SAV 10 Netware 6.5 getting AMS2 to notify

Updated: 09 Sep 2010 | 6 comments
rjmccorkle

We have a single Netware 6.5 server with SAV 10 installed. I finally got AMS2 installed (as noted in a thread entitled "SAV 10 Netware 6.5 getting AMS2 to work", including why the new Reporting does not apply) but have not been able to get the Risk Found notification to work using either the network pop-up or email. The TEST works but it hasn't ever notified me when an actual risk was encountered. I have found a few other forums on the internet with people having the same problem over the last couple of years but no solutions. Thanks for any help. Bob

Comments

Mick2009 | 15 Feb 2010

Suggestions / More Details Please

Hi Rjmccorkle,

AMS2 is a legacy component.  It was useful in older versions of SAV, but was superseded by the Reporting Server included with SAV 10.1.  Under most circumstances, I would recommend moving away from AMS2 and using Reporting as it does everything that the old AMS does, but better.

As Reporting Server does not operate in NetWare-only environments, AMS2 is the only option available.  Here are a few articles that may help:

No Alert Management System (AMS) alert actions are available after installing Symantec AntiVirus Corporate Edition 10.0 on a NetWare server
How to configure AMS to send email alerts when Symantec AntiVirus Corporate Edition detects a risk (have you tested with eicar files?)
AMS no longer alerts on certain detections and Symantec AntiVirus reports threats as "Security Risk" instead of "Risk"

Is there any error in the AMS log file in SYS:SYSTEM?

Can you supply information about your exact version of NetWare 6.5 (what SP?) and SAV (what release? The latest, SAV 10.1.9.9000, is the only version I recommend for use on NetWare servers.) Also let the forum know exactly how you have AMS configured to work....

Thanks and best regards,

Mick

sandip_sali | 15 Feb 2010

AMS Alert

This change creates consistency in the manner that Symantec AntiVirus reports detections from Auto-Protect and from on-demand scans. Before this change, Symantec AntiVirus reported certain threats as a Risk when the threat was detected during an on-demand scan. Symantec AntiVirus now reports all threats as a Security Risk.

Configure AMS

To receive all alerts that are related to detected threats, you must configure all three of the following alert types:

Virus Found
Risk Repaired
Risk Repair Failed

Note: The Risk Repaired and Risk Repair Failed alerts do not work as expected in all versions of Symantec AntiVirus 10.0.x. These problems do not occur in Symantec AntiVirus 10.1.x.

AMS sends a Risk Repaired alert or a Risk Repaired Failed alert for detections with a Risk Type of "Security Risk." The type of alert that AMS sends depends on the result of the Remediation Action after the detection.

Thanks & Regards Sandip C Sali

rjmccorkle | 19 Feb 2010

Thanks for the quick replies

Thanks for the quick replies Mick and Sandip, and my apologies for my slow one, our people are breaking their computers slightly faster than I can fix them.

We are using Netware 6.5 SP8, SAV 10.1.8.8 and we are indeed a Netware only network. We have about 65 computers, a private non-profit foster care agency.

I had configured alerts for Virus Found, not the others. I just configured alert settings for Risk Repaired and Risk Repair Failed, both a network Popup and an email. The TEST button successfully sent messages. According to the System Console on my primary (one of 2) control computers, about half of the clients have had Risks since I got the system up and limping last June. That control computer kept erroring out of the MSC when I tried to do the AMS configs so I went to my backup one. It shows the same list of clients but their STATUS values are all set to "Enabled" rather than "Risk Found!" or "Security Risk Found!" as in my primary computer for some of the clients. I don't know if that is a symptom of other problems or normal that 2 computers reading the same server show different STATUS. At least the secondary computer let me configure the alerts.

I'll see what happens over the next week with the new types of alerts set.

