Endpoint Protection


General Information about NTP log in SEPM

  • 1.  General Information about NTP log in SEPM

    Posted Jul 08, 2015 05:00 AM

    Hello Guys,
    I just went through our NTP logs from the SEPM. Under the risk detected section I can see event time, begin time and end time. Can anyone explain what exactly these mean?
    Capture of NTP.PNG
    Thanks

    Dinesh



  • 2.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 05:09 AM

    About Network Threat Protection reports and logs

    https://support.symantec.com/en_US/article.TECH95542.html



  • 3.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 05:25 AM

    Thanks for replying. I have a question about the event time. My understanding is that the event time is the timestamp showing that the malicious activity was detected at that specific time. Is that right?
    Another question in this scenario

    Event time: 7/8/2015 10:45:25

    Start time: 3/6/2015 09:24:31

    End time: 3/6/2015 09:24:31

    In a different NTP log I can see that the start time and end time are the same (6th of March) but the event time shows a date of 8th of July. What exactly does it mean?

    1. Is it that SEP did not detect it?

    2. Or was the file quarantined for so long and detected only in July?

    Thanks in advance

    Dinesh



  • 4.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 06:34 AM

    Start / End Time is the window in which SEP detected the malicious activity.

    Event Time should be the time that it took for SEP to act on and remediate the issue.

    Out of curiosity what's the exact version of SEP you're running?


  • 5.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 08:26 AM

    @brian the version is RU5 ...

    So in my scenario the event time is showing

    Event time: 7/8/2015 10:45:25

    Start/End time: 3/6/2015 09:24:31

    It took 4 months for SEP to remediate the issue.

    Is it normal, or did SEP not act immediately ...

    Any possibilities or suggestions will be highly appreciated...



  • 6.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 08:27 AM

    Definitely odd. What was the event type? Intrusion Prevention?

    Was this machine off the network for an extended period of time?



  • 7.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 08:36 AM

    Event type is DoS.

    Machine was not off the network for a long time ... maybe a week, that's it.



  • 8.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 08:39 AM

    Looking at my DoS events, the Begin/End time and Event Time are within a minute of one another, so something may be out of sorts here or it's just an anomaly. Are all of your events like this or just this specific one?



  • 9.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 09:42 AM

    For now I am able to find only one event with this scenario...

    Other events in DoS either have the same timestamp for all three (Begin/End and Event) or are within a minute, like you said.



  • 10.  RE: General Information about NTP log in SEPM
    Best Answer

    Posted Jul 08, 2015 10:01 AM

    For now I would treat it as an anomaly.



  • 11.  RE: General Information about NTP log in SEPM

    Posted Jul 08, 2015 11:26 AM

    I believe that the Event time is the time when the log was inserted into the SEPM database.


    However the start and end dates are way too old to be still in the SEPM unless the client is set to hold the old logs for such a long time.

    Please check if the system time on the concerned computer is set correctly. Check other logs from the same computer to find if all of them are dated to old dates.
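The checks suggested in posts 8 and 11 (Event Time should sit within about a minute of the Begin/End window, and a client whose rows are all off probably has a wrong system clock) can be scripted against an exported log. The example below is added here and is not Symantec code or anything posted in the thread; the column names, the M/D/YYYY HH:MM:SS format and the sample rows are constructed assumptions modelled on the values quoted above.

```python
"""Flag SEPM NTP risk-log rows whose Event Time is far from the Begin/End
window, then judge per computer whether it looks like a clock problem or an
isolated anomaly. Constructed example; column names and date format are
assumptions based on the values quoted in the thread."""
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a SEPM NTP log export (assumption).
# The WS-03 row with a March window and a July event mirrors the thread.
SAMPLE_ROWS = [
    {"Computer": "WS-01", "Event Type": "DoS", "Begin Time": "7/8/2015 10:44:50",
     "End Time": "7/8/2015 10:44:50", "Event Time": "7/8/2015 10:45:25"},
    {"Computer": "WS-02", "Event Type": "DoS", "Begin Time": "7/8/2015 08:15:02",
     "End Time": "7/8/2015 08:15:02", "Event Time": "7/8/2015 08:15:02"},
    {"Computer": "WS-03", "Event Type": "DoS", "Begin Time": "3/6/2015 09:24:31",
     "End Time": "3/6/2015 09:24:31", "Event Time": "7/8/2015 10:45:25"},
    {"Computer": "WS-03", "Event Type": "DoS", "Begin Time": "7/8/2015 11:02:10",
     "End Time": "7/8/2015 11:02:10", "Event Time": "7/8/2015 11:02:40"},
    {"Computer": "WS-04", "Event Type": "DoS", "Begin Time": "7/8/2015 09:00:00",
     "End Time": "7/8/2015 09:00:00", "Event Time": "7/8/2015 08:30:00"},
    {"Computer": "WS-04", "Event Type": "DoS", "Begin Time": "7/8/2015 09:05:00",
     "End Time": "7/8/2015 09:05:00", "Event Time": "7/9/2015 09:05:00"},
]

TIME_FORMAT = "%m/%d/%Y %H:%M:%S"  # assumed export format, e.g. 7/8/2015 10:45:25


def parse_time(value):
    """Parse one timestamp cell; strptime accepts non-zero-padded month/day."""
    return datetime.strptime(value.strip(), TIME_FORMAT)


def event_lag(row):
    """Event Time minus End Time. Positive = the event was recorded after the
    detection window closed; negative = it was stamped before the window,
    which only a wrong clock can produce."""
    return parse_time(row["Event Time"]) - parse_time(row["End Time"])


def classify_row(row, tolerance=timedelta(minutes=1)):
    """'ok' when Event Time is within tolerance of End Time (the normal case
    in post 8), 'clock_skew' when the event predates the window, 'delayed'
    when the record reached SEPM long after the window (post 11's reading)."""
    lag = event_lag(row)
    if lag < -tolerance:
        return "clock_skew"
    if lag > tolerance:
        return "delayed"
    return "ok"


def find_anomalies(rows, tolerance=timedelta(minutes=1)):
    """Return the rows that are not 'ok', with their label and lag in days."""
    flagged = []
    for row in rows:
        label = classify_row(row, tolerance)
        if label != "ok":
            flagged.append({"Computer": row["Computer"], "label": label,
                            "lag_days": event_lag(row).days})
    return flagged


def assess_computer(rows, computer, tolerance=timedelta(minutes=1)):
    """Post 11's cross-check: if every row from the computer is off, suspect
    its system clock; if only some are, treat those as isolated anomalies."""
    labels = [classify_row(r, tolerance) for r in rows if r["Computer"] == computer]
    if not labels:
        return "no_rows"
    off = sum(1 for label in labels if label != "ok")
    if off == 0:
        return "consistent"
    if off == len(labels):
        return "suspect_system_clock"
    return "isolated_anomaly"


if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_ROWS):
        print(hit)
    for name in ("WS-01", "WS-03", "WS-04"):
        print(name, assess_computer(SAMPLE_ROWS, name))
```

Running it flags the March-to-July row on WS-03 as delayed by 124 days while its other row is fine, so WS-03 is reported as an isolated anomaly; WS-04, whose rows are both off in different directions, is reported as a suspected system-clock problem and is the kind of client post 11 says to check first. A one-minute tolerance matches what post 8 observed; widen it if your own normal rows show larger gaps.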