
Where are TruScan logs at SEPM 12?

Created: 15 Oct 2012 • Updated: 23 Jan 2013 | 12 comments
FbacchinZF's picture
This issue has been solved. See solution.

Hello folks,

 

Does anybody know how to find legacy SEP11 client TruScan logs on the SEPM12 console?

I know that TruScan was replaced by SONAR on the SEP12 Monitors/Logs page, but TruScan events from my SEP11 clients are not there!

 


Ashish-Sharma's picture

Migration from Symantec Endpoint Protection (SEP) 11.x to SEP 12.x - TruScan and SONAR exceptions

http://www.symantec.com/business/support/index?page=content&id=TECH185225

Configuring Exceptions for Symantec Endpoint Protection (SEP) 12.

http://www.symantec.com/business/support/index?page=content&id=TECH176906

Thanks In Advance

Ashish Sharma

 

 

FbacchinZF's picture

Ashish & Oykun,

 

Thank you for sharing but none of the articles have answered my question.

I need to find where the TruScan detection events are on the SEP12 management console!?

 

 

oykunsatis's picture

Hello,

In the article, you can see that there's no option to see details in the Monitor, one of which is also Logs. So you can vote for an enhancement from the following document:

 

 

Solution

This is as designed and there are no options to see PTP details in the monitors.

If you need this feature enabled in SEP 11, you may vote for this enhancement request at www-secure.symantec.com/connect/ideas/add-ptp-information-sepm-computer-status-reports

 

Regards,

Oykun

 

Ashish-Sharma's picture

Hi,

Check this, it may help.

SONAR is part of Proactive Threat Protection on your client computers. You manage SONAR settings as part of a Virus and Spyware Protection policy.

You configure SONAR settings for the clients that run Symantec Endpoint Protection version 12.1. SONAR settings also include TruScan proactive threat scan settings for legacy clients. Many of the settings can be locked so that users on client computers cannot change the settings.

http://www.symantec.com/business/support/index?page=content&id=HOWTO55215

Configuring TruScan proactive threat scan settings for legacy clients

http://www.symantec.com/business/support/index?page=content&id=HOWTO55255#v44056185

About adjusting TruScan settings for legacy clients

http://www.symantec.com/business/support/index?page=content&id=HOWTO55257#v44070148

Thanks In Advance

Ashish Sharma

 

 

_Brian's picture

Monitors >> Logs >> SONAR

This doesn't show here for you?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

When did you migrate the SEPM from 11.x to 12.1?

Did you select the correct "Time Range" of logs from Monitors >> Logs >> SONAR?

When the migration takes place, the previous TruScan Proactive Threat Scan (PTP) events would still be stored within the database, as the database schema migration takes place and not the purging of database logs.

So, in your case, if you pull the SONAR logs, you may see those events.

Note: The condition here is that these logs expire by default after 60 days.

You could check these settings from - 

SEPM >> Admin >> Servers >> Local Host >> Edit Database properties >> Log settings.

Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

FbacchinZF's picture

Thank you all for your replies but the problem remains.

I haven't migrated from SEPM11 to SEPM12.
I created a new database for SEPM12 but I added clients running SEP version 11 MR5.
For these clients, TruScan events are not being forwarded to SEPM12; at least, I could not find them.

SONAR events from SEP12 clients are present as well on the Monitors >> Logs >> SONAR page.

 

 

 

 

 

 

_Brian's picture

I would suggest a call in to support.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Ajit Jha's picture

Follow these steps to monitor SONAR detection results to check for false positives:

  1. In the console, click Monitors > Logs.

  2. On the Logs tab, in the Log type drop-down list, click SONAR.

  3. Select a time from the Time range list box closest to when you last changed a scan setting.

  4. Click Advanced Settings.

  5. In the Event type drop-down list, select one of the following log events:

    • To view all detected processes, make sure All is selected.

    • To view the processes that have been evaluated as security risks, click Security risk found.

    • To view the processes that have been evaluated and logged as potential risks, click Potential risk found.

  6. Click View Log.

If you are still unable to generate the call, there could be many reasons; I would advise opening a case with Symantec Support.

Regards,

Ajit Jha

Technical Consultant

ASC & STS

pete_4u2002's picture

TruScan will be applicable for SEP 11 clients. Did you see any events on the SEP 11 clients (client side)?

FbacchinZF's picture

Yes! I can see the logs on the client side, but not on the SEPM side!

So I've opened the case: 03373742

Here's the technician's answer:

Issue #2 - TruScan logs not being displayed in a 12.1 SEPM

As you know, SONAR has replaced TruScan in 12.1. It is expected behavior, working as designed, that the TruScan logs are not viewable in 12.1 SEPM. The advice would be to migrate your clients to 12.1 so that they are running SONAR, which can be viewed from the SEPM as expected. Another unsupported workaround would be, once again, to run a SQL query to pull this information from the database, as it should still be processed from the information the client has sent to the SEPM.

 

My reaction on that was:

  • Disable the TruScan policy until every client is upgraded to SEP12 version, because right now I cannot see TruScan false positives on SEP11 clients.
  • Submit an idea to Symantec for including this feature in the next product releases; since SEPM12 supports SEP11 clients, it must also support the log handling.

https://www-secure.symantec.com/connect/ideas/sepm...

If you agree, please vote!

SOLUTION