Symantec Antivirus Endpoint 11 - How to block specific alerts

Boatcephus's picture

Is there a way to tell our AV clients not to flash an alert for a specific event? For instance, we have a daily Nessus scan that runs in the afternoon. We get unnecessary Help Desk calls from people spooked when they see the scan alert. I don't want to totally disable all alerts. I'd just like the client AV not to falsely worry the natives.

Thanks!

Kedar Mohile's picture

Nessus scan and IPS

A Nessus scan would usually get detected and notified by the IPS component in SEP.

If you do not wish the user to be alerted by the same for some reason you can follow the steps below:

  1. Log in to SEPM
  2. Go to Monitors > Logs > NTP Logs > Attacks
  3. You should find the alerted event with a unique SID; make a note of the SID
  4. Now click on the Policies tab in the SEPM > click on IPS policies and then click on Edit on the IPS signature which is applied to the SEP clients affected
  5. Click on the Exceptions tab, click Add, and add the same SID which gets detected at the time when a Nessus scan is run
  6. You choose both the ACTION to perform and LOG for the relative SID

Hope this helps. Thanks :-)

Bryon's picture

You can set up Centralized Exception policies for the AV clients to ignore or log the Nessus scans.

http://service1.symantec.com/SUPPORT/ent-security.nsf/2326c6a13572aeb788257363002b62aa/f7602d481cc0cb8e882574020062b021?OpenDocument