that was available in the dropdown is "all" and our sepm management server) and selected "quarantine" for action taken.  What am I missing?



  • 2.  RE: Notifications from one policy?

    Posted Jun 21, 2016 03:30 PM

    Did you configure the SEPM to use an SMTP relay server?

    Under Admin >> select your server >> Edit the server properties >> Email Server tab



  • 3.  RE: Notifications from one policy?

    Posted Jun 21, 2016 03:53 PM

    Yes.  That is set up correctly, because we have notifications that go out for out-of-date defs, etc.  So it must be that I set up this notification incorrectly?  I would type the server name(s) into the Add Notification server field if I wanted the notifications to be sent for files quarantined only on that server, correct?



  • 4.  RE: Notifications from one policy?

    Posted Jun 21, 2016 04:09 PM

    No. The "Server" filter field would be the name of your SEPM. If you click the ellipsis box, another window will open and you'll be able to select it. It's best to just leave it at the default.

    You want to add the server name into the "Computer" filter field, like so:

    Capture_158.JPG



  • 5.  RE: Notifications from one policy?

    Posted Jun 21, 2016 04:53 PM

    Yes.  That's what I tried initially. 

    See the attached PNG for the settings I have tried.  The only thing I can think of is that I did not use the FQDN of the server.  I used the name as it appears in the SEP management console.  Again, I want any quarantined files on this one particular server to trigger a notification to be sent to me only.




  • 6.  RE: Notifications from one policy?

    Posted Jun 21, 2016 05:35 PM

    That setup looks fine to me. There may be some additional debug/error info in the scm-server-0.log file.

    Are you getting these for other machines and you've confirmed that the client did "quarantine" a file?



  • 7.  RE: Notifications from one policy?

    Broadcom Employee
    Posted Jun 22, 2016 02:48 PM

    Everything looks correct to me also, but can you generate a new risk (though it's a false positive) in the system to trigger the notification?



  • 8.  RE: Notifications from one policy?

    Posted Jun 22, 2016 03:25 PM

    Yes.  I have generated a new risk with the EICAR file and it quarantined it.  I also changed action to all in the notification field and it still didn't send me an email. 



  • 9.  RE: Notifications from one policy?

    Broadcom Employee
    Posted Jun 23, 2016 05:04 AM

    I think it's happening due to the EICAR test file, not due to SEPM. I would suggest you go through these articles.

    Need to remove EICAR test string from Quarantine Permanently.

    http://www.symantec.com/docs/TECH144025

    The antivirus test file eicar.com can be executed with File System Auto-Protect enabled

    http://www.symantec.com/docs/TECH130969




  • 10.  RE: Notifications from one policy?

    Posted Jun 24, 2016 08:49 AM

    I also agree that the last screenie of the settings you posted, looked correct.  I'd be more inclined to target the group in which these endpoints reside rather than by name though.

    On a related note though, have you tried disabling the "Delete EICAR events" option?  This can be found under:

    ADMIN -> Servers -> DB Server (localhost if using the embedded DB) -> Edit Database Properties -> Log Settings, in the Risk Logs Settings area

    I suspect that might be messing with your tests.