Endpoint Protection


What's the difference?

Migration User

Migration UserApr 22, 2009 08:45 PM

Migration User

Migration UserApr 23, 2009 03:57 AM

Migration User

Migration UserApr 23, 2009 03:59 AM

Migration User

Migration UserApr 23, 2009 12:53 PM

  • 1.  What's the difference?

    Posted Apr 22, 2009 02:56 PM
    I want to set up a notification that emails me when a risk is detected on a client. I think I want "New risk detected", but "Single risk event" sounds like it could be the right choice too. Which one should I choose? What's the difference between these two notifications?

    Thanks!


  • 2.  RE: What's the difference?
    Best Answer

    Posted Apr 22, 2009 05:18 PM
    "Single Risk Event" will notify you each time a threat is detected, whereas "New Risk Found" will not notify you about multiple computers with the same risk, irrespective of the number of detections.


  • 3.  RE: What's the difference?

    Posted Apr 22, 2009 07:49 PM
    Hi, as Sandeep Cheema said, but I think you should have both notifications set up.


  • 4.  RE: What's the difference?

    Posted Apr 22, 2009 08:45 PM
    Why both?


  • 5.  RE: What's the difference?

    Posted Apr 23, 2009 12:21 AM
    Because then you will know the entire risk universe in the enterprise. Single Risk Event will sometimes overwhelm you with the number of entries, but New Risk Found will help you tackle a threat on groups of machines. Remediation can be planned faster for New Risk Found than for single threats...

    Hope this helps you


  • 6.  RE: What's the difference?

    Posted Apr 23, 2009 12:40 AM
    "New Risk Detected" refers to a risk new to the network, meaning it hasn't been detected before. "Single Risk Event" would be ideal to monitor only if the action is not Cleaned, Deleted or Quarantined, because you won't have to do anything if the AV did it. You can just pull out a full risk report from time to time.

    Try enabling all the messages and disable the ones you don't need, just so you'll know the volume of email the server sends. Make sure it's excluded in the junk filter.


  • 7.  RE: What's the difference?

    Posted Apr 23, 2009 02:03 AM
    "Single Risk Event" will send you an email notification every time a virus is detected, and "New Risk Found" will notify you when a new virus is detected. You should enable both these features.


  • 8.  RE: What's the difference?

    Posted Apr 23, 2009 03:53 AM
    I guess both, but then it depends upon you, what you choose to notify you; both the features are there, so I have implemented both.
    It should be your choice.


  • 9.  RE: What's the difference?

    Posted Apr 23, 2009 03:57 AM
    Yes that is true.


  • 10.  RE: What's the difference?

    Posted Apr 23, 2009 03:59 AM
    Yes that is true.


  • 11.  RE: What's the difference?

    Posted Apr 23, 2009 04:12 AM
    We're monitoring over 10,000 clients, and we're using Symantec Threat Reporter. We used to have the alerts send emails for all the possible alerts, but I got fed up with all the emails that say it detected a threat but was successful at cleaning it. If I want to know that, I'll use the reporting feature instead. I have the alerts set to send alerts when the threat can't be fixed, if a number of workstations are not updated, and if more than a few alerts of the same type or target PC appear regardless of the actual action.

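    The two notification semantics described in posts 6 and 11 above, modelled as an added Python example (not code from this thread or from Symantec; the event fields and sample events are constructed for illustration, not SEPM's real log schema):

```python
from collections import Counter

# Constructed sample of risk events in the form (computer, risk_name, action_taken).
# The field layout is an assumption for illustration, not Symantec's log format.
SAMPLE_EVENTS = [
    ("WS-101", "Bloodhound.Exploit.167", "Quarantined"),
    ("WS-102", "Trojan.Gen", "Cleaned"),
    ("WS-101", "Bloodhound.Exploit.167", "Left Alone"),
    ("WS-103", "Bloodhound.Exploit.167", "Deleted"),
    ("WS-102", "Trojan.Gen", "Cleaned"),
    ("WS-104", "Trojan.Gen", "Cleaned"),
]

# Actions after which the AV has already handled the file (post 6's filter).
REMEDIATED = {"Cleaned", "Deleted", "Quarantined"}


def new_risk_found(events):
    """'New Risk Found' semantics: one alert per risk name, raised the first
    time that risk is seen anywhere in the enterprise; later detections of the
    same risk on other computers produce nothing."""
    seen, alerts = set(), []
    for computer, risk, _action in events:
        if risk not in seen:
            seen.add(risk)
            alerts.append((computer, risk))
    return alerts


def single_risk_event(events, unremediated_only=False):
    """'Single Risk Event' semantics: one alert per detection. With
    unremediated_only=True only detections the AV did not fix are kept, which
    is the filter post 6 suggests to keep mailbox volume manageable."""
    return [(c, r, a) for c, r, a in events
            if not unremediated_only or a not in REMEDIATED]


def repeat_offenders(events, threshold=2):
    """Post 11's rule: flag a risk name or a target PC that shows up more than
    `threshold` times, regardless of the action taken."""
    by_risk = Counter(r for _, r, _ in events)
    by_host = Counter(c for c, _, _ in events)
    return {"risks": sorted(k for k, n in by_risk.items() if n > threshold),
            "computers": sorted(k for k, n in by_host.items() if n > threshold)}


if __name__ == "__main__":
    print("new risks:", new_risk_found(SAMPLE_EVENTS))
    print("needs attention:", single_risk_event(SAMPLE_EVENTS, unremediated_only=True))
    print("repeat offenders:", repeat_offenders(SAMPLE_EVENTS))
```

    Running it against the constructed events shows why the thread's posters pair the two notifications: New Risk Found fires twice, Single Risk Event fires six times unfiltered but only once with the unremediated-only filter, and the repeat-offender rule surfaces both risk names.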

  • 12.  RE: What's the difference?

    Posted Apr 23, 2009 04:16 AM
    Thanks all, I guess I should have clarified that I know the difference between the two, but in my environment (<250 computers), I don't need the New Risk Found event. I watch any computer closely that reports the Single Risk Event for a week, running full scans after detection.


  • 13.  RE: What's the difference?

    Posted Apr 23, 2009 06:11 AM
    Yes, it's definitely your choice, but if you go through the administrative guide you can get the recommendation.


  • 14.  RE: What's the difference?

    Posted Apr 23, 2009 12:42 PM
    @RickJDS
    Definitely, you know it too well. As a matter of fact, when I started researching for answering this post, a lot of your threads pulled up w.r.t. notification, and that's where the answer comes from :)


  • 15.  RE: What's the difference?

    Posted Apr 23, 2009 12:53 PM
    Sandip is right...



  • 16.  RE: What's the difference?

    Posted Apr 23, 2009 12:55 PM
    I also think that if you go through the admin guide, it will guide you properly...


  • 17.  RE: What's the difference?

    Posted Apr 23, 2009 01:35 PM
    Well, why did Symantec create it if New Virus Found has no use? If it's the same as Single Risk, it will just inform you that it's new, to help you with your research if needed.


  • 18.  RE: What's the difference?

    Posted Apr 23, 2009 09:39 PM
    Paul, I think the answer is that everyone wants to have zero viruses in their network. Assuming that you start with zero infections, you would want to get notified of a new infection, either to submit it for a rapid release or to trace the weakest link in the network if it's already defined. Every time a new virus enters the network, you may want to know what the client PC was doing at the time to prevent it from ever happening again. It's a little hard if you're handling over 10k clients like I do. :(

    In my case, I'm receiving alerts almost every hour, and I can't handle them all. Meaning, I have no time to trace the source to have the web page blocked or the removable storage scanned, especially if the user is hundreds of miles away. There's no way of telling how many USB drives he or she has and if he or she will scan them the way I want them to be scanned.


  • 19.  RE: What's the difference?

    Posted Apr 23, 2009 10:12 PM
    Hi Paul,

    For me (an example), I had a computer report it had Bloodhound Exploit 167 (I think). I ran a full scan, it found more files, and the computer would then blue screen when you rebooted. Had to blow that computer away and reimage. One week later, the same threat hit a different computer in a different location. Ran a full scan, nothing else found. I should note that both times Symantec deleted the infection via Auto-Protect. That threat is living somewhere in my network, or these two computers hit the same exact website and got infected. I'm holding my breath that I'll see another computer get infected this Sunday.

    That is why New Risk Found is not useful to me, plus the fact that you have to open the MHT attachment on my Treo, which does not natively support that attachment. Now, if that event produced a plain text report, I would not mind it. Don't get me wrong, I have both notifications enabled, but I don't pay attention to the New Risk Found as much. This works well for me, and others that have larger environments would benefit more from it than me.


  • 20.  RE: What's the difference?

    Posted Apr 24, 2009 12:49 AM
    @RickJDS: Whenever I get an alert from a user, I check the infected file and if I'm sure it came from the internet, I use Internet Explorer History Viewer and Mozilla Firefox History Viewer and check the website visited during the time of attack. You can then probably test that website yourself.