Endpoint Protection


Where are TruScan logs at SEPM 12 ?

  • 1.  Where are TruScan logs at SEPM 12 ?

    Posted Oct 15, 2012 07:15 AM

    Hello folks,

     

    Does anybody know how to find legacy SEP11 client TruScan logs on the SEPM12 console?

    I know that TruScan was replaced by SONAR on the SEP12 Monitors/Logs page, but TruScan events from my SEP11 clients are not there!



  • 2.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 15, 2012 07:23 AM

    Hello,

    Please check the article below :)

    http://www.symantec.com/business/support/index?page=content&id=TECH159289

    Regards,

    Oykun



  • 3.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 15, 2012 07:23 AM

    Migration from Symantec Endpoint Protection (SEP) 11.x to SEP 12.x - TruScan and SONAR exceptions

    http://www.symantec.com/business/support/index?page=content&id=TECH185225

    Configuring Exceptions for Symantec Endpoint Protection (SEP) 12.

    http://www.symantec.com/business/support/index?page=content&id=TECH176906



  • 4.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 15, 2012 08:22 AM

    Ashish & Oykun,

     

    Thank you for sharing, but none of the articles have answered my question.

    I need to find where the TruScan detection events are on the SEP12 management console!?



  • 5.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 15, 2012 08:43 AM

    Hi,

    Check this; it may help.

    SONAR is part of Proactive Threat Protection on your client computers. You manage SONAR settings as part of a Virus and Spyware Protection policy.

    You configure SONAR settings for the clients that run Symantec Endpoint Protection version 12.1. SONAR settings also include TruScan proactive threat scan settings for legacy clients. Many of the settings can be locked so that users on client computers cannot change the settings.

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55215

    Configuring TruScan proactive threat scan settings for legacy clients

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55255#v44056185

    About adjusting TruScan settings for legacy clients

    http://www.symantec.com/business/support/index?page=content&id=HOWTO55257#v44070148



  • 6.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 15, 2012 09:13 AM

    Hello,

    In the article,

    You can see that there's no option to see details in the Monitor, one of that is also Logs. So you can vote for an enhancement from the following document:

    Solution

    This is as designed and there are no options to see PTP details in the monitors.

    If you need this feature enabled in SEP 11, you may vote for this enhancement request at www-secure.symantec.com/connect/ideas/add-ptp-information-sepm-computer-status-reports

    Regards,

    Oykun

     



  • 7.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 15, 2012 09:16 AM

    Monitors >> Logs >> SONAR

    This doesn't show here for you?



  • 8.  RE: Where are TruScan logs at SEPM 12 ?

    Trusted Advisor
    Posted Oct 15, 2012 09:17 AM

    Hello,

    When did you migrate the SEPM from 11.x to 12.1?

    Did you select the Correct "Time Range" of Logs from Monitors >> Logs >> SONAR??

    When the migration takes place, the previous TruScan Proactive Threat Scan (PTP) events would still be stored within the database, as the database schema migration takes place and not the purging of database logs.

    So, in your case, if you pull the SONAR logs, you may see those events.

    Note: The condition here is that these logs expire by default after 60 days.

    You could check these settings from - 

    SEPM >> Admin >> Servers >> Local Host >> Edit Database properties >> Log settings.

    Hope that helps!!



  • 9.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 16, 2012 03:27 PM

    Thank you all for your replies, but the problem remains.

    I haven't migrated from SEPM11 to SEPM12.
    I created a new database for SEPM12 but I added clients running SEP version 11 MR5.
    For these clients, TruScan events are not being forwarded to SEPM12; at least, I could not find them.

    SONAR events from SEP12 clients are present as well on the Monitors >> Logs >> SONAR page.



  • 10.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Oct 16, 2012 03:37 PM

    I would suggest a call in to support.



  • 11.  RE: Where are TruScan logs at SEPM 12 ?

    Posted Dec 12, 2012 12:01 AM

    Follow these steps to monitor SONAR detection results to check for false positives:

    1. In the console, click Monitors > Logs.

    2. On the Logs tab, in the Log type drop-down list, click SONAR.

    3. Select a time from the Time range list box closest to when you last changed a scan setting.

    4. Click Advanced Settings.

    5. In the Event type drop-down list, select one of the following log events:

      • To view all detected processes, make sure All is selected.

      • To view the processes that have been evaluated as security risks, click Security risk found.

      • To view the processes that have been evaluated and logged as potential risks, click Potential risk found.

    6. Click View Log.

    If you are still unable to generate the call, there could be many reasons; I would advise opening a case with Symantec Support.



  • 12.  RE: Where are TruScan logs at SEPM 12 ?

    Broadcom Employee
    Posted Dec 12, 2012 12:18 AM

    TruScan will be applicable for SEP 11 clients. Did you see any events on the SEP 11 clients (client side)?



  • 13.  RE: Where are TruScan logs at SEPM 12 ?
    Best Answer

    Posted Jan 23, 2013 08:18 AM

    Yes! I can see the logs on the client side, but not on the SEPM side!

    So I've opened the case: 03373742

    Here's the technician's answer:

    Issue #2 - TruScan logs not being displayed in a 12.1 SEPM

    As you know, SONAR has replaced TruScan in 12.1.  It is expected behavior, working as designed, that the TruScan logs are not viewable in 12.1 SEPM.  The advice would be to migrate your clients to 12.1 so that they are running SONAR which can be viewed from the SEPM as expected.  Another unsupported workaround would be, once again, to run a SQL query to pull this information from the database, as it should still be processed from the information the client has sent to the SEPM.

    My reaction on that was:

    • Disable TruScan policy until every client is upgraded to SEP12 version, because right now I cannot see TruScan false positives on SEP11 clients.
    • Submit an idea to Symantec for including this feature in the next product releases; since SEPM12 supports SEP11 clients, it must also support the log handling.

    https://www-secure.symantec.com/connect/ideas/sepm-121-support-displaying-truscan-logs

    If you agree, please vote!