
Repeat Notifications about a machine no longer on the network from SEPM

Created: 11 Oct 2012 | 4 comments

Hello,

We keep getting notifications from SEPM:

Subject: CRITICAL: NETWORK VIRUS DETECTED

Risk Risk Type  = Trojan.Tracur Malware

File / Entry

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\SRTSP\Quarantine\APQ8C7.tmp

This computer is no longer on the network; the PC is unplugged and sitting on the floor next to me. It has been this way for two days, and these messages have a date/time of 10/05/2012 13:30:49, yet we are getting these messages now.

We just got over 100 messages in 10 minutes.

We think it has to do with SEPM; we use 12.1.

Any ideas?

4 Comments

Ashish-Sharma

Symantec is aware of this issue; it may be resolved in the next release, SEP 12.1 RU2.

As of now, SEP 12.1 RU2 is under beta testing.

In case you are interested in beta testing SEP 12.1 RU2, check this:

https://symbeta.symantec.com/callout/?callid=1D5D3DD349C248E69B13977DA4DBF426

Check these threads:

http://www.symantec.com/connect/forums/single-risk-event-e-mails-sep-12ru1mp1

https://www-secure.symantec.com/connect/forums/multiple-notification

Thanks In Advance

Ashish Sharma

Chetan Savade

Hi,

You should change the damper settings for the risk outbreak notification.

The damper period specifies the time that must pass before the notification condition is checked for new data. When a notification condition has a damper period, the notification is only issued on the first occurrence of the trigger condition within that period. For example, suppose a large-scale virus attack occurs, and that there is a notification condition configured to send an email whenever viruses infect five computers on the network. If you set a one hour damper period for that notification condition, the server sends only one notification email each hour during the attack.

Reference: http://www.symantec.com/docs/HOWTO55051

Also refer to this article: How to Manage Quarantined files.

http://www.symantec.com/docs/TECH106443

How to delete Quarantined items from the Symantec Endpoint Protection Manager.

http://www.symantec.com/docs/TECH106444

Security Response recommendations for Symantec Endpoint Protection settings

http://www.symantec.com/business/support/index?pag...

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.
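Chetan's damper description above, as an added example that is not part of the original thread: a small Python simulation of an outbreak notification with a five-computer trigger and a one-hour damper, run over constructed risk events (the threshold, the damper length and the event list are assumptions chosen to match his example, not SEPM code or data).

```python
from datetime import datetime, timedelta

# Constructed sample risk events (not real SEPM data): (detection time, computer, risk name).
SAMPLE_EVENTS = [
    (datetime(2012, 10, 5, 10, 0), "pc01", "Trojan.Tracur"),
    (datetime(2012, 10, 5, 10, 1), "pc02", "Trojan.Tracur"),
    (datetime(2012, 10, 5, 10, 2), "pc03", "Trojan.Tracur"),
    (datetime(2012, 10, 5, 10, 3), "pc04", "Trojan.Tracur"),
    (datetime(2012, 10, 5, 10, 4), "pc05", "Trojan.Tracur"),   # 5th computer: condition met
    (datetime(2012, 10, 5, 10, 10), "pc06", "Trojan.Tracur"),
    (datetime(2012, 10, 5, 10, 20), "pc07", "Trojan.Tracur"),
    (datetime(2012, 10, 5, 10, 40), "pc01", "Trojan.Tracur"),  # repeat detection on pc01
    (datetime(2012, 10, 5, 11, 0), "pc08", "Trojan.Tracur"),   # 56 min after last mail: still damped
    (datetime(2012, 10, 5, 11, 30), "pc09", "Trojan.Tracur"),  # damper expired: mail again
    (datetime(2012, 10, 5, 11, 33), "pc10", "Trojan.Tracur"),
]


def damped_notifications(events, infected_threshold=5, damper=timedelta(hours=1)):
    """Simulate an outbreak notification condition with a damper period.

    The condition is "at least `infected_threshold` distinct computers have
    reported a risk". Once it holds, every further event re-evaluates it, but
    a mail goes out only if no mail was sent within the last `damper`.
    Returns (sent, suppressed): timestamps that produced a mail, and the
    number of evaluations the damper swallowed.
    """
    infected = set()
    sent, suppressed = [], 0
    last_sent = None
    for when, computer, _risk in sorted(events):
        infected.add(computer)
        if len(infected) < infected_threshold:
            continue  # condition not (yet) true: nothing to notify about
        if last_sent is None or when - last_sent >= damper:
            sent.append(when)
            last_sent = when
        else:
            suppressed += 1
    return sent, suppressed


if __name__ == "__main__":
    mails, dropped = damped_notifications(SAMPLE_EVENTS)
    for when in mails:
        print(f"{when:%Y-%m-%d %H:%M} notification sent")
    print(f"{dropped} repeat evaluations suppressed by the damper")
```

With the one-hour damper the eleven events produce two mails (10:04 and 11:30); with a zero damper every event after the fifth computer produces one, which is the flood pattern the original poster describes.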

Mithun Sanghavi

Hello,

Are you facing an issue related to multiple email alerts being received every 3 minutes?

Symantec is aware of this issue. The issue seems to have been resolved in the upcoming version, SEP 12.1 RU2.

Check this Article:

Single risk event notifications generate duplicate emails once every three minutes.

http://www.symantec.com/business/support/index?page=content&id=TECH190349

Meanwhile, could you check with the following workaround:

Can you set the value of securitynotifytask.notification.interval to 59 in conf.properties?

Default Location of conf.properties: C:\Program Files\Symantec\Symantec Endpoint Protection Manager\tomcat\etc\conf.properties

Add the following line to conf.properties.

scm.securityalertnotifytask.notification.interval=59

This change should create a delay in the multiple email responses.

Check these threads:

https://www-secure.symantec.com/connect/forums/multiple-email-notification-when-new-risk-detected

https://www-secure.symantec.com/connect/forums/notifications-every-minute-single-risk-event

https://www-secure.symantec.com/connect/forums/single-risk-event-e-mails-sep-12ru1mp1

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

.Brian

Delete the machine from SEPM.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.