Endpoint Protection

  • 1.  Risk event reporting

    Posted Apr 15, 2009 10:46 AM
    Hi,

    When there is a virus event the admins receive an email and it also appears in weekly reports.
    The information we get is like what I've posted below.
    But it does not include many of the details like:
    Is it an email or a file from the server or internet?
    If it is a file where is it located?

    I have not been able to find a way to pull up those details in any report AND, in the old corp version, I used to be able to get the details from the client in the management tool. Endpoint does not seem to have that feature.

    Is there any way of getting these details? And/or get them into a report?


    Thanks
    Paul
    -----
    "At least one security risk found:

    Risk name: AngryIPScanner
    Event time: 2009-04-14 16:18:30 GMT
    Database insert time: 2009-04-14 16:22:21 GMT
    User: SYSTEM
    Computer: LENOVO-B62CA860"



  • 2.  RE: Risk event reporting

    Posted Apr 15, 2009 12:49 PM
    Hi, on the SEPM console, Monitors, Logs Tab, Log type Risk, and on the Time Range where the infection is included, click button View Log. It's pretty much complete.

    Btw, we use Symantec Threat Reporter for the Risk alerts that are sent to the email, it's really very good. But don't know if you can avail this service.


  • 3.  RE: Risk event reporting

    Posted Apr 15, 2009 01:55 PM
    Okay - I see details. Great.

    Now why can't I get that into a report or email? Or can I?

    It does seem that SEP has all these options to log and report and alert but it is way too complicated.

    Thanks
    Paul


  • 4.  RE: Risk event reporting

    Posted Apr 15, 2009 02:25 PM
    Hi,

    I think you can configure the report to be sent to your email via scheduled reports.

    For the single virus event notifs, I haven't tried it. But, I just ran through our SEP. Did you create a condition for the risk event? It's via Monitors, Notifications Tab, Notification Conditions, then add a condition.


  • 5.  RE: Risk event reporting

    Posted Apr 15, 2009 02:40 PM
    No, the email alerts don't do that. I've got two or three threads here on that very topic.
    Yes, IF you have console access and have TIME, you can dig and find that info, but the point was, it's needed in the email body.
    Not a report, not an attachment. I may not be at my desk - or may not have time.
    The notifications conditions is to trigger those email alerts that don't have the info we want.
    So all it does is say "something was found somewhere on this computer".
    You have to get into the console and dig through reports for the details.
    Not good.
    Maybe if the console was faster.......... it would help, but the point is, I may not have console access or the time. With the details of what file, where the file was, etc. - I can myself determine HOW it got in and at times, how to block or defeat it!
    (Yes, I'm that good.................LOL)
    Sorry - wish there was better news, but you've hit on the issue I've been attempting to get changed for some time.

    That Intel alerting that came with SAV 7.x, 8.x, 9.x and 10.x  was wonderful.


  • 6.  RE: Risk event reporting

    Posted Apr 15, 2009 02:53 PM
    Thanks for the info ShadowsPapa, we are currently using Symantec Threat Reporter v7.2.6 and it's really great, here's a sample alert that we receive.

    for SAV

    Virus found:Downloader on xxxxx

    IP Address:        xx.xx.xx.xx
    User:              user
    Alert Date/Time:   2009-04-16 02:10:43
    DB insertDate/Time:2009-04-16 02:23:04
    Source:            real time scan
    File/Path:         C:/Documents and Settings/user/Local Settings/Temporary Internet Files/Content.IE5/WPUB8HER/thread%20sucks[1].jpg
    Actual Action:     Left alone
    Servergroup:       Servergroup
    Parent Server:     SAVSRVR
    Client Group:     

    for SEP

    Virus found:Bloodhound.SONAR.1 on xxxxx

    IP Address:        xx.xx.xx.xxx
    User:              user
    Alert Date/Time:   2009-04-12 23:31:39
    DB insertDate/Time:2009-04-15 00:48:58
    Source:            AV - Heuristic Scan
    File/Path:         c:\Documents and Settings\User\Temp\gsm browser.bat
    Actual Action:     Left alone
    Servergroup:       ServerGroup
    Parent Server:     SEPSRVR
    Client Group:      My Company/Client/Workstations

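The two alert formats quoted in this thread (the SEPM "Single Risk Event" email in post 1 and the Threat Reporter emails in post 6) differ in layout, and only the second one carries the file path the original poster is asking for. The following is an added example, not code from the thread, from Symantec or from Threat Reporter: a small parser that normalises either email body into one record, extracts the path when present, and produces the one-line plain-text summary the thread wants in an email. The sample alerts are constructed from the formats shown above (host names, IP address and path are placeholders), and the console path in the fallback message ("Monitors > Logs > Risk") is the one given in post 2.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence

# Constructed samples modelled on the two email formats quoted in the thread:
# the SEPM "Single Risk Event" mail (post 1) and the Threat Reporter mail
# (post 6). Host names, IP address and path are placeholders, not real data.
SEPM_ALERT = """At least one security risk found:

Risk name: AngryIPScanner
Event time: 2009-04-14 16:18:30 GMT
Database insert time: 2009-04-14 16:22:21 GMT
User: SYSTEM
Computer: HOST-EXAMPLE
"""

THREAT_REPORTER_ALERT = r"""Virus found:Bloodhound.SONAR.1 on WKS-EXAMPLE

IP Address:        192.0.2.10
User:              user
Alert Date/Time:   2009-04-12 23:31:39
DB insertDate/Time:2009-04-15 00:48:58
Source:            AV - Heuristic Scan
File/Path:         c:\Documents and Settings\User\Temp\gsm browser.bat
Actual Action:     Left alone
Servergroup:       ServerGroup
Parent Server:     SEPSRVR
Client Group:      My Company/Client/Workstations
"""

# Threat Reporter puts the risk name and host on a header line instead of
# in "Key: value" fields.
_HEADER_RE = re.compile(r"^Virus found:(?P<risk>.+?) on (?P<host>\S+)\s*$")

# Field names that mean the same thing in the two formats, in lookup order.
_ALIASES = {
    "risk": ("Risk name",),
    "host": ("Computer",),
    "ip": ("IP Address",),
    "user": ("User",),
    "event_time": ("Event time", "Alert Date/Time"),
    "source": ("Source",),
    "file_path": ("File/Path",),
    "action": ("Actual Action",),
}


@dataclass
class RiskEvent:
    risk: str
    host: Optional[str] = None
    ip: Optional[str] = None
    user: Optional[str] = None
    event_time: Optional[str] = None
    source: Optional[str] = None
    file_path: Optional[str] = None
    action: Optional[str] = None
    raw: Dict[str, str] = field(default_factory=dict)

    @property
    def actionable(self) -> bool:
        # The thread's complaint as one test: without a path the responder
        # still has to open the console to learn what was found where.
        return self.file_path is not None


def parse_fields(text: str) -> Dict[str, str]:
    """Turn an alert body into a key -> value dict.

    Lines are split on the FIRST colon only, because timestamps contain
    colons and one Threat Reporter key ("DB insertDate/Time:") has no space
    before its value.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _HEADER_RE.match(line)
        if m:
            fields["Risk name"] = m.group("risk").strip()
            fields["Computer"] = m.group("host")
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_alert(text: str) -> RiskEvent:
    """Normalise either email format into a RiskEvent."""
    fields = parse_fields(text)

    def pick(names: Sequence[str]) -> Optional[str]:
        for name in names:
            if fields.get(name):  # empty values (e.g. "Client Group:") count as missing
                return fields[name]
        return None

    risk = pick(_ALIASES["risk"])
    if risk is None:
        raise ValueError("no risk name found; not a recognised alert")
    kwargs = {k: pick(v) for k, v in _ALIASES.items() if k != "risk"}
    return RiskEvent(risk=risk, raw=fields, **kwargs)


def triage_line(event: RiskEvent) -> str:
    """One plain-text line suitable for an email body or a phone screen."""
    where = event.host or "unknown host"
    if event.actionable:
        return f"{event.risk} on {where}: {event.file_path} ({event.action or 'action unknown'})"
    return f"{event.risk} on {where}: no file path in alert; see SEPM Monitors > Logs > Risk log"


if __name__ == "__main__":
    for sample in (SEPM_ALERT, THREAT_REPORTER_ALERT):
        print(triage_line(parse_alert(sample)))
```

Run against the two samples, the Threat Reporter alert yields a line with the path and the action taken, while the SEPM alert yields the fallback line pointing at the Risk log, which is exactly the gap the thread is discussing.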

  • 7.  RE: Risk event reporting

    Posted Apr 15, 2009 02:54 PM
    But I think Symantec Threat Reporter is not sold as a product but as a service.


  • 8.  RE: Risk event reporting

    Posted Apr 15, 2009 02:55 PM
    Notifications leave a LOT to be desired compared to SAV.

    The Single Risk Event notification works but does not include details like the file name and path.  The New Risk Found notification includes an MHT attachment with the details, but the drawback is you need a special viewer for Windows Mobile, Blackberry and iPhone devices.  Also, the New Risk Found notification has some buffering going on so you will not be notified on every single virus found.

    Can we add this to our wishlist for the next release of SEPM to change the Single Risk Event notification to include details in plain text?


  • 9.  RE: Risk event reporting

    Posted Apr 15, 2009 03:00 PM
    Yes it would be nice to get those details in an email - or even a report sent to me - but emails would be easier.

    I haven't found anything regarding a product called Symantec Threat Reporter. It would have to be something which came free with Endpoint users as any added cost could not be justified.

    Which brings it back to Symantec.

    Oddly - you can set up separate emails within the Outlook or Internet email areas. And they have more detailed options.

    Paul