
Single risk event

Created: 16 Aug 2011 • Updated: 18 Aug 2011 | 11 comments
This issue has been solved. See solution.

I have Single risk event notifications set up as seen below.

Ever since upgrading SEPM to 12.1, I get multiple emails for these events.

The Event time, Database insert time and everything else is the same in the email. The only thing different is "This alarm was generated at". It seems to generate these emails on the hour after the first alert.

Anyone else seeing this?

Thanks


Rafeeq:

How many do you see, as per this document?

 

Symantec Endpoint Protection Manager: "Single Risk Event" Notifications Do Not Show When Viewing Notifications

http://www.symantec.com/business/support/index?page=content&id=TECH92280

bjohn:

Not sure what you are asking... but

If I go to Monitor > Notifications > view notifications

I see two "new risk found".

08/16/2011 14:37:25    New Risk Found    New risk found: Trojan.Webkit!html.
08/16/2011 13:37:04    New Risk Found    New risk found: Trojan.Webkit!html.
Rafeeq:

2 new events, with a 1 hour interval... seems to be correct to me!!

It would keep coming until you ack those, that's my understanding of it.

bjohn:

Really? I don't think I had to acknowledge these alerts in SEP 11.

bjohn:

Update:

I acknowledged these alerts and still got alert emails.

Rafeeq:

Event Notification is dependent upon the "Notification Damper Period" that is active on the SEPM

To set the Event-specific "Notification Damper Period"

  1. Log into the SEPM
  2. Open the "Monitors" tab
  3. Select the "Notifications" tab
  4. Click on the "Notification Conditions" button
  5. Edit the "Single Risk Event"
    (If this does not exist, create the notification by clicking "Add" and selecting "Single Risk Event" for the event type).
  6. Under "What Settings would you like for this Notification", set the "Damper" value to the value you desire. (Smallest value is 20 minutes; default value is "Auto").

Note: The "Auto" value is set to 1 hour for all notifications. Did you check the risk logs to see if there was indeed a new risk? The Damper setting is Auto, so it sends mails after 1 hour each.
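To do the check suggested above (is each extra e-mail a genuine new risk, or the damper re-sending the same event an hour later?), here is an added example that is not from the thread or from Symantec: it parses constructed notification e-mails using the field names quoted in the thread, keys them on everything except "This alarm was generated at", and labels each one as new or as a repeat with the gap since the previous send. The e-mail layout and the computer name are assumptions; adjust the regex to the real template.

```python
"""Classify SEPM 'Single risk event' e-mails as new detections or re-sends.
Added example; the e-mail layout below is a constructed approximation."""
import re
from datetime import datetime

# Constructed sample: three e-mails for one Trojan.Webkit!html detection.
# The first two differ only in "This alarm was generated at" (a re-send one
# hour later); the third has a new event time (a genuinely new detection).
SAMPLE_EMAILS = [
    """Event time: 08/16/2011 13:36:50
Database insert time: 08/16/2011 13:37:00
Risk name: Trojan.Webkit!html
Computer: WS-CONSTRUCTED-01
This alarm was generated at: 08/16/2011 13:37:04""",
    """Event time: 08/16/2011 13:36:50
Database insert time: 08/16/2011 13:37:00
Risk name: Trojan.Webkit!html
Computer: WS-CONSTRUCTED-01
This alarm was generated at: 08/16/2011 14:37:25""",
    """Event time: 08/16/2011 15:02:11
Database insert time: 08/16/2011 15:02:20
Risk name: Trojan.Webkit!html
Computer: WS-CONSTRUCTED-01
This alarm was generated at: 08/16/2011 15:02:30""",
]

FIELD_RE = re.compile(r"^(?P<key>[^:]+):\s*(?P<val>.+)$", re.MULTILINE)
TS_FMT = "%m/%d/%Y %H:%M:%S"  # timestamp format used in the samples above

def parse_email(text):
    """Return the notification's 'Key: value' lines as a dict."""
    return {m.group("key").strip(): m.group("val").strip()
            for m in FIELD_RE.finditer(text)}

def classify(emails):
    """Label each e-mail ('new'|'repeat', risk name, seconds since last send).
    The key deliberately excludes the alarm generation time, so a damper
    re-send of the same database row collides with the original."""
    seen = {}   # key -> time the previous alarm for that key was generated
    labels = []
    for text in emails:
        f = parse_email(text)
        key = (f["Event time"], f["Database insert time"],
               f["Risk name"], f["Computer"])
        alarm_at = datetime.strptime(f["This alarm was generated at"], TS_FMT)
        if key in seen:
            gap = int((alarm_at - seen[key]).total_seconds())
            labels.append(("repeat", f["Risk name"], gap))
        else:
            labels.append(("new", f["Risk name"], 0))
        seen[key] = alarm_at
    return labels
```

Run over a mailbox export, a run of "repeat" labels roughly one damper period apart points at the damper, while a "new" label means the risk log really has a fresh row.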

JoshuaT:

I installed SEP 12.1 yesterday and am now seeing this problem.

During my morning scheduled scan a risk was found on a single computer. Since that initial alert I am now receiving notifications every hour about this single risk. The alerts are exactly the same alert. Same file. Same file location. Same database insert time. Same computer.

I only have 1 Single Risk notification condition setup.

These repeated alerts did not happen in SEP 11 RU6. I did not have to tweak the Notification Damper period.

bjohn:

Joshua,

Try deleting your existing notification and re-creating it with the same info. This seems to have worked for me.

I tried making a minor change, delete * from the domain field, save, then add * back, but that didn't make a difference. I had to delete and re-add the whole notification.

JoshuaT:

Thanks for the tip.

I have recreated the alert and will let you know next hour if that resolved it.

bjohn:

Correction - Making the minor change as indicated above also fixes the problem.

SOLUTION
JoshuaT:

The recreation of the rule fixed the problem. (I never tried the minor change)

Thank you!