Endpoint Protection

  • 1.  SEPM 12.1.x - What is Database Insert Time

    Posted Nov 05, 2015 05:20 PM

    Hi

    I have setup a single risk event.

    This is one of the alerts I have received recently:

    Risk name: W97M.Downloader
    File path: xxxxx.doc
    Event time: 05/11/2015 11:34:02 PM
    Database insert time: 06/11/2015 2:00:00 AM
    Source: Real Time Scan
    Description: ""
    User: SYSTEM
    Computer: PCxxxxx
    IP Address: x.x.x.x
    Domain: Default
    Server: xxxxxxx
    Client Group: xxxxxxx
    Action taken on risk: Quarantined
    This alarm was generated at 06/11/2015 2:11:47 AM (Reporter host Time).


    I am trying to understand the timing of it all.

    I can confirm that a new definition was downloaded and installed at 11:30pm (so assume the heartbeat happened around this time). This in turn triggers that mini scan that happens after a new def is loaded. This scan has picked up a virus at 11:34pm. So far so good.

    Can someone tell me what "Database insert time" is about? Why would this have happened at 2am the next morning?

    I suspect this has something to do with the heartbeat, as our heartbeat is set for 2 hours with 1 hour randomization. Would it be safe to assume that the heartbeat triggered at around 2AM, and the logs from the PC have been uploaded to the SEPM database at 2AM?

    Also, the alarm generation time of 2:11AM: any idea why the 11-minute delay for the email to be sent?

    Our Damper is set to Auto.


    Apart from lowering the heartbeat interval, any other suggestion of speeding up the email alerting for new virus?


    Thanks,

    DM. 



  • 2.  RE: SEPM 12.1.x - What is Database Insert Time

    Posted Nov 06, 2015 02:31 PM

    It should be at what time the event was added to the DB. Was your client offline and not able to connect at a normal time for some reason?



  • 3.  RE: SEPM 12.1.x - What is Database Insert Time
    Best Answer

    Posted Nov 06, 2015 11:32 PM

    Event time is the time the actual event occurred on the client, and the event insert time is the time the event was entered into the database. The logs on the client will be sent to SEPM only during the heartbeat interval.


    And as for notifications, you can change the damper time from Auto to your preferred time; the lower you keep it, the more emails you will get.
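    As an added example (not code from this thread or from Symantec), a small Python script that parses an alert in the layout quoted in post 1 and splits the delay into the client-to-database leg, which for a healthy client should fit inside one heartbeat plus randomization, and the database-to-email leg, which is where the damper applies. The heartbeat values and the sample alert are assumptions taken from the question, with its placeholders kept.

```python
from datetime import datetime, timedelta
import re

# Constructed sample in the layout of the alert quoted in the question;
# placeholder values (xxxxx, x.x.x.x) are kept as in the post.
SAMPLE_ALERT = """Risk name: W97M.Downloader
File path: xxxxx.doc
Event time: 05/11/2015 11:34:02 PM
Database insert time: 06/11/2015 2:00:00 AM
Source: Real Time Scan
Action taken on risk: Quarantined
This alarm was generated at 06/11/2015 2:11:47 AM (Reporter host Time).
"""

# Timestamps in the quoted alert are day/month/year on a 12-hour clock.
TS_FORMAT = "%d/%m/%Y %I:%M:%S %p"


def parse_alert(text):
    """Extract the risk name and the three timestamps from one alert body."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?):\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    # The alarm line has no "key:" prefix, so it is matched separately.
    alarm = re.search(r"alarm was generated at (.+?) \(", text)
    return {
        "risk": fields.get("Risk name"),
        "event": datetime.strptime(fields["Event time"], TS_FORMAT),
        "inserted": datetime.strptime(fields["Database insert time"], TS_FORMAT),
        "alarm": datetime.strptime(alarm.group(1), TS_FORMAT) if alarm else None,
    }


def reporting_delays(alert, heartbeat=timedelta(hours=2),
                     randomization=timedelta(hours=1)):
    """Split the reporting delay into the client-to-database leg (bounded by
    the heartbeat) and the database-to-notification leg (the damper)."""
    to_db = alert["inserted"] - alert["event"]
    to_mail = alert["alarm"] - alert["inserted"] if alert["alarm"] else None
    # Worst case for a client that never missed a check-in: one full
    # heartbeat interval plus the randomization window.
    within_heartbeat = timedelta(0) <= to_db <= heartbeat + randomization
    return {"to_db": to_db, "to_mail": to_mail,
            "within_heartbeat": within_heartbeat}


if __name__ == "__main__":
    d = reporting_delays(parse_alert(SAMPLE_ALERT))
    print(f"client->DB {d['to_db']}, DB->mail {d['to_mail']}, "
          f"explained by heartbeat: {d['within_heartbeat']}")
```

An event whose client-to-database leg exceeds the heartbeat budget points at a client that was offline or not checking in, rather than at normal log upload timing.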



  • 4.  RE: SEPM 12.1.x - What is Database Insert Time

    Posted Nov 07, 2015 09:33 AM

    Apart from lowering the heartbeat interval, any other suggestion of speeding up the email alerting for new virus?

    If you are using SEP 12.1.4 and above, there is the so-called fast pathing mechanism. Fast Pathing circumvents heartbeat and will send security related events instantly. You can enable it in the Communications settings:

    Clients > YourGroup > Policies > Communications Settings > Let clients upload critical events immediately

    Additionally, you should disable the damper for Single Risk Events (or in other notifications where it's possible). So every new event will trigger a mail irrespective of previous events.

    Information about the "Fast Pathing" feature in SEP 12.1 RU4



  • 5.  RE: SEPM 12.1.x - What is Database Insert Time

    Posted Nov 08, 2015 04:53 PM

    Greg

    Although I have marked Praveen's as the answer, as it directly answered my question, this new feature does sound promising, if it works as it is intended. Will keep this in mind for a future upgrade.

    Thanks, DM.



  • 6.  RE: SEPM 12.1.x - What is Database Insert Time

    Posted Nov 08, 2015 04:57 PM

    Brian

    Thank you for your replies as always.

    The client in question was up all the time.

    Looks like it was the heartbeat that was causing the delays for the logs to be sent to the SEPM database from the client.

    Thanks, DM.