Endpoint Protection

  • 1.  SEPM 12.1 RU5 Notifications issue

    Posted Jul 05, 2015 09:10 AM

    For some reason the four notifications I have set up don't work when "Send email to system administrators" is unchecked.

    We need to be able to send notifications to only one person (with no other addresses as CC or TO).

    Whenever I test it, I can first check "Send email to system administrators" - trigger a notification using an "EICAR Test String", and have the notification work as expected; "System administrators" in CC, and the "Send email to:" addresses in the main "To:" field.

    When I uncheck "Send email to system administrators", the notification doesn't even trigger. And no one is sent a notification.

    Is there a way to set up notifications without also having the system administrators box checked?



  • 2.  RE: SEPM 12.1 RU5 Notifications issue

    Posted Jul 05, 2015 09:12 AM

    Did you also set up an email address in the other field? Only people that are set as system admins will get that email when the option to send to admins is checked.

    Setting up administrator notifications



  • 3.  RE: SEPM 12.1 RU5 Notifications issue

    Posted Jul 05, 2015 10:04 AM

    Are you running SEPM version 12.1 RU1?

    If Yes, it is a known issue with 12.1 RU1.

    http://www.symantec.com/docs/TECH183416



  • 4.  RE: SEPM 12.1 RU5 Notifications issue

    Posted Jul 06, 2015 02:26 AM

    I'm running RU5.



  • 5.  RE: SEPM 12.1 RU5 Notifications issue

    Posted Jul 06, 2015 02:36 AM

    I have specified an address in the "Send email to" field, yes.

    When "Send email to system administrators" is checked, everything works (including the addresses specified in "Send email to"), but when "Send email to system administrators" is not checked, it does nothing. If there is an address specified in "Send email to", and "Send email to system administrators" is unchecked, the notification doesn't even trigger (no one is sent any notification).

     



  • 6.  RE: SEPM 12.1 RU5 Notifications issue

    Broadcom Employee
    Posted Jul 06, 2015 09:41 AM

    Hi,

    Q. Is there a way to set up notifications without also having the system administrators box checked?

    --> Yes, it's possible, but don't test with EICAR or modify settings.

    The damper setting for the notification may be preventing a series of EICAR detections from generating individual notifications, i.e. multiple EICAR detections within the damper period of a "single risk event" notification will generate only one notification for that period. Note also that if you do not see any "single risk event" notifications to acknowledge in the SEPM (under "View Notifications") this is by design. "Single risk" notifications are the only ones that cannot be configured to write a notification to the database -- they will, however, send email or run a custom batch file.

    Database maintenance may be deleting EICAR events before the notification task can process them.
    To prevent this: In older versions of the SEPM, go to Admin > Servers > Local Site > Properties > Database tab, and uncheck "Delete EICAR events". In newer versions, go to Admin > Servers > localhost > Edit Database Properties > Log Settings, and uncheck "Delete EICAR events" in the Risk Log Settings section.

     



  • 7.  RE: SEPM 12.1 RU5 Notifications issue

    Posted Jul 07, 2015 04:43 AM

    Hi!

    I tried to uncheck "Send email to system administrators" and then run a "PUA" security risk on the client.

    This was one of the things that triggered a notification yesterday (when Send email to system administrators was enabled).

    The result today is that the notification did indeed trigger (I can see the notification for 07/07 in 'View Notifications'), but no mail was sent.

    So it seems as if not using an "EICAR test string" enabled us to have the notification trigger with "Send email to system administrators" unchecked, but the mail is still not being dispatched?



  • 8.  RE: SEPM 12.1 RU5 Notifications issue

    Posted Jul 07, 2015 04:59 AM

    You need to delete EICAR events every time they trigger. Try with another notification, like client change, and move the client to a different group; see if there is any change in that.