Endpoint Protection

  • 1.  security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 12:02 PM

    We've got a server (Windows 2012) running version 12.1.6 of the SEP client. We ran an outside security scan on the system, which triggered a bunch of pop-up notices from SEP saying a Heartbleed attack was detected. This makes sense, as the security scan is checking for Heartbleed weaknesses, along with other things.

    The weird thing is, we went into the SEP client console to check the logs, just to see what it said, and all of the security logs windows are empty. We can't see any indication of the detected events.

    To cross-check, I went to the raw logs location ( \\servername\c$\ProgramData\Symantec\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Logs ) and in seclog.log I can see multiple events.

    Is something broken? SEP is clearly detecting events and logging them, but if they don't show in the client interface it would be easy to miss the event. This one is obviously intentional, but we'd hate to overlook an actual security risk. What could be going wrong that the client isn't showing these events?



  • 2.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 12:03 PM

    Did the client check in to the SEPM and upload the logs yet? Can you force a check in?

    Go to Clients >> Policies >> Client Log Settings. Are Security Logs checked to upload the management server?



  • 3.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 12:11 PM

    Before we go down that path, maybe I need to clarify: the log screens are empty on the *local* server. Right now I'm not even worried about the events getting to the SEPM. Maybe I should be, and I'm happy to come back around to that, but in this case the admin doesn't use the SEPM, and just works with the local consoles on a handful of servers he's concerned about.



  • 4.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 12:18 PM

    When you open the SEP client interface, have you used the filter to show the Security log? A screenshot would be helpful here.


  • 5.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 12:21 PM

    IPS events only show in the Security log. You can test the IPS component by trying to download the EICAR.com test file, and see if it shows up:

    http://www.eicar.org/download/eicar.com

    The fact that it shows in the logs but not in the GUI may mean there is a bug somewhere. It's getting logged but not reflecting correctly. I'd be curious to see what the SEPM shows and if it even makes it there.



  • 6.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 01:06 PM

    Well, I could swear it was empty before, but now I see items in the security log. Maybe there's a little delay before the client loads it? I'm mystified.

    Yeah, the data does make it to the SEPM if we go into monitors and then read the security log for that system.



  • 7.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 01:08 PM

    This might be part of the issue. Apparently it defaults to 1 day as a filter, so it wasn't showing yesterday's events. Maybe there was a little delay before today's events show up. I can see them now, and after adjusting the filter see yesterday's, too. I still think something was temporarily out of sync, but it seems to be responding normally now.
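    The behaviour described in this post (events present in the raw seclog.log but absent from the client's log window until the time filter is widened past its one-day default) can be cross-checked from the raw file. The script below is an added example, not from the original thread or from Symantec: it reads the raw log, splits events into those inside and outside a filter window, and counts keyword matches so you can see how many detections the default view would hide. The real seclog.log field layout is not shown in the thread, so the sample lines are constructed and assume a leading "YYYY-MM-DD HH:MM:SS" timestamp followed by free text; adjust TS_RE to match your file.

```python
"""
Cross-check the raw SEP security log against the client console's time filter.

The client log view filters by time and defaults to one day, so events from
the previous day exist in seclog.log but do not appear until the filter is
widened.  This script parses the raw log, splits events into "inside the
window" and "outside the window", and counts keyword hits in each group.
"""
import re
import sys
from datetime import datetime, timedelta

# Raw log path quoted in the thread; only used when a file is passed on the
# command line.
RAW_LOG_PATH = (r"\\servername\c$\ProgramData\Symantec"
                r"\Symantec Endpoint Protection\12.1.6168.6000.105\Data\Logs\seclog.log")

# Constructed sample lines (NOT the real seclog.log layout, which the thread
# does not show).  ASSUMPTION: each line starts with "YYYY-MM-DD HH:MM:SS".
SAMPLE_LOG = """\
2015-07-06 09:15:22\tAttack: OpenSSL Heartbleed detected\tsource 203.0.113.10
2015-07-06 09:15:40\tAttack: OpenSSL Heartbleed detected\tsource 203.0.113.10
2015-07-06 14:02:10\tAttack: OpenSSL Heartbleed detected\tsource 203.0.113.10
2015-07-07 11:40:05\tAttack: OpenSSL Heartbleed detected\tsource 203.0.113.10
2015-07-07 11:41:30\tScan activity from 203.0.113.10 blocked
"""

# Leading timestamp, then the rest of the line as the message.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(.*)$")


def parse_events(text):
    """Return [(timestamp, message)] for every line that starts with a
    timestamp.  Lines without one (headers, wrapped text) are skipped so a
    partial or rotated file still parses."""
    events = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events


def split_by_window(events, now, window=timedelta(days=1)):
    """Mimic the console's time filter: events at or after (now - window) are
    visible; older ones are in the raw log but hidden from the view."""
    cutoff = now - window
    visible = [e for e in events if e[0] >= cutoff]
    hidden = [e for e in events if e[0] < cutoff]
    return visible, hidden


def count_keyword(events, keyword):
    """Case-insensitive count of events whose message contains keyword."""
    return sum(1 for _, msg in events if keyword.lower() in msg.lower())


def audit(text, now, window_days=1, keyword="Heartbleed"):
    """Summarise what the console would and would not show for this window."""
    events = parse_events(text)
    visible, hidden = split_by_window(events, now, timedelta(days=window_days))
    return {
        "total": len(events),
        "visible": len(visible),
        "hidden_by_filter": len(hidden),
        "keyword_total": count_keyword(events, keyword),
        "keyword_hidden": count_keyword(hidden, keyword),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real file, e.g. the UNC path above; timestamps compared to now.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_text = fh.read()
        reference_time = datetime.now()
    else:
        # Sample run pinned to the thread's date so the window split is stable.
        log_text = SAMPLE_LOG
        reference_time = datetime(2015, 7, 7, 12, 0, 0)
    for days in (1, 7):
        print(f"{days}-day filter:", audit(log_text, reference_time, days))
```

Run with no arguments to see the one-day filter hide the two morning events from the previous day while a seven-day filter shows all five; pass the seclog.log path as the first argument to run it against a real server.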



  • 8.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 01:14 PM

    Does the eicar.com detection show up?



  • 9.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 01:14 PM

    Yeah, 1 day is the default, so this may have been the issue. You can test using the eicar.com link I posted above to see if it shows up.



  • 10.  RE: security events detected; appear in raw logs but not client log window

    Posted Jul 07, 2015 01:19 PM

    Cool. Please close the thread. Thank you.