Endpoint Protection Small Business Edition

On the Network Threat alerts that I am getting the event time and the time in the event description of the time an IP will be blocked are different. For example, in one alert the event time was 2/18/2015 18:11:04 and in the event description it says "The client will block traffic from IP address x for the next 600 seconds (from 2/18/2015 4:12:41 PM to 2/18/2015 4:22:41 PM)" 4:12 PM would be 16:12 which is 2 hours prior to the event time... if only SEP could go back in time and block. At first I thought maybe one time is SEPM and the other is the system time on the client but why would it be setup that way? Another alert I got today has an event time of 2/27/2015 12:54:18 and the event description is, "The client will block traffic from IP address x for the next 600 seconds (from 2/27/2015 12:15:56 PM to 2/27/2015 12:25:56 PM)" which is a difference of approximately 40 minutes. Where are these two time metrics coming from and why would they be different especially why would they be off by 40 minutes which seems like an odd number? Thanks.

What's the exact version of SEP here?

SEPM version 12.1.4023.4080

Client SEP versions: 12.1.4112.4156 and 12.1.1101.401

The event time may be when it was inserted into the database. How often do your clients check in? The alerts will be delayed depending on how often they check in

Would probably need to see a log or screenshot just to get a better idea.

Certainly is interesting. Is this machine in a different time zone compared to the SEPM?

As far as I know it is not in a different time zone. I'm waiting on an answer to that though and if the system time could be set differently for some weird reason. Even if the system was in a different time zone I would hope that isn't the answer that Symantec is using two different time metrics since that could get confusing.