Mick, do you think it would be worth my time to try to change to the 10.1.9.9 version? Does it do any better at catching the FakeVirusAlert programs like IS2010? The last time I tried to get the AMS to work I had to bring the whole network down and do a full reinstall of SAV because I had forgotten to check one box during the second configuration on the server and I REALLY don't want to sweat through another weekend like that.
Thank you very much for your help,
Bob

Mick2009 | 21 Feb 2010

Eicar / Abend / FakeAV

Hi Bob,

One suggestion: there's no need to wait for a real infection / detection to test if the alerts are working.  Are you familiar with the eicar test file?  This is a small, harmless file that AV programs like SAV will detect.  It can be downloaded for free from eicar.org: auto-protect and full systems scans should find it.

The reason I recommend MR9 over MR8 is that the latest release contains an abend (NetWare abnormal end) fix.  Ideally all servers should move to MR9 to avoid that: I recommend putting it on your "to-do" list.  With the past experience under your belt, hopefully the MR9 upgrade won't require much time or headaches.

Those Misleading Applications / FakeAV / Smitfraud programs are big business.  The criminals behind them have a strong financial incentive to get their IS2010 and similar programs onto unexpecting computers and keep them there.  The following article is not limited to SEP: it contains some very good information and good links, especially to Symantec's recent report on Rogue Security Software.  Does Symantec Endpoint Protection protect me from fake anti-virus programs?

Every day Symantec adds signatures against more of these programs, but it's a constant race as dozens of clones and rebrandings are released daily.  MR8 and MR9 use the same signatures: I recommend making sure that definitions throughout your non-profit are kept up-to-date and that all users are educated on how to avoid these things.  Most cannot install unless the user provides some interaction (clicks something on the screen).  The writers of these things often have it set so that when their "Install Bogus AV?" message is displayed, clicking either "Yes" or "No" will both install it.  Users should open Task Manager and kill the process for iexplore.exe instead.

Thanks and best regards - let the forum know if your recent changes have worked!

Mick

rjmccorkle | 22 Feb 2010

Hi Mick, Thanks for the help,

Hi Mick,
Thanks for the help, especially keeping it down on my level of expertise (database programmer forced to do all things computer or my clients wouldn't be able to use my databases; 5 installs of Netware since 1989, all of them very scary). After some research, I generated a copy of the EICAR file in Notepad on my computer and SAV caught it as soon as I did a Save As. It did not send out the Popup notices to my primary or secondary computers nor did it send an email. I saved it a couple of times, cleared the risk status in Symantec System Center for my computer, saved the EICAR file again and at least it changes the STATUS to "Risk Found!" in System Center for my computer (using the primary computer; the secondary computer still shows all clients'  STATUS as "Enabled" maybe we can try to tackle that issue next when you get bored with the AMS mess). So, now we know the AMS isn't responding and we can easily test it, any suggestions on what to try to make it work?

I have been telling my clients to unplug their computer's power cables when they get these FakeAV things, then call me, though it is usually too late by the time they know about them. My brother-in-law got one and he swears he had only been on the QVC site. I read that legitimate sites are starting to get hacked by the FakeAV companies, making it even harder to avoid them. I find it ironic that some of the forums have AV techs giving "verbal" instructions to people that are relatively simple (go here, delete file called "xyz.dll", go there, delete "abc" entry) and it sometimes removes the threats and the same instructions have been passed around for the last 6 months, but we haven't been able to translate that set of instructions into something the computer can understand.

Maybe on the next long holiday weekend I'll try to bump up to MR9. We only have 1 server running and I don't want to monkey with it unless there is plenty of time to fix the "upgrade".
Thanks again for your help,
Bob

rjmccorkle | 07 Mar 2010

SAV 10 Netware 6.5 AMS2 still not notifying

I just realized that I did not put a subject in my previous post and its subject might be misinterpreted as things are working. They aren't.

Using the EICAR file as a test does not cause AMS2 to send out notifications. Any ideas?
Thanks,
Bob