Endpoint Protection

  • 1.  SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 07:05 AM
    Hi guys,

    Since I'll be getting involved in the maintenance of a SEP 11.0 implementation, I've just been handed a weekly report "Comprehensive Risk report" which contains a lot of statistics.  I've got various questions regarding the content in order to understand what's happening, but the manuals I've downloaded don't give many answers... 

    In the "Risk Distribution by Risk Name" section, I see thousands of W32.Downadup.B and W32.Downadup (confiker) reported. They are in the order of 99% of all risks found. Various fileservers report hundreds of attempts and various clients also, in the "Risk Distribution by Computer" section.

    I see that 98 percent of these were generated by the AutoProtect scan and 1% by the scheduled scans in the "Risk Distribution by Event Source" section.

    And finally (I purposely skipped other sections), in the Detection Action Summary, I see that:
    - 500 were cleaned
    - thousands were blocked
    - 500 were quarantined
    - 20 were deleted
    - 500 were manually repaired
    - 600 were newly infected
    and many thousands are Still Infected! 

    My interpretation of the data was that many attempts were being made to infect the systems, but that they were all blocked, one way or another, by SEP. The last two lines though seem to indicate I have a big problem. Is that so? How is the Still Infected total calculated? Is there any source (manual, whitepaper,etc.) that can explain (to a newbie) what the data reported means on a field-per-field basis?
     
    I know that my questions are probably very simple, but I haven't found anything really useful and I'm afraid that we've got a major problem.

    Thanks for your help, Joe


  • 2.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 07:12 AM



    If you are a system administrator, you see counts of the number of Newly Infected and Still infected computers in your site. If you are a domain administrator, you see counts of the number of Newly Infected and Still infected computers in your domain. Still Infected is a subset of Newly Infected, and the Still Infected count goes down as you eliminate the risks from your network. Computers are still infected if a subsequent scan would report them as infected. For example, Symantec Endpoint Protection might have been able to clean a risk only partially from a computer and thus Auto-Protect still detects the risk.

    Hope this helps :)

  • 3.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 07:27 AM
    In the Admin Guide, navigate to page 144; it will give you all the necessary information you are looking for.

    About the Symantec Endpoint Protection Home page



  • 4.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 07:33 AM

    Thanks for your help! But the number I am seeing as Still Infected is much greater than Newly Infected: maybe you meant Newly Infected is a subset of Still Infected? Even so, Still Infected is greater than the total of all the other lines. Does that mean it's calculated from some previous total retained in the DB somewhere?

    I've got thousands of Still Infected and 600 Newly Infected. Must I repair the 600 Newly Infected? Does SEP clean machines infected by Conficker?

    Thank you again. Joe

  • 5.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 07:45 AM
    The Newly Infected count shows the number of risks that have infected computers during the selected time interval only. Newly Infected is a subset of Still Infected. The Still Infected count shows the total number of risks that a scan would continue to classify as infected, also within the configured time interval. For example, a computer may still be infected because Symantec Endpoint Protection can only partially remove the risk. After you investigate the risk, you can clear the Still Infected count from the Computer Status log.
     
    Both the Newly Infected count and the Still Infected count show the risks that require you to take some further action to clean. In most cases, you can take this action from the console and do not have to go to the computer.
     
    Note: A computer is counted as part of the Newly Infected count if the detection event occurred during the time range of the Home page. For example, if an unremediated risk affected a computer within the past 24 hours, the Newly Infected count goes up on the Home page. The risk can be unremediated because of a partial remediation or because the security policy for that risk is set to Log Only.
     
    You can configure a database sweep to remove or retain the detection events that resulted in unremediated risks. If the sweep is configured to remove the unremediated risk events, then the Home page count for Still Infected no longer contains those events. Those events age out and are dropped from the database. This disappearance does not mean that the computers have been remediated.
     
    No time limit applies to Still infected entries. After you clean the risks, you can change the infected status for the computer. Change the status in the Computer Status log by clicking the icon for that computer in the Infected column.
     
    Note: The Newly Infected count does not decrement when a computer’s infection status is cleared in the Computer Status log; the Still Infected count does decrement.
     
    You can determine the total number of events that have occurred in the last time period configured to show on the Home page. To determine the total number, add the counts from all rows in the Action Summary except for Still Infected.
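    To make the counter semantics in this reply concrete, here is a small model of the Home page counters written for this thread (it is an added example, not Symantec's code, and not the SEPM database schema). It assumes one detection event per row, a per-computer "infected" flag like the one in the Computer Status log, and the rules stated above: Newly Infected counts unremediated detections inside the time window, Still Infected has no time limit and only decrements when the status is cleared, and the total event count is every Action Summary row except Still Infected. The sample events are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Detection:
    """One detection event as a risk report would list it (constructed model)."""
    computer: str
    risk: str
    action: str          # Action Summary row: Blocked, Cleaned, Quarantined, ...
    time: datetime
    remediated: bool     # False for partial removal or a Log Only policy


class HomePageCounters:
    """Models the Newly Infected / Still Infected logic described in the thread."""

    def __init__(self) -> None:
        self.events: list[Detection] = []
        self.infected: set[str] = set()   # the Computer Status log's Infected flag

    def record(self, event: Detection) -> None:
        self.events.append(event)
        if not event.remediated:
            # An unremediated detection flags the computer; nothing ages it out.
            self.infected.add(event.computer)

    def clear_status(self, computer: str) -> None:
        """The admin's manual clear in the Computer Status log (Infected column)."""
        self.infected.discard(computer)

    def _in_window(self, now: datetime, window: timedelta) -> list[Detection]:
        return [e for e in self.events if now - e.time <= window]

    def newly_infected(self, now: datetime, window: timedelta) -> int:
        # Unremediated detections inside the configured time range only.
        # Clearing a computer's status does not change this number.
        return sum(1 for e in self._in_window(now, window) if not e.remediated)

    def still_infected(self) -> int:
        # No time limit: whatever is still flagged, until cleared.
        return len(self.infected)

    def action_summary(self, now: datetime, window: timedelta) -> Counter:
        return Counter(e.action for e in self._in_window(now, window))

    def total_events(self, now: datetime, window: timedelta) -> int:
        # "Add the counts from all rows in the Action Summary except Still Infected."
        return sum(self.action_summary(now, window).values())


def build_sample() -> tuple[HomePageCounters, datetime, timedelta]:
    """Constructed detections resembling the Downadup traffic in the report."""
    now = datetime(2009, 8, 25, 7, 0)
    window = timedelta(hours=24)
    counters = HomePageCounters()
    for event in [
        Detection("fs01", "W32.Downadup.B", "Blocked", now - timedelta(hours=1), True),
        Detection("ws07", "W32.Downadup.B", "Partially removed", now - timedelta(hours=2), False),
        Detection("ws12", "W32.Downadup", "Left alone", now - timedelta(hours=3), False),
        Detection("ws03", "W32.Downadup", "Partially removed", now - timedelta(days=5), False),
        Detection("fs02", "W32.Downadup.B", "Cleaned", now - timedelta(hours=4), True),
    ]:
        counters.record(event)
    return counters, now, window


if __name__ == "__main__":
    counters, now, window = build_sample()
    print("Newly Infected:", counters.newly_infected(now, window))   # 2
    print("Still Infected:", counters.still_infected())             # 3 (ws03 is old but still flagged)
    print("Total events:", counters.total_events(now, window))       # 4
    counters.clear_status("ws07")
    print("After clearing ws07:", counters.newly_infected(now, window), counters.still_infected())
```

    The old ws03 detection is why Still Infected can exceed every other row in a weekly report: the flag persists from earlier periods until somebody clears it, while all the other rows only count the current window.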


  • 6.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 07:48 AM
    Not sure about the version you are using. If you are not using MR4, then what you said was correct; the problem is with the DB purge.

    Symantec Endpoint Protection Manager console Home shows "Still Infected" count even though all infections were cleared in the Computer Status log

    Here is the document for that.


    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008091108413748

    To clear the infected status and check with the latest results, you have to clear the status manually.

    How to clear an erroneous "Still Infected" status from Reports in the Symantec Endpoint Protection Manager

    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007111913145448

    1. Choose Monitors from the left-hand panel, and click on the Logs tab.
    2. For Log Type, choose Computer Status.
    3. Choose the appropriate time range.
    4. Click on Advanced Options.
    5. Click on Compliance.
    6. Check Infected Only.
    7. Now click on View Log.
    8. Clear the ones with red diamonds.


  • 7.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 10:51 AM
    The SEP manager says it is release 11.0.4202.75.  It should be MR4 MP2, right? (Where to find this kind of info regarding upgrade paths?)

    Cheers, Joe



  • 8.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 11:04 AM
    If you log in to
    https://fileconnect.symantec.com
    using your serial key, it will tell you if it's MR4 MP2.
    11.0.4014 is MP1
    11.0.4202 is MP2


  • 9.  RE: SEP Newbie - How to read Report Data

    Posted Aug 25, 2009 12:06 PM
    Yes, 11.0.4202 is MR4 MP2.

    Migration paths for Symantec Endpoint Protection 11.0
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007091315222248

    Symantec Endpoint Protection Client and Manager Version List
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008090514290048

    Symantec Endpoint Protection 11.0 Top Articles
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008070715030